Adding a sentinel page to my website

  • Thread starter: Jamin2112
  • Tags: web hosting

Discussion Overview

The discussion revolves around implementing a captcha system on a website using PHP. Participants explore methods for ensuring that users solve a captcha before accessing other pages, addressing technical challenges and code implementation details.

Discussion Character

  • Technical explanation
  • Debate/contested
  • Mathematical reasoning

Main Points Raised

  • One participant describes their approach of redirecting users to a sentinel page until they solve a captcha, mentioning the need for this due to hosting requirements.
  • Another participant suggests including a common header file to manage captcha state across pages, proposing the use of cookies or sessions to track whether the captcha has been solved.
  • A participant shares their implementation of session management to check if the captcha has been solved, indicating initial success but expressing intent to report any issues encountered.
  • Concerns are raised about the reliability of the captcha generator being used, with one participant noting that correct inputs are sometimes not accepted.
  • Technical critiques are offered regarding the placement of session_start() and the structure of the HTML document, with suggestions to move session_start() above the DOCTYPE declaration to avoid issues with session management.
  • Another participant points out potential confusion caused by function placements within the output code and suggests debugging techniques to compare stored captcha values with user inputs.
  • Discussion includes commentary on HTML5 standards and the necessity of certain tags, with some participants arguing that omitting tags does not affect functionality but may lead to validation issues.

Areas of Agreement / Disagreement

Participants express differing views on the best practices for structuring PHP and HTML code, particularly regarding session management and HTML document structure. There is no consensus on the reliability of the captcha generator or the effectiveness of the current implementation.

Contextual Notes

Limitations include potential issues with session management due to the order of code execution, as well as the reliability of the captcha generator, which has not been fully resolved. There are also unresolved questions regarding the proper structure of HTML documents in relation to PHP output.

Jamin2112
I just started learning PHP yesterday and I'm not sure how to do what I'm trying to do.

I made, as a test page, this: http://jaminweb.com/sentinel.php

using a PHP captcha generator I got from GitHub and modified for my own usage. I'm going to use a slight hack so my index.html reroutes to sentinel.php ... This is necessary because my web hosting service requires an index.html. Anyhow, my goal is that, when and only when the captcha has been solved, access to all my other pages is allowed. That way someone can't shortcut by going to http://jaminweb.com/projects.html and bypassing the sentinel page.

How do I do this?
 
You can include a common header file everywhere that handles the captcha thing: store somewhere (cookie, session(, url), ...) that the user solved the captcha and check for this information for every loaded page. If "captcha solved" is not there, show the captcha instead of the actual page.
 
mfb said:
You can include a common header file everywhere that handles the captcha thing: store somewhere (cookie, session(, url), ...) that the user solved the captcha and check for this information for every loaded page. If "captcha solved" is not there, show the captcha instead of the actual page.

I'll make an attempt at doing that.
 
Yea, I've started adding

Code:
<?php
session_start();
if(!isset($_SESSION['captcha']) || $_SESSION['captcha'] != 1)
{
    header('Location: sentinel.php');
    exit;
}
?>

to the top of my pages and it seems to be working. I'll let you guys know about any problems I run into and can't figure out on my own.
 
The captcha generator I'm using isn't working 100% of the time. Sometimes I'll type in the correct text and it will not accept it as correct. I'm trying to figure out why.

See if it works for you: www.jaminweb.com

Here's the source code for my sentinel page:

Code:
<!DOCTYPE html>
<!--
Captcha generator borrowed from here: https://gist.github.com/Swader/9050789
Source code modified for my usage 
All rights reserved to user Swader
-->
<html>
<head>
    <?php
    session_start();
    $_SESSION['captcha'] = 0;
    $_SESSION['count'] = time();
    $image;
    ?>
	<title>Sentinel page</title>
	<link href="style.css" rel="stylesheet" type="text/css">
	<script src="jsfunctions.js" type="text/javascript"></script>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
	<div id="logo_bubble">
		<span>J</span>
		<span>a</span>
		<span>m</span>
		<span>i</span>
		<span>n</span>
		<span>W</span>
		<span>E</span>
		<span>B</span>
	</div>
	<div class="header">
	    <p id="sentheader">00011101010000110101010</p>
	</div>
	<div class="maincontent">
	<h1>
		Welcome!
	</h1>
	<hr>
	<p>
		Before entering, I need to make sure you're human.  
	</p>
	<div id="questdiv">
	<?php
	$flag = 5;
	if (isset($_POST["flag"])) {
		$input = $_POST["input"];
		$flag = $_POST["flag"];
	}
	 
	if ($flag == 1) {
		if ($input == $_SESSION['captcha_string']) {
			?>
	 
			<div>
				<h3>Ok, you're probably human.</h3>
				<h3><a href="homepage.php">Enter JaminWEB</a></h3>
				<?php 
				    $_SESSION['captcha'] = 1;
				?>
	            <!--
				<form action=" <?php /* echo $_SERVER['PHP_SELF']; */ ?>" method="POST">
					<input type="submit" value="Enter Homepage" class="sentipt"/>
				</form>
				-->
			</div>
	 
		<?php
	 
		} else {
			?>
	 
			<div align="center">
				<h3><span style="color: #DF0101">Your answer is incorrect!</span> Please try again.</h3>
			</div>
	 
			<?php
			create_image();
			display();
		}
	} else {
		create_image();
		display();
	}
	 
	function display()
	{
		?>
	 
		<div>
		    <div align="center"><h3>Type in the text you see below.</h3></div>
			<div align="center"><img src="image<?php echo $_SESSION['count'] ?>.png" id="capimg" style="border: 0px"></div>
			<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
			<div align="center"><input type="text" name="input" id="sentipt" style="width: 300px;"/></div>
			<div align="center"><input type="hidden" name="flag" value="1" class="sentipt"/></div>
			
			<div align="center"><input type="submit" value="submit" name="submit" class="sentipt"/></div>
			</form>
            <!--  
			<form action=" <?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
				<input type="submit" value="refresh the page" class="sentipt"/>
			</form>
			-->
		</div>
	 
	<?php
	}
	 
	function  create_image()
	{
		global $image;
		$image = imagecreatetruecolor(200, 50) or die("Cannot Initialize new GD image stream");
	 
		$background_color = imagecolorallocate($image, 255, 255, 255);
		$text_color = imagecolorallocate($image, 180, 4, 4);
		$line_color = imagecolorallocate($image, 249, 198, 36);
		$pixel_color = imagecolorallocate($image, 180, 4, 4);
	 
		imagefilledrectangle($image, 0, 0, 200, 50, $background_color);
	 
		for ($i = 0; $i < 3; $i++) {
			imageline($image, 0, rand() % 50, 200, rand() % 50, $line_color);
		}
	 
		for ($i = 0; $i < 1000; $i++) {
			imagesetpixel($image, rand() % 200, rand() % 50, $pixel_color);
		}
	 
	 
		$letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
		$len = strlen($letters);
		$letter = $letters[rand(0, $len - 1)];
	 
		$text_color = imagecolorallocate($image, 0, 0, 0);
		$word = "";
		for ($i = 0; $i < 6; $i++) {
			$letter = $letters[rand(0, $len - 1)];
			imagestring($image, 7, 5 + ($i * 30), 20, $letter, $text_color);
			$word .= $letter;
		}
		$_SESSION['captcha_string'] = $word;
	 
		$images = glob("*.png");
		foreach ($images as $image_to_delete) {
			@unlink($image_to_delete);
		}
		imagepng($image, "image" . $_SESSION['count'] . ".png");
	 
	}
	 
	?>
	</div>
	</div>
	<div class="footer">
		<p><span class="yellow_highlight">Last updated:</span> 04/02/2014</p>
	</div>
	<script type="text/javascript">
	    window.setInterval("set_head_bckgd()",200);
	</script>
</body>

</html>

Note that I copied some code from a GitHub page and modified it. I thought I had made sure not to modify anything that would affect the functionality of the captcha.
 
Functions in the middle of code that outputs something are confusing. And you shouldn't use Il O as letters as they can be misleading.
The first $letter = $letters[rand(0, $len - 1)]; is pointless.

Did you compare the stored word with the user input as debug output? That would help to find the error.
 
session_start() has to come before any byte of HTML output. Move session_start() above the DOCTYPE declaration and you're golden.
 
Oh I see how you might have mixed things up a little.

In HTML5, you don't technically need a <!doctype>, an <html> tag, a <head> tag, or even a <body> tag. The <title> tag is the only element that should be included in every document (I think this will fail W3C Validation), though again, this isn't a strict rule. In his example, he omits the doctype and the <html> and <head> tags completely, which, again, is perfectly legal.

When you added it in above the session_start(), you actually had already written to the output stream (with the doctype and the <html> and <head> tags). Because it's already been written to, you can't modify session variables, headers, and a few other things.

Note that even a space before the session_start() would prevent you from starting the session.
 
Oz Ramos said:
Note that even a space before the session_start() would prevent you from starting the session.

It is even worse - saving the file as UTF-8 with BOM is enough to break the whole thing.
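
The common include suggested earlier in the thread, combined with the ordering point from the later replies, as an added example that is not code from any poster here. The file name captcha_gate.php and the gate_* function names are hypothetical; the session keys and sentinel.php are the ones used in the thread.

```php
<?php
// captcha_gate.php (hypothetical name): include as the very first line of
// every protected page, before the DOCTYPE or any whitespace.
declare(strict_types=1);

/** Start the session, failing loudly if output has already been sent. */
function gate_start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // A stray space, a UTF-8 BOM or the DOCTYPE before this call means the
    // headers are gone and the session cookie can no longer be set.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
    session_start();
}

/** Compare the submitted answer with the stored one; the stored one is single-use. */
function gate_verify(string $input): bool
{
    $expected = $_SESSION['captcha_string'] ?? '';
    unset($_SESSION['captcha_string']);          // one attempt per generated image
    if ($expected === '' || !hash_equals($expected, $input)) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session ID once the state changes
    $_SESSION['captcha'] = 1;
    return true;
}

/** Redirect to the sentinel page unless the captcha has been solved. */
function gate_require_solved(string $sentinel = 'sentinel.php'): void
{
    gate_start_session();
    if (($_SESSION['captcha'] ?? 0) !== 1) {
        header('Location: ' . $sentinel);
        exit;
    }
}
```

The check only runs in files the server executes as PHP, so a static page such as projects.html is not covered by it. The sentinel page would call gate_start_session() and gate_verify() before emitting any HTML, and every other page would call gate_require_solved().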
 
