Simple PHP Login Systems and PHP Header – Break them with cURL

Most of the simple, free PHP scripts out there for user login systems have several large flaws in them, and I’ll admit that my earliest sites weren’t safe from what I’m going through today.

cURL is a valuable tool for any PHP developer and has extremely useful applications, one of which is logging into remote sites to post forms. It also illustrates a flaw with many sites: they use header redirects (as shown below) in their login systems to keep people away from pages they shouldn’t see, and to log them in and out.

if ($_SESSION['logged'] != 1) {
    header("Location: login.php");
}

That very simple bit of code checks to see whether a session has been found where logged = 1. If it doesn’t find one then it will redirect the user to login.php without showing them the page.

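The problem here is that header location ONLY works when it’s sent before any other output on the page, otherwise you’ll see an error and then the rest of the page we shouldn’t be seeing. On top of that, header() does not stop the script: everything below the check still runs and is sent along with the redirect, and a client that doesn’t follow redirects, which is cURL’s default, simply reads it. This means the header location redirect doesn’t work as protection and anyone can grab your “protected” page easily and quickly without logging in.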

To solve this quickly (without changing your basic login script at all), make sure you have failsafes! The simplest would be to add a die statement as below so that if your redirect fails, they won’t get to see your private page.

if ($_SESSION['logged'] != 1) {
    header("Location: login.php");
    // header() does not end the script, so stop here before the private page is output.
    die("Please <a href='login.php'>login</a> before accessing this page.");
}

Very simple stuff, but there are lots of sites without it.
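
To find pages that are missing this failsafe, here is a small audit script, added as an example and not part of the original post, that reports every header("Location: ...") call not directly followed by exit or die. It is written in Python rather than PHP so it can run outside the site being checked; the function names and the sample PHP are constructed for illustration, and because it works on text it is deliberately conservative (a redirect whose exit sits outside the enclosing block is reported too).

```python
import re

# header("Location: ...") in either quote style, any letter case.
REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]\s*location\s*:""", re.I)
# What must follow the call: ';' (or 'or' / '||') and then exit or die.
TERMINATOR = re.compile(r"\s*(?:;|or\b|\|\|)\s*(?:exit|die)\b", re.I)
COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)

def call_end(src, open_paren):
    """Index just past the ')' closing the call that opens at open_paren."""
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)

def unterminated_redirects(src):
    """Line numbers of Location redirects not directly followed by exit/die."""
    findings = []
    for m in REDIRECT.finditer(src):
        end = call_end(src, src.index("(", m.start()))
        rest = COMMENT.sub("", src[end:end + 400])   # ignore comments after the call
        if not TERMINATOR.match(rest):
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings

# Constructed sample: the page's unguarded check, then a guarded variant.
SAMPLE = """<?php
if ($_SESSION['logged'] != 1) {
    header("Location: login.php");
}
echo "private page";
if ($_SESSION['logged'] != 1) { header("Location: login.php"); exit; }
"""
print(unterminated_redirects(SAMPLE))  # [3]
```

Run it over each PHP file's contents; every reported line is a place where the page body is still sent after the redirect header.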