SESSION.html

<!DOCTYPE html>
<html lang="" xml:lang="">
<head>

  <meta charset="utf-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge" />
  <title>8 SESSION | PHP For The Web: Enough to be Dangerous</title>
  <meta name="description" content="A primer on PHP with an emphasis on building for the web." />
  <meta name="generator" content="bookdown 0.25 and GitBook 2.6.7" />

  <meta property="og:title" content="8 SESSION | PHP For The Web: Enough to be Dangerous" />
  <meta property="og:type" content="book" />
  
  <meta property="og:description" content="A primer on PHP with an emphasis on building for the web." />
  

  <meta name="twitter:card" content="summary" />
  <meta name="twitter:title" content="8 SESSION | PHP For The Web: Enough to be Dangerous" />
  
  <meta name="twitter:description" content="A primer on PHP with an emphasis on building for the web." />
  

<meta name="author" content="Bryan Hoffman" />


<meta name="date" content="2022-01-01" />

  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="apple-mobile-web-app-capable" content="yes" />
  <meta name="apple-mobile-web-app-status-bar-style" content="black" />
  
  
<link rel="prev" href="Forms-and-Files.html"/>
<link rel="next" href="Next.html"/>
<script src="libs/jquery-3.6.0/jquery-3.6.0.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/fuse.js@6.4.6/dist/fuse.min.js"></script>
<link href="libs/gitbook-2.6.7/css/style.css" rel="stylesheet" />
<link href="libs/gitbook-2.6.7/css/plugin-table.css" rel="stylesheet" />
<link href="libs/gitbook-2.6.7/css/plugin-bookdown.css" rel="stylesheet" />
<link href="libs/gitbook-2.6.7/css/plugin-highlight.css" rel="stylesheet" />
<link href="libs/gitbook-2.6.7/css/plugin-search.css" rel="stylesheet" />
<link href="libs/gitbook-2.6.7/css/plugin-fontsettings.css" rel="stylesheet" />
<link href="libs/gitbook-2.6.7/css/plugin-clipboard.css" rel="stylesheet" />








<link href="libs/anchor-sections-1.1.0/anchor-sections.css" rel="stylesheet" />
<link href="libs/anchor-sections-1.1.0/anchor-sections-hash.css" rel="stylesheet" />
<script src="libs/anchor-sections-1.1.0/anchor-sections.js"></script>




<link rel="stylesheet" href="style.css" type="text/css" />
</head>

<body>



  <div class="book without-animation with-summary font-size-2 font-family-1" data-basepath=".">

    <div class="book-summary">
      <nav role="navigation">

<ul class="summary">
<li><a href="./">PHP For The Web</a></li>

<li class="divider"></li>
<li class="chapter" data-level="1" data-path="index.html"><a href="index.html"><i class="fa fa-check"></i><b>1</b> Introduction and Prerequisites<span></span></a></li>
<li class="chapter" data-level="2" data-path="printing.html"><a href="printing.html"><i class="fa fa-check"></i><b>2</b> Printing in the Terminal and on the Web<span></span></a></li>
<li class="chapter" data-level="3" data-path="branching.html"><a href="branching.html"><i class="fa fa-check"></i><b>3</b> Branching and Conditionals<span></span></a></li>
<li class="chapter" data-level="4" data-path="loops.html"><a href="loops.html"><i class="fa fa-check"></i><b>4</b> Loops<span></span></a></li>
<li class="chapter" data-level="5" data-path="functions-and-recursion.html"><a href="functions-and-recursion.html"><i class="fa fa-check"></i><b>5</b> Functions and Recursion<span></span></a></li>
<li class="chapter" data-level="6" data-path="GET.html"><a href="GET.html"><i class="fa fa-check"></i><b>6</b> HTTP GET Variables<span></span></a></li>
<li class="chapter" data-level="7" data-path="Forms-and-Files.html"><a href="Forms-and-Files.html"><i class="fa fa-check"></i><b>7</b> Forms and Files<span></span></a></li>
<li class="chapter" data-level="8" data-path="SESSION.html"><a href="SESSION.html"><i class="fa fa-check"></i><b>8</b> SESSION<span></span></a></li>
<li class="chapter" data-level="9" data-path="Next.html"><a href="Next.html"><i class="fa fa-check"></i><b>9</b> What Next?<span></span></a></li>
</ul>

      </nav>
    </div>

    <div class="book-body">
      <div class="body-inner">
        <div class="book-header" role="navigation">
          <h1>
            <i class="fa fa-circle-o-notch fa-spin"></i><a href="./">PHP For The Web: Enough to be Dangerous</a>
          </h1>
        </div>

        <div class="page-wrapper" tabindex="-1" role="main">
          <div class="page-inner">

            <section class="normal" id="section-">
<div id="SESSION" class="section level1 hasAnchor" number="8">
<h1><span class="header-section-number">8</span> SESSION<a href="SESSION.html#SESSION" class="anchor-section" aria-label="Anchor link to header"></a></h1>
<p>We don’t want just anyone to be able to come along and edit our blog. Let’s make an effort to protect it. In this effort, we will encounter another super global “$_SESSION[]” along the way. We’ll be pretending this is secure. In “real world” applications, it’s best to go with an established method and not reinvent the wheel yourself. But, for us right now, reinventing the wheel might prove to be an enlightening experience!</p>
<p>So, what’s this “$_SESSION” super global do? It holds information about the user and their session with the server. This is where you might find a username or perhaps time zone details and other personal settings.</p>
<p>We’ll create a session in one line at the top of index.php and then store “true” in “$_SESSION[‘authenticated’]” when the client proves they know a secret pin. We should take care to hide the “edit mode” from users who aren’t logged-in. For a user who wants to log in, navigating to edit mode will prompt them for the pin. It’s not the best security method, but this method of security by obscurity does work. Keep the sensitive details out of sight. Why advertise your log in
portal with a link from your navigation bar? Users who are in the know, will know to navigate to the log in page, no need to post it publicly!</p>
<p>Here’s our updated code:</p>
<pre><code>&lt;?php

// start a session
session_start();

// super secret not very secure pin
$secret_pin = &quot;123456&quot;;

// Check if the secret pin form was submitted
if(!empty($_POST[&quot;pin&quot;])) {
    // check pin for correctness
    if($_POST[&quot;pin&quot;] == $secret_pin){
        // set clients status to authenticated
        $_SESSION[&#39;authenticated&#39;] = true;
    }
}

// If the form was submitted write changes to file
if(!empty($_POST[&quot;text&quot;])) {
    // file_put_contentes writes to file
    file_put_contents(&#39;index.html&#39;,$_POST[&quot;text&quot;]);
}

if(isset($_GET[&#39;edit&#39;])) {
    // check for auth
    if(isset($_SESSION[&#39;authenticated&#39;])) {
        // file_get_contents reads from file
        $file_contents = file_get_contents(&#39;index.html&#39;);
        // echo our form elements with $file_contents in the textarea
        echo &#39;&lt;form method=&quot;post&quot; action=&quot;index.php&quot;&gt;&#39;;
        echo &#39;&lt;textarea id=&quot;text&quot; name=&quot;text&quot;&gt;&#39;;
        echo $file_contents;
        echo &#39;&lt;/textarea&gt;&#39;;
        echo &#39;&lt;input type=&quot;submit&quot; value=&quot;submit&quot;&gt;&#39;;
        echo &#39;&lt;/form&gt;&#39;;
    } else {
        // if not authenticated
        // echo our form elements with $file_contents in the textarea
        echo &#39;&lt;form method=&quot;post&quot; action=&quot;index.php&quot;&gt;&#39;;
        echo &#39;&lt;input type=&quot;text&quot; name=&quot;pin&quot;&gt;&#39;;
        echo &#39;&lt;input type=&quot;submit&quot; value=&quot;submit&quot;&gt;&#39;;
        echo &#39;&lt;/form&gt;&#39;;
    }
} else {
    // render index.html
    require(&#39;index.html&#39;);
    // link to access edit mode only show to authenticated users
    if(isset($_SESSION[&#39;authenticated&#39;])) {
        echo &#39;&lt;a href=&quot;/?edit=true&quot;&gt;Edit&lt;/a&gt;&#39;;
    }
}</code></pre>
<p>Serve your web application by running: <code>&gt;php -S localhost:8080 index.php</code></p>
<p>Navigate to <a href="http://localhost:8080?edit" class="uri">http://localhost:8080?edit</a> to log in. That’s it! We’ve somewhat secured the simple blog we made in the last chapter. By no means is this secure-secure, but it is at least better than nothing!</p>
<p>Exercises:</p>
<ol style="list-style-type: decimal">
<li><p>A PHP file might be revealed by the browser in certain circumstances. For example, forget an opening “&lt;?php” and a chunk of code might show up in the browser. To prevent this from ever happening with “$secret_pin”, try to isolate that code in another file and load it into index.php instead.</p></li>
<li><p>Imagine you shared this simple blog with a friend and they were making edits at the same time as you. What kind of errors could happen as a result? How might you prevent those errors?</p></li>
</ol>

</div>
            </section>

          </div>
        </div>
      </div>
<a href="Forms-and-Files.html" class="navigation navigation-prev " aria-label="Previous page"><i class="fa fa-angle-left"></i></a>
<a href="Next.html" class="navigation navigation-next " aria-label="Next page"><i class="fa fa-angle-right"></i></a>
    </div>
  </div>
<script src="libs/gitbook-2.6.7/js/app.min.js"></script>
<script src="libs/gitbook-2.6.7/js/clipboard.min.js"></script>
<script src="libs/gitbook-2.6.7/js/plugin-search.js"></script>
<script src="libs/gitbook-2.6.7/js/plugin-sharing.js"></script>
<script src="libs/gitbook-2.6.7/js/plugin-fontsettings.js"></script>
<script src="libs/gitbook-2.6.7/js/plugin-bookdown.js"></script>
<script src="libs/gitbook-2.6.7/js/jquery.highlight.js"></script>
<script src="libs/gitbook-2.6.7/js/plugin-clipboard.js"></script>
<script>
gitbook.require(["gitbook"], function(gitbook) {
gitbook.start({
"sharing": {
"github": false,
"facebook": true,
"twitter": true,
"linkedin": false,
"weibo": false,
"instapaper": false,
"vk": false,
"whatsapp": false,
"all": ["facebook", "twitter", "linkedin", "weibo", "instapaper"]
},
"fontsettings": {
"theme": "white",
"family": "sans",
"size": 2
},
"edit": {
"link": null,
"text": null
},
"history": {
"link": null,
"text": null
},
"view": {
"link": null,
"text": null
},
"download": ["PHP For The Web: Enough to be Dangerous by Bryan Hoffman.pdf"],
"search": {
"engine": "fuse",
"options": null
},
"toc": {
"collapse": "subsection"
}
});
});
</script>

</body>

</html>