Solved

Is it necessary to have authentication controls on function pages?

Posted on 2016-11-27
4
20 Views
Last Modified: 2016-11-27
On my admin pages I have this:

require 'functions/authentication.php';
isLoggedIn();

Open in new window


This just has some code to verify that the user is logged in and to redirect them if not.

I want to have some other functions on the page as well so let' say the above code changes to:

require 'functions/authentication.php';
require 'functions/otherFunctions.php';
isLoggedIn();
someOtherFunction();

Open in new window


If otherFunctions.php contains ONLY php functions, do I need to also add the isLoggedIn() function to otherFunctions.php?

I just ask because if you type in the path to the otherFunctions.php in the url, it displays the page. It doesn't show anything but the page can be accessed. I just wanted to know if that is a major security problem or not?
0
Comment
Question by:Black Sulfur
4 Comments
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
Comment Utility
I would probably write it this way so that the auth check is done before the client is able to do anything.  I'm assuming the 'isLoggedIn()' function redirects them to a login page if they are not logged in.  I have some included/required pages that look for a $_SESSION variable to be set and exit if it isn't.
require 'functions/authentication.php';
isLoggedIn();
require 'functions/otherFunctions.php';
someOtherFunction();

Open in new window

0
 

Author Comment

by:Black Sulfur
Comment Utility
Yeah, it redirects them to a login page if they aren't logged in. But, what I mean is I can view the function page in a url:

www.mysite.com/functions/otherFunctions.php

All this page contains is a bunch of functions that get called on other pages. So, I am asking if I need to have

require 'functions/authentication.php';
isLoggedIn();

Open in new window


on the actual otherFunctions.php page or can a user do nothing with this page by typing its url directly into the browser?
0
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 150 total points
Comment Utility
That page should not be available to the user.
Normally the includes are in a folder that is not public and not browseable.

HTH,
Dan
1
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 300 total points
Comment Utility
otherFunctions.php contains ONLY php functions...
There are two answers here.

First answer (narrow and accurate):  A script that contains nothing but PHP function definitions and performs no actions at all is a large "no-op" receiving no input, creating no output, and having no effect on the state of the client or server.  It doesn't matter whether it is password-protected or not -- the "page" doesn't do anything.

Second answer (broad and more "real world"):  What Dan said.  This is a fairly standard design pattern that you will find in most frameworks.  The code fragments like functions.php are either located somewhere that is outside of the WWW root, or are restricted by .htaccess, or are started with some kind of code that disallows direct browsing.  CodeIgniter uses a statement like this to make sure that all routing comes through index.php
<?php defined('BASEPATH') or exit('No direct script access allowed');

Open in new window

So if it doesn't matter, why do it?  Because it is considered a good design (and security) practice to keep things as separated and isolated as possible, sharing as little scope as possible.  This minimizes the risk of spooky action at a distance.  Look around for articles about object-oriented design principles, particularly Separation of Concerns, and you'll find more of the current thinking about this topic.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
How to Insert a File Using Text Editor 9 51
First name pregmatch 11 29
Button Click 11 24
session dropped in IE 10 19
Generating table dynamically is the most common issue faced by php developers.... So it seems there is a need of an article that explains the basic concept of generating tables dynamically. It just requires a basic knowledge of html and little maths…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now