• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 58

Is it necessary to have authentication controls on function pages?

On my admin pages I have this:

require 'functions/authentication.php';
isLoggedIn();

This just has some code to verify that the user is logged in and to redirect them if not.

I want to have some other functions on the page as well, so let's say the above code changes to:

require 'functions/authentication.php';
require 'functions/otherFunctions.php';
isLoggedIn();
someOtherFunction();

If otherFunctions.php contains ONLY php functions, do I need to also add the isLoggedIn() function to otherFunctions.php?

I just ask because if you type the path to otherFunctions.php into the URL, it displays the page. It doesn't show anything, but the page can be accessed. I just wanted to know whether that is a major security problem or not.
Asked by: Black Sulfur

3 Solutions
 
Dave Baldwin (Fixer of Problems) commented:
I would probably write it this way so that the auth check is done before the client is able to do anything.  I'm assuming the 'isLoggedIn()' function redirects them to a login page if they are not logged in.  I have some included/required pages that look for a $_SESSION variable to be set and exit if it isn't.
require 'functions/authentication.php';
isLoggedIn();
require 'functions/otherFunctions.php';
someOtherFunction();

0
 
Black Sulfur (Author) commented:
Yeah, it redirects them to a login page if they aren't logged in. But, what I mean is I can view the function page in a url:

www.mysite.com/functions/otherFunctions.php

All this page contains is a bunch of functions that get called on other pages. So, I am asking if I need to have

require 'functions/authentication.php';
isLoggedIn();

on the actual otherFunctions.php page or can a user do nothing with this page by typing its url directly into the browser?
0
 
Dan Craciun (IT Consultant) commented:
That page should not be available to the user.
Normally the includes are in a folder that is not public and not browseable.

HTH,
Dan
1
 
Ray Paseur commented:
otherFunctions.php contains ONLY php functions...
There are two answers here.

First answer (narrow and accurate):  A script that contains nothing but PHP function definitions and performs no actions at all is a large "no-op" receiving no input, creating no output, and having no effect on the state of the client or server.  It doesn't matter whether it is password-protected or not -- the "page" doesn't do anything.

Second answer (broad and more "real world"):  What Dan said.  This is a fairly standard design pattern that you will find in most frameworks.  The code fragments like functions.php are either located somewhere that is outside of the WWW root, or are restricted by .htaccess, or are started with some kind of code that disallows direct browsing.  CodeIgniter uses a statement like this to make sure that all routing comes through index.php:
<?php defined('BASEPATH') or exit('No direct script access allowed');

So if it doesn't matter, why do it?  Because it is considered a good design (and security) practice to keep things as separated and isolated as possible, sharing as little scope as possible.  This minimizes the risk of spooky action at a distance.  Look around for articles about object-oriented design principles, particularly Separation of Concerns, and you'll find more of the current thinking about this topic.
0
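Putting Ray's direct-access guard together with Dave's ordering, as an added example that is not code from the thread; the constant name ADMIN_ENTRY, the file paths and the body of someOtherFunction() are assumptions:

```php
<?php
// === functions/otherFunctions.php ===
// Direct-access guard, the same idea as CodeIgniter's BASEPATH check.
// ADMIN_ENTRY is a hypothetical constant that only the real entry page defines.
// A request typed straight at this file's URL never passes through that page,
// so the constant is undefined and execution stops here, before anything below.
if (!defined('ADMIN_ENTRY')) {
    http_response_code(403);
    exit('No direct script access allowed');
}

function someOtherFunction(): string
{
    // Placeholder body; the thread does not say what this function does.
    return 'admin-only work';
}

// === admin/page.php (the entry page that the browser actually requests) ===
// Order matters: the auth check runs before the function file is even loaded,
// so none of its definitions are reachable without a valid session.
define('ADMIN_ENTRY', true);
require __DIR__ . '/../functions/authentication.php';
isLoggedIn();   // assumed to send the Location header AND call exit();
                // a redirect without exit() lets the rest of the page run
require __DIR__ . '/../functions/otherFunctions.php';
echo someOtherFunction();
```

The guard is defence in depth for a functions/ directory that has to stay under the document root; moving it outside the web root, as Dan suggests, remains the stronger control.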
