Solved

Is it necessary to have authentication controls on function pages?

Posted on 2016-11-27
4
43 Views
Last Modified: 2016-11-27
On my admin pages I have this:

require 'functions/authentication.php';
isLoggedIn();

Open in new window


This just has some code to verify that the user is logged in and to redirect them if not.

I want to have some other functions on the page as well so let' say the above code changes to:

require 'functions/authentication.php';
require 'functions/otherFunctions.php';
isLoggedIn();
someOtherFunction();

Open in new window


If otherFunctions.php contains ONLY php functions, do I need to also add the isLoggedIn() function to otherFunctions.php?

I just ask because if you type in the path to the otherFunctions.php in the url, it displays the page. It doesn't show anything but the page can be accessed. I just wanted to know if that is a major security problem or not?
0
Comment
Question by:Black Sulfur
4 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
ID: 41902874
I would probably write it this way so that the auth check is done before the client is able to do anything.  I'm assuming the 'isLoggedIn()' function redirects them to a login page if they are not logged in.  I have some included/required pages that look for a $_SESSION variable to be set and exit if it isn't.
require 'functions/authentication.php';
isLoggedIn();
require 'functions/otherFunctions.php';
someOtherFunction();

Open in new window

0
 

Author Comment

by:Black Sulfur
ID: 41902993
Yeah, it redirects them to a login page if they aren't logged in. But, what I mean is I can view the function page in a url:

www.mysite.com/functions/otherFunctions.php

All this page contains is a bunch of functions that get called on other pages. So, I am asking if I need to have

require 'functions/authentication.php';
isLoggedIn();

Open in new window


on the actual otherFunctions.php page or can a user do nothing with this page by typing its url directly into the browser?
0
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 150 total points
ID: 41902998
That page should not be available to the user.
Normally the includes are in a folder that is not public and not browseable.

HTH,
Dan
1
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 300 total points
ID: 41903017
otherFunctions.php contains ONLY php functions...
There are two answers here.

First answer (narrow and accurate):  A script that contains nothing but PHP function definitions and performs no actions at all is a large "no-op" receiving no input, creating no output, and having no effect on the state of the client or server.  It doesn't matter whether it is password-protected or not -- the "page" doesn't do anything.

Second answer (broad and more "real world"):  What Dan said.  This is a fairly standard design pattern that you will find in most frameworks.  The code fragments like functions.php are either located somewhere that is outside of the WWW root, or are restricted by .htaccess, or are started with some kind of code that disallows direct browsing.  CodeIgniter uses a statement like this to make sure that all routing comes through index.php
<?php defined('BASEPATH') or exit('No direct script access allowed');

Open in new window

So if it doesn't matter, why do it?  Because it is considered a good design (and security) practice to keep things as separated and isolated as possible, sharing as little scope as possible.  This minimizes the risk of spooky action at a distance.  Look around for articles about object-oriented design principles, particularly Separation of Concerns, and you'll find more of the current thinking about this topic.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now