Solved

Is it necessary to have authentication controls on function pages?

Posted on 2016-11-27
4
41 Views
Last Modified: 2016-11-27
On my admin pages I have this:

require 'functions/authentication.php';
isLoggedIn();

Open in new window


This just has some code to verify that the user is logged in and to redirect them if not.

I want to have some other functions on the page as well so let' say the above code changes to:

require 'functions/authentication.php';
require 'functions/otherFunctions.php';
isLoggedIn();
someOtherFunction();

Open in new window


If otherFunctions.php contains ONLY php functions, do I need to also add the isLoggedIn() function to otherFunctions.php?

I just ask because if you type in the path to the otherFunctions.php in the url, it displays the page. It doesn't show anything but the page can be accessed. I just wanted to know if that is a major security problem or not?
0
Comment
Question by:Black Sulfur
4 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
ID: 41902874
I would probably write it this way so that the auth check is done before the client is able to do anything.  I'm assuming the 'isLoggedIn()' function redirects them to a login page if they are not logged in.  I have some included/required pages that look for a $_SESSION variable to be set and exit if it isn't.
require 'functions/authentication.php';
isLoggedIn();
require 'functions/otherFunctions.php';
someOtherFunction();

Open in new window

0
 

Author Comment

by:Black Sulfur
ID: 41902993
Yeah, it redirects them to a login page if they aren't logged in. But, what I mean is I can view the function page in a url:

www.mysite.com/functions/otherFunctions.php

All this page contains is a bunch of functions that get called on other pages. So, I am asking if I need to have

require 'functions/authentication.php';
isLoggedIn();

Open in new window


on the actual otherFunctions.php page or can a user do nothing with this page by typing its url directly into the browser?
0
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 150 total points
ID: 41902998
That page should not be available to the user.
Normally the includes are in a folder that is not public and not browseable.

HTH,
Dan
1
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 300 total points
ID: 41903017
otherFunctions.php contains ONLY php functions...
There are two answers here.

First answer (narrow and accurate):  A script that contains nothing but PHP function definitions and performs no actions at all is a large "no-op" receiving no input, creating no output, and having no effect on the state of the client or server.  It doesn't matter whether it is password-protected or not -- the "page" doesn't do anything.

Second answer (broad and more "real world"):  What Dan said.  This is a fairly standard design pattern that you will find in most frameworks.  The code fragments like functions.php are either located somewhere that is outside of the WWW root, or are restricted by .htaccess, or are started with some kind of code that disallows direct browsing.  CodeIgniter uses a statement like this to make sure that all routing comes through index.php
<?php defined('BASEPATH') or exit('No direct script access allowed');

Open in new window

So if it doesn't matter, why do it?  Because it is considered a good design (and security) practice to keep things as separated and isolated as possible, sharing as little scope as possible.  This minimizes the risk of spooky action at a distance.  Look around for articles about object-oriented design principles, particularly Separation of Concerns, and you'll find more of the current thinking about this topic.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
This article discusses how to create an extensible mechanism for linked drop downs.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now