
 Multiple apps and security


Author Message
vaviles
Posted: 02/22/2002, 11:39 AM

Hello:

I have two applications running on the same web server, both are using login security, but if a user logs to one, it automatically has access to the other one and I want to prevent it. Is there a way to do that? My env is Apache, PHP and Oracle.

Thanks !
AudiTT @ MCI
Posted: 02/22/2002, 2:57 PM

Take and add a new field to your database like so.

UserID UserName Password SecLev

Make it like this..

UserID UserName Password App1 App2 App3... etc..

Make a different field for the security level for each.. even if you only have 1 level, this will change the Session information and force a login between applications..

This works for me in ASP / IIS / SQL, but the concept should be similar.

Bryan
v aviles
Posted: 02/22/2002, 8:14 PM

Thanks Bryan, it does not work under PHP. The two apps connect to two different Oracle databases on two different servers using two different users. The structure for both tables is different, yet if you log to one app and then go back to a URL from the other app you gain access.

I think though that you did make a good point which I had not considered, both UserID fields in the member tables of both databases are based on a sequence generated by a trigger <for an auto increment number>, both starting at the same number 1..2..3.. and so on, and I think that what is happening is that validation for page access is being done on just the id alone, therefore an id from one database will have access to a different page because they share the same id, which is kind of a security risk.

Thanks for your post, now I have to prove this theory....

--virgil

Ron Borkent
Posted: 02/23/2002, 5:51 AM

I think the best way is to do a custom login. First create a login table with more than just the login fields from CC. For example:

login
password
level
domain

Then with custom login create session variable of domain:


//-------------------------------
$sLogin = get_param("Login");
$sPassword = get_param("Password");
$db->query("SELECT login_id,security_level_id,domain FROM uslogin WHERE login=" . tosql($sLogin, "Text") . " AND password=" . tosql($sPassword, "Text"));
$is_passed = $db->next_record();

if ($is_passed)
{
    //-------------------------------
    // Login and password passed
    //-------------------------------
    set_session("UserID", $db->f("login_id"));
    set_session("UserRights", $db->f("security_level_id"));
    //create session variable of the added domain
    set_session("DomainRights", $db->f("domain"));

    // ret_page is a request parameter; restrict it to this application's own pages
    $sPage = get_param("ret_page");
    if (strlen($sPage))
    {
        header("Location: " . $sPage);
        exit;
    }
    else
    {
        header("Location: some_page.php");
        exit;
    }
}


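In page event (custom security) do this:

//security level
check_security(2);

//check the added domain level, in this case ai
if (get_session("DomainRights") <> "ai")
{
    // drop the login state (session_unregister() was removed in PHP 5.4; newer code uses unset($_SESSION[...]))
    session_unregister("UserID");
    session_unregister("UserRights");
    //redirect user to login page if not enough authorisation
    header("Location: loginfail.php");
    exit; // stop here so the rest of the protected page does not run
}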


At the loginfail.php the user gets a message like your authorisation is not enough for the page you are trying to open. Please login.

The loginfail page also gives the user the possibility to login again.

With this setup you theoretically secure each individual page with a different domain. Within each domain you still have the three levels of security.
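The per-application check from this thread, as an added example that is not part of the original posts or of CodeCharge's generated code: it puts a check on UserID and level alone beside the check that also requires the DomainRights value set at login. The function names and the application name "app2" are hypothetical, and a plain array stands in for the PHP session so the logic runs from the command line.

```php
<?php
// Added example. bind_login(), id_only_check(), domain_check() and "app2"
// are hypothetical names; the session keys follow the post above.
// $session stands in for $_SESSION so the logic also runs from the CLI.

function bind_login(array &$session, string $domain, int $userId, int $level): void
{
    $session['UserID'] = $userId;
    $session['UserRights'] = $level;
    $session['DomainRights'] = $domain; // which application authenticated this user
}

// Weak form: any session holding a UserID with enough rights passes.
function id_only_check(array $session, int $minLevel): bool
{
    return isset($session['UserID'], $session['UserRights'])
        && (int)$session['UserRights'] >= $minLevel;
}

// Form from the post: the session must also belong to this application.
function domain_check(array &$session, string $domain, int $minLevel): bool
{
    $ok = id_only_check($session, $minLevel)
        && isset($session['DomainRights'])
        && $session['DomainRights'] === $domain;
    if (!$ok) {
        // Clear the login state; the page then redirects to the login page and exits.
        unset($session['UserID'], $session['UserRights'], $session['DomainRights']);
    }
    return $ok;
}

// Constructed scenario: the user logged in to application "ai" only,
// and both applications read the same session data.
$session = [];
bind_login($session, 'ai', 1, 2);

$results = [
    'ai page, domain check'       => domain_check($session, 'ai', 2),
    'app2 page, id-only check'    => id_only_check($session, 2),
    'app2 page, domain check'     => domain_check($session, 'app2', 2),
    'ai page after failed check'  => domain_check($session, 'ai', 2),
];

foreach ($results as $label => $allowed) {
    echo str_pad($label, 30), $allowed ? "allowed" : "denied", PHP_EOL;
}
```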




   

