0

I have the following code snippet in php

if($userName==$dbUserName&&md5($passWord)==$dbPassWord){

            echo "<input name='username' type='hidden' value='$userName'>";
            header('Location: http://localhost:8080/ClientModule/student.jsp');
            die();

        }

the php redirects to the following jsp

<%@page contentType="text/html" pageEncoding="UTF-8" errorPage="error.jsp"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/sql" prefix="sql"%>

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Student Home</title>
    </head>
    <body>
        <h1>
            Logged in as: ${param.username}
        </h1>
        <nav>
            <p><a href="student.jsp">Home</a></p>
            <p><a href="profile.jsp">Profile</a></p>
            <p><a href="tutorList.jsp">Teachers</a></p> 
            <p><a href="studentNotifs.jsp">Notifications</a></p> 
        </nav>
    </body>
</html>

I must have done something wrong in the php file, can someone help me spot it? Any help is much appreciated

Jer Yango
  • 582
  • 2
  • 8
  • 22

1 Answers1

0

When you do this:

        header('Location: http://localhost:8080/ClientModule/student.jsp');

The browser simply does a GET request to the specified URL. The form field you echo out on the line above is not included in this request. In stead, what you want is something like this:

        header('Location: http://localhost:8080/ClientModule/student.jsp?username='.$userName);
Nico
  • 2,645
  • 19
  • 25
  • according to my professor this approach can easily be tricked. since the parameter is easily seen in the url, a user can simply change the value to pretend to be another user. As far as I'm concerned there has to be something to prevent that, but there may be some better approaches. – Jer Yango Mar 09 '14 at 11:15
  • Right, so with this approach, I could log in as anyone just by changing the URL. There is no way to send data to the server that can't be intercepted on the way, regardless of whether the data is visible in the URL or not. In order to fix this you have to use something that only the server can know in order to authenticate users. If you were using PHP only you could do this with a session, but when you're mixing PHP and JSP it's a little trickier. – Nico Mar 09 '14 at 11:21
  • You might want to look into methods of doing user authentication, for example http://stackoverflow.com/questions/1624846/php-best-practices-for-user-authentication-and-password-security – Nico Mar 09 '14 at 11:24
  • That is true. I've been trying cookies also for this matter. Apparently there is a difference on how php and jsp sets and gets cookies which is another problem – Jer Yango Mar 09 '14 at 11:31
  • Cookies are standardized, so there should not be any issues with passing cookies between PHP and JSP. However, cookies are sent along with the request in plain text just like any other data, so the issue remains the same: If you let users log in simply by specifying their user name, your site will be extremely easy to hack. – Nico Mar 09 '14 at 11:34
  • It sounds like you should ask a different question :) – Nico Mar 09 '14 at 11:35
  • The authentication comes with a password as well, its just that i need to pass the username to the other pages to be able to display the correct information. – Jer Yango Mar 09 '14 at 11:50
  • If you go directly to http://localhost:8080/ClientModule/student.jsp?username=Admin, you will be authenticated as Admin. So the way you're doing it now it's actually not necessary to know the password to authenticate. You only need to know a valid user name. Like I said, you probably should be looking for info on user authentication. This question has been answered. – Nico Mar 09 '14 at 11:55