Solved

Is it necessary to have authentication controls on function pages?

Posted on 2016-11-27
Last Modified: 2016-11-27
On my admin pages I have this:

require 'functions/authentication.php';
isLoggedIn();

This just has some code to verify that the user is logged in and to redirect them if not.

I want to have some other functions on the page as well, so let's say the above code changes to:

require 'functions/authentication.php';
require 'functions/otherFunctions.php';
isLoggedIn();
someOtherFunction();

If otherFunctions.php contains ONLY php functions, do I need to also add the isLoggedIn() function to otherFunctions.php?

I just ask because if you type in the path to the otherFunctions.php in the url, it displays the page. It doesn't show anything but the page can be accessed. I just wanted to know if that is a major security problem or not?
Question by: Black Sulfur
4 Comments
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 200 total points
ID: 41902874
I would probably write it this way so that the auth check is done before the client is able to do anything.  I'm assuming the 'isLoggedIn()' function redirects them to a login page if they are not logged in.  I have some included/required pages that look for a $_SESSION variable to be set and exit if it isn't.
require 'functions/authentication.php';
isLoggedIn();
require 'functions/otherFunctions.php';
someOtherFunction();

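As an added illustration of the ordering Dave describes (this is example code written for this page, not Dave's or the asker's), here is a minimal functions/authentication.php whose isLoggedIn() ends the request before any later require can run. It assumes the login page stores $_SESSION['user_id'] on success; the session key name and the /login.php path are assumptions, not anything from the thread.

```php
<?php
// Added example (not from the thread): functions/authentication.php
// Assumes the login form sets $_SESSION['user_id'] after a successful login
// and that the login page lives at /login.php (both are assumptions).

declare(strict_types=1);

function isLoggedIn(): void
{
    // Start the session only if nothing else has done so already.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (empty($_SESSION['user_id'])) {
        // Redirect, then stop. Without exit the rest of the page would still
        // execute after the Location header, which is the classic mistake.
        header('Location: /login.php', true, 302);
        exit;
    }
}
```

In admin.php the order matters exactly as in Dave's snippet: require this file, call isLoggedIn(), and only then require functions/otherFunctions.php and call its functions. Because isLoggedIn() calls exit for an anonymous visitor, nothing loaded after it can run for that request.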
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41902993
Yeah, it redirects them to a login page if they aren't logged in. But, what I mean is I can view the function page in a url:

www.mysite.com/functions/otherFunctions.php

All this page contains is a bunch of functions that get called on other pages. So, I am asking if I need to have

require 'functions/authentication.php';
isLoggedIn();

on the actual otherFunctions.php page or can a user do nothing with this page by typing its url directly into the browser?
 
LVL 35

Assisted Solution

by:Dan Craciun
Dan Craciun earned 600 total points
ID: 41902998
That page should not be available to the user.
Normally the includes are in a folder that is not public and not browseable.

HTH,
Dan
 
LVL 111

Accepted Solution

by: Ray Paseur
Ray Paseur earned 1200 total points
ID: 41903017
otherFunctions.php contains ONLY php functions...
There are two answers here.

First answer (narrow and accurate):  A script that contains nothing but PHP function definitions and performs no actions at all is a large "no-op" receiving no input, creating no output, and having no effect on the state of the client or server.  It doesn't matter whether it is password-protected or not -- the "page" doesn't do anything.

Second answer (broad and more "real world"):  What Dan said.  This is a fairly standard design pattern that you will find in most frameworks.  The code fragments like functions.php are either located somewhere that is outside of the WWW root, or are restricted by .htaccess, or are started with some kind of code that disallows direct browsing.  CodeIgniter uses a statement like this to make sure that all routing comes through index.php
<?php defined('BASEPATH') or exit('No direct script access allowed');

So if it doesn't matter, why do it?  Because it is considered a good design (and security) practice to keep things as separated and isolated as possible, sharing as little scope as possible.  This minimizes the risk of spooky action at a distance.  Look around for articles about object-oriented design principles, particularly Separation of Concerns, and you'll find more of the current thinking about this topic.
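The "disallow direct browsing" guard Ray mentions, applied to the asker's otherFunctions.php, as an added example written for this page (not CodeIgniter's code and not the asker's). The constant name APP_ENTRY is an assumption chosen in the spirit of the BASEPATH check quoted above; any name works as long as only the real entry point defines it.

```php
<?php
// Added example (not from the thread): functions/otherFunctions.php with a
// direct-access guard. The entry point (e.g. admin.php) must run
//     define('APP_ENTRY', true);
// before requiring this file. APP_ENTRY is an assumed name for this example.

declare(strict_types=1);

// A browser requesting /functions/otherFunctions.php directly never passes
// through the entry point, so APP_ENTRY is undefined and the request ends
// here with a 403 and no function ever runs.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('No direct script access allowed');
}

function someOtherFunction(): string
{
    // Reports which script actually included this file, useful when checking
    // that every call really came through the intended entry point.
    return 'called from ' . basename($_SERVER['SCRIPT_NAME'] ?? 'cli');
}
```

This guard is the third of Ray's three options. The first two are stronger because the file is never reachable over HTTP at all: keep the includes outside the document root and require them with a filesystem path (for example require __DIR__ . '/../includes/otherFunctions.php';), or deny the functions/ directory in the web server configuration. The in-file guard is the fallback for hosts where neither of those is under your control.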