
Javascript - Username check

  • 20-09-2007 7:32pm
    #1
    Registered Users Posts: 3,401 ✭✭✭


    Hi Lads,

    I was just wondering if this was an ok way to check a username and protect a username and password required page?

    What happens if they disable javascript?
    <?php 
    session_start();
    $username=$_SESSION['MM_Username'];		
    
    if ($username=="")	{
     print "<script type=\"text/javascript\">";
     print " self.location='index.php';";
     print "</script>";
     }
     ?>
    


Comments

  • Registered Users Posts: 3,594 ✭✭✭forbairt


    think about it for a second ...

    you're letting the client decide what page they want to go to ...

    what happens if they have javascript turned off ? ...

    It might be an ok solution on some internal page ... where security doesn't matter ... but ... no ... it's not a good solution


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    It depends on your definition of protection

    Option 1 - Disable javascript - I get in

    Option 2 - I look at the javascript and get in that way

    If you want a basic password protection use .htaccess

    If you want something more advanced there are plenty of ways of doing it, but in any case doing it client-side is not the solution


  • Registered Users Posts: 14,761 ✭✭✭✭Winters


    GaryCocs wrote:
    Hi Lads,

    I was just wondering if this was an ok way to check a username and protect a username and password required page?

    What happens if they disable javascript?

    If they disable JavaScript then they will generally get a blank page. Something you should look into that would be far easier would be the header function in PHP. See below.

    [php]<?php
    session_start();
    $username=$_SESSION['MM_Username'];

    if (empty($username)) {
    header ("Location: index.php");
    }
    ?>
    [/php]

    Much neater, quicker and does not wait for the page and the javascript to load before redirecting.


  • Registered Users Posts: 3,401 ✭✭✭randombar


    Hi Winters,
    Nice one for that, just have to change that code in a few pages, was wondering about that for a while. I wasn't sure if you could disable the javascript on a page before the page loaded!
    The .htaccess? How does that work black knight?
    Thanks


  • Registered Users Posts: 3,594 ✭✭✭forbairt


    I could explain ...

    but I'll point you at ... http://www.javascriptkit.com/howto/htaccess.shtml

    Your hosting provider may also have a handy feature in their cpanel or similar that will allow you to turn on password protection for a directory ...

    It will mean however that you get a nasty Alert box style dialogue asking you to enter username / password


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Remember when you use the php header() function to redirect someone, to call exit() afterwards.

    When you redirect someone with header(), the browser moves off to that page, but the php script continues to execute. So theoretically someone can inject some variables into your script, even if they don't have the right username and password.


  • Registered Users Posts: 3,401 ✭✭✭randombar


    So the code is going to look something like this?
    <?php 
    session_start();
    $username=$_SESSION['MM_Username'];        
    
    if (empty($username))    {
     header ("Location: index.php");
     exit();
     }
    
    
    ?> 
    


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Something like that, but that piece of code in particular won't work. Don't forget your semicolons ;)


  • Registered Users Posts: 3,401 ✭✭✭randombar


    Haha eh ya . . . . what semicolons :)


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    Based on that question I should warn about hidden form fields too. 'View Source' and the user sees them. Save the page and they can edit the values, open in their browser and submit.

    You have to have security on the server, trust nothing that comes from the browser, in fact there may be no browser at all, a Perl script can mimic any browser and let that person send any GET and POST name/value pairs they like to your script.
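
Added example, not part of any post in the thread: a regression check that requests a protected page the way a non-browser client would (no session cookie, no JavaScript, redirects not followed) and reports whether the protected body still arrives. The three paths, the SECRET marker and the local test server are constructed for illustration; they model the first post's script redirect, header() without exit(), and header() followed by exit().

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"<h1>Members only</h1>"   # constructed stand-in for the protected page body
JS = b"<script type=\"text/javascript\">self.location='index.php';</script>"

# Constructed (status, Location, body) each variant sends when no session exists.
VARIANTS = {
    "/js_redirect": (200, None, JS + SECRET),        # script tag, rest of page still sent
    "/header_no_exit": (302, "index.php", SECRET),   # header() but the script keeps running
    "/header_exit": (302, "index.php", b""),         # header() followed by exit()
}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, location, body = VARIANTS[self.path]
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence per-request logging
        pass

def fetch_without_session(port, path):
    """GET with no cookie; http.client neither runs JavaScript nor follows redirects."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result

def audit():
    """Return {path: True if the protected body reached the unauthenticated client}."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {path: SECRET in fetch_without_session(server.server_port, path)[2]
                for path in VARIANTS}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, leaked in audit().items():
        print(f"{path}: {'LEAKS protected content' if leaked else 'ok'}")
```

Pointing fetch_without_session at a real protected page, and replacing SECRET with a string that only appears on that page, turns this into a check that can run after every change to the login guard.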

