AJAX - The Complete Reference


PART II

Chapter 7: Security Concerns 311

<?php
session_start();  // the script's opening (cut off on the previous page) must start the session before $_SESSION is used
// Make sure the browser never caches the login response
header("Cache-Control: no-cache");
header("Pragma: no-cache");

$user = "AjaxSession";
# password is hardcoded but you could retrieve it from DB or file
$password = md5("session");
// The submitted password must match the stored MD5 digest exactly
if ($user == $_GET["username"] && $password == $_GET["password"])
{
    $_SESSION["loggedin"] = true;
    $_SESSION["username"] = $user;
    print "valid";
}
else
{
    // Failed attempt: clear any earlier login state before answering
    if (isset($_SESSION["loggedin"]))
        unset($_SESSION["loggedin"]);
    print "invalid";
}
?>

Back on the client, we can do the redirect or we could allow the server side to do it.

function showResponse(response)
{
    if (response.xhr.responseText == "valid")
        document.location = "http://ajaxref.com/ch7/myprotectedpage.php";
    else
    {
        var responseOutput = document.getElementById("responseOutput");
        responseOutput.innerHTML = "<h3>Error:</h3>Invalid username and/or password.";
    }
}

Do not assume that because the redirect is done client side, this is a security issue. The
protected pages, as shown next, also need to see the session value referenced via the issued
session cookie, and if they do not, they simply bounce the visitor back to the login page.

<?php
session_start();
if (!isset($_SESSION["loggedin"]))
{
    header('Location:authenticationsession.html');
    exit;  // stop here, otherwise the protected markup below is still sent after the redirect header
}
$username = $_SESSION["username"];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Protected page</title>
...snip...
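A hardened version of the two server-side scripts above, as an added example that is not from the book (the function names require_login and login_user, the $VALID_USERS array and the POST login endpoint are assumptions): it stops execution after the redirect, sends no-cache headers from the protected page too, stores a password hash instead of a bare MD5, and regenerates the session id on login.

```php
<?php
// Added example (not from the book). Hypothetical names: require_login(),
// login_user(), $VALID_USERS. Three changes to the pattern in the chapter:
//   1. exit after the Location header, so protected markup is never emitted;
//   2. no-cache headers on protected pages, so a shared browser cannot
//      redisplay them from cache after logout;
//   3. session_regenerate_id() on login, so a session id fixed before login
//      is not carried into the authenticated session.

function require_login(string $login_page = 'authenticationsession.html'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    if (empty($_SESSION["loggedin"])) {
        header("Location: " . $login_page);
        exit; // without this the rest of the page is still sent to the client
    }
}

// Constructed credential store: hashes produced with password_hash().
// A real application would load these from a database or file.
$VALID_USERS = [
    "AjaxSession" => password_hash("session", PASSWORD_DEFAULT),
];

function login_user(array $users, ?string $username, ?string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $hash = $users[$username ?? ''] ?? null;
    // password_verify does the comparison in constant time
    if ($hash !== null && $password !== null && password_verify($password, $hash)) {
        session_regenerate_id(true); // fresh id, old one is discarded
        $_SESSION["loggedin"] = true;
        $_SESSION["username"] = $username;
        return true;
    }
    unset($_SESSION["loggedin"], $_SESSION["username"]);
    return false;
}

// Login endpoint: credentials travel in the POST body rather than the query
// string, so they are not written to server, proxy or browser history logs.
if (php_sapi_name() !== 'cli' && $_SERVER["REQUEST_METHOD"] === "POST") {
    print login_user($VALID_USERS, $_POST["username"] ?? null, $_POST["password"] ?? null)
        ? "valid" : "invalid";
}
```

A protected page then calls require_login() as its first statement and the rest of the file is reached only by an authenticated session.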