0

First of all, I am developing a mobile application using PhoneGap / Cordova, which is the reason I am looking to go this route.

I am wondering whether it is possible to get the session status from PHP into JavaScript, as I'm looking to secure my whole application to users only.

The PHP I have is as follows:

<?php

$dbhost = '';
$dbuser = '';
$dbpass = '';
$db = '';
$tbl_name=""; 

$conn = mysql_connect($dbhost,$dbuser,$dbpass);
mysql_select_db($db);

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypt_password=md5($mypassword);

$myusername = stripslashes($myusername);
$mypassword = stripslashes($encrypt_password);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($encrypt_password);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){

    session_register("myusername");
    session_register("mypassword");
    session_start();
    $_SESSION["Login"] = "YES";
    header("location:login_success.html");
    echo $_SESSION['data'];
}
else {
    session_start();
    $_SESSION["Login"] = "NO";
    echo $_SESSION['data'];
}

?>

and the HTML file contains the following JavaScript:

<script>
$.get('checklogin.php', function(data) {
    if (data != "YES") {
        window.location.replace("http://aam.prettypottery.ie/index.html");
    }
});
</script>

I think I am close, only every time I try to look at any of my HTML pages, they're all sending me back to the index.html.

Any help would be great. Thanks

1
  • As pid mentions, this will not be a very secure technique. For example, I could simply turn off JavaScript, or run my own script to circumvent yours. This is client-side validation. Never trust the client. (Commented Feb 18, 2014 at 15:24)

1 Answer

2

Yes, it looks like you are close. But the other way around.

If security is of any importance to you, you should take into account this:

  • it's not the browser's responsibility to decide if a user is authorized and a page accessible;
  • the server should redirect if a reserved page is accessed with insufficient authorization (not logged in);
  • the $.get('checklogin.php', function(data) { shouldn't be there at all, this should be done server-side (in PHP);
  • your query $sql="SELECT * FROM $tbl_name WHERE ... is still vulnerable, at least use PDO;
  • passwords are hashed (not encrypted) with MD5 which may suffice for your site, but generally use salting and stronger hashes (SHA1 at least);
  • don't just test the result count but actually obtain some info from the DB and use that to authenticate.

Something like this:

SELECT username FROM accounts WHERE ...

and this:

$authenticated = strcasecmp($username, $resulting_username) === 0;

To solve your problem right now, you would have to render in PHP at least a variable that tells the JavaScript code to redirect. Something like this.

In HTML/PHP:

<script>
  if (<?php echo ($authenticated ? 'true' : 'false'); ?>)
  {
    alert("Good boy!");
  } else {
    alert("Bad Trudy is bad!");
  }
</script>

Producing this HTML result:

<script>
  if (true)
  {
    alert("Good boy!");
  } else {
    alert("Bad Trudy is bad!");
  }
</script>

It suffices to deactivate JavaScript and the page will not react at all to this code and display its content without any hindrance.

4 Comments

I will certainly look at security issues in more depth, but for the moment, working with PhoneGap, how else would you propose I protect my pages to restrict them to only users after they register / login?
I have added some more explanation on how to render a PHP variable inside your JS code so you can react client-side. Still, it makes puppies cry :)
Cheers pid. After considering the puppies more, how would you feel about an HTTP header? I'm trying to read up on those as an alternative but of course, it doesn't seem too straightforward. In your opinion, am I going the right direction or wasting my time? Thanks again
You mean when the server sees you are not authenticated it redirects you to the login? SURE! That's exactly what you should do.
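
The server-side approach the answer and its comments arrive at (PDO lookup, using the row returned from the database, redirecting when not logged in), as an added example that is not part of the original thread. The `accounts` table name comes from the answer; the `password_hash` column, the sample account, `login.html`, and the use of PHP's `password_hash()`/`password_verify()` in place of the question's MD5 are assumptions made for this illustration.

```php
<?php
// Added example, not the poster's code. Column names, the sample account
// and login.html are assumptions made for this illustration.
declare(strict_types=1);

// Look the user up with a bound parameter and return the username as stored
// in the database, or null when the credentials do not match.
function authenticate(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, password_hash FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Server-side gate for every reserved page: returns the URL to redirect to,
// or null when the session belongs to a logged-in user.
function guard(array $session): ?string
{
    return isset($session['username']) ? null : 'login.html';
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO accounts VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = []; // stands in for $_SESSION after session_start()
$attempts = [['alice', 'wrong'], ["o'brien", 'x'], ['alice', 'correct horse']];
foreach ($attempts as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    if ($user !== null) {
        // In a real login handler: session_start(); session_regenerate_id(true);
        $session['username'] = $user;
    }
    $target = guard($session);
    // In a real page: if ($target !== null) { header("Location: $target"); exit; }
    printf("%-10s -> %s\n", $u, $target === null ? 'serve page' : "redirect to $target");
}
```

Because the decision is made before any page content is sent, disabling JavaScript in the client changes nothing: an unauthenticated request only ever receives the redirect.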
