[Tfug] PHP + Following Links

Adrian choprboy at dakotacom.net
Thu Feb 15 23:39:51 MST 2007


On Thursday 15 February 2007 23:01, Christopher Robbins wrote:
> I've moved our old content management system from old server to a shiny,
> super-fast dual-Xeon server running openSUSE 10.2
> 
> For some dumb reason, our login system fails.  One is able to login and see
> the first screen you see after login, but everything else after
> that kicks out to the login screen.  I'm a bit confused and wondering if
> there's a setting I missed in the php config somewhere.  I'd
> offer more info, but it was a custom setup and getting in touch with the
> vendor is...unpossible.
> 

Can you at least look at the PHP source code for the pages or is it compiled? 
My first guess would be that it is a PHP server config difference... probably 
something like the app requires/was built to use "register_globals=yes". The 
register_globals option is now off by default as it presents a major security 
hazard. See as an example:
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html#step3

This may be something like the app assigns a variable uid=<long alphanum> and 
puts it in every form/URL generated as a hidden input to track/link the user 
response back. But instead of doing a $_POST['uid'] or $_GET['uid'] as 
appropriate and doing the long:
  if(isset($_POST['uid'])){
    $response_uid = $_POST['uid'];
  }elseif(isset($_GET['uid'])){
    $response_uid = $_GET['uid'];
  }

the programmer instead just took a shortcut and set register_globals:
  $response_uid = $uid;

Continuing on my first guess... I would think that every page, other than the 
login and index pages, would do an if(!valid_user($uid)){<redirect to login>} 
type of check first thing to see if the user has authenticated, and if not 
kick them out/to a login page without processing anything else. So locating 
that function in a page, then tracking it back and debugging its logic would 
be my first step.

Adrian
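As an added example (not Adrian's code, nor the CMS discussed in the thread): a small PHP script that emulates what register_globals did with extract() and contrasts it with the explicit $_POST/$_GET lookup above, so the "works on the old server, redirects on the new one" symptom can be reproduced offline. valid_user, the uid store and the request arrays are constructed assumptions.

```php
<?php
// Added illustration, not code from the thread or the CMS discussed.
// Constructed data: a map of issued uid tokens standing in for the app's store.
$known_uids = ['a1b2c3d4e5f6' => 'chris'];

// Assumed helper: a uid is valid only if it is present and was issued by us.
function valid_user(?string $uid, array $known): bool
{
    return $uid !== null && isset($known[$uid]);
}

// The register_globals shortcut: PHP used to copy every request parameter into
// a same-named global, so a page could read $uid without saying where it came
// from. extract() emulates that injection here for the demo.
function legacy_uid(array $injected): ?string
{
    extract($injected, EXTR_SKIP);
    return $uid ?? null;   // register_globals=off: nothing injected, so null
}

// The explicit form from the thread: name the superglobal the value is read from.
function explicit_uid(array $post, array $get): ?string
{
    if (isset($post['uid'])) {
        return $post['uid'];
    } elseif (isset($get['uid'])) {
        return $get['uid'];
    }
    return null;
}

// The first-thing-on-every-page check described in the thread.
function page_guard(?string $uid, array $known): string
{
    return valid_user($uid, $known) ? 'render page' : 'redirect to login';
}

// Constructed request: the hidden form input carries the uid via POST.
$post = ['uid' => 'a1b2c3d4e5f6'];
$get  = [];

// New server, register_globals=off: $uid is never populated, so every page
// after login bounces back to the login form.
echo "legacy, register_globals=off: ", page_guard(legacy_uid([]), $known_uids), PHP_EOL;
// Old server, register_globals=on: the same code worked because PHP injected $uid.
echo "legacy, register_globals=on:  ", page_guard(legacy_uid($post + $get), $known_uids), PHP_EOL;
// The explicit lookup works regardless of the ini setting.
echo "explicit lookup:              ", page_guard(explicit_uid($post, $get), $known_uids), PHP_EOL;
```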
