Help with Sessions and Authentication

johnbran
Forum Newbie
Posts: 17
Joined: Tue Jul 16, 2002 8:18 pm

Help with Sessions and Authentication

Post by johnbran »

I have an authorization form where users type in their userid and password. The following code works fine for logins but when I try to access the protected pages...see even more code way below...the page isn't protected. Any ideas?

Code:

<?php

include "./commonwebloan_db.inc";
$register_script="./register.php";

function auth_user($wu_Username, $wu_Userpassword) {
	global $odbc_dsn;
	global $odbc_userid;
	global $odbc_password;
	global $user_tablename;
	global $PHP_SELF;
	global $wu_FullName;
	global $wu_Username;
	global $wu_Userpassword;
	global $Rate_Class_Id;

	$odbc_db=odbc_connect($odbc_dsn, $odbc_userid, $odbc_password);

	$query="SELECT wu_FullName, Rate_Class_Id FROM $user_tablename WHERE wu_Username='$wu_Username' AND wu_Userpassword='$wu_Userpassword'";

	if(!($odbc_rs=odbc_do($odbc_db, $query)))
		die ("Error executing query $query");

	// odbc_num_fields() counts the columns of the result set, not the rows it returned
	$num_cols=odbc_num_fields($odbc_rs);
	if($num_cols < 1) return 0;
	else {
		$wu_FullName=odbc_result($odbc_rs, 1);
		$Rate_Class_Id=odbc_result($odbc_rs, 2);
	}
}


function login_form() {
	global $PHP_SELF;
	global $wu_FullName;
	global $wu_Username;
	global $wu_Userpassword;
	global $Rate_Class_Id;
?>

<HTML>
<HEAD>
<TITLE>Login</TITLE>
</HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<?php echo $PHP_SELF; ?>">
<DIV ALIGN="CENTER"><CENTER>
<H3>Please log in to access rates editing.</H3>
<TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
<TR>
<TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>UserName</TH>
<TD WIDTH="82%" NOWRAP>
<INPUT TYPE="TEXT" NAME="wu_Username" SIZE="8">
</TD>
</TR>
<TR>
<TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
<TD WIDTH="82%" NOWRAP>
<INPUT TYPE="PASSWORD" NAME="wu_Userpassword" SIZE="8">
</TD>
</TR>
<TR>
<TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
<INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
</TD>
</TR>
</TABLE>
</CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?php
}


session_start();
if(!isset($wu_Username)) {
	// No credentials submitted yet (register_globals supplies $wu_Username from the form)
	login_form();
	exit;
}
else {
	$odbc_db=odbc_connect($odbc_dsn, $odbc_userid, $odbc_password);

	$query="SELECT wu_FullName, Rate_Class_Id FROM $user_tablename WHERE wu_Username='$wu_Username' AND wu_Userpassword='$wu_Userpassword'";

	if(!($odbc_rs=odbc_do($odbc_db, $query)))
		die ("Error executing query $query");
	$wu_FullName=odbc_result($odbc_rs, 1);
	$Rate_Class_Id=odbc_result($odbc_rs, 2);

	session_register("wu_Username","wu_Userpassword", "wu_FullName", "Rate_Class_Id");

	if(!$wu_FullName) {
		// No matching row: drop everything that was just registered
		session_unregister("wu_Username");
		session_unregister("wu_Userpassword");
		session_unregister("wu_FullName");
		session_unregister("Rate_Class_Id");

		echo "Authorization failed. " .
			"You must enter a valid userid and password combination. " .
			"Click on the following link to try again.<BR>\n";
		echo "<A HREF=\"$PHP_SELF\">Login</A><BR>";
		echo "If you're not a user yet, contact " .
			"BS to register.<BR>\n";

		exit;
	}
	else echo "Welcome, $wu_FullName! from $Rate_Class_Id <br>";
	echo "<A HREF=\"logout.php\">Log Out</A><BR>";
}
?>

After the user logs in successfully, if he attempts to access a page that has the following code at the top, he should not be allowed access if his Dept isn't RE, but all users are able to access this page regardless of the Dept name. What am I doing wrong?

Code:

<?php
@session_start();
if(session_is_registered("wu_FullName"))
	if($Rate_Class_Id=='RE') {
		echo "<p>You are logged in as $wu_FullName $Rate_Class_Id.</p>";
		echo "<p>Members only content goes here</p>";
	}
	else
	{
		echo "<p>You are not logged in or you are not a part of the RE department.</p>";
		echo "<p>Only logged in RE members may see this page.</p>";
	}
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

The first thing to try would be putting session_start() right at the top of the login page.

Mac
musashi
Forum Commoner
Posts: 39
Joined: Tue Jul 23, 2002 12:51 pm
Location: Santa Cruz - CA

A couple of things

Post by musashi »

I agree with placing the session_start at the top. A more confusing aspect is the fact that the condition: if($Rate_Class_Id=='RE') seems to be true. Just as a quick test, I would suggest echoing the $Rate_Class_Id before the conditions just for visual confirmation.

One theory (if $Rate_Class_Id is indeed RE) is that during your testing of your script, a cookie was placed on your system identifying the session you are associated with. If the session_id pointed to a session where $Rate_Class_Id is indeed RE, you might be submitting an old cookie. This can easily be corrected by closing the browser, and opening it up again.

Another thing to check would be the origin of the $Rate_Class_Id. You might have register_globals turned on, which could mean the $Rate_Class_Id is not actually a session variable.

Finally, is the page being displayed actually stating "You are logged in as..."? Your "if" statements seem a little off... you have

if(blah)
if(foo) {}
else {}
...

If I remember my parser knowledge correctly, the first "if" statement will contain (without surrounding brackets) the next "statement" following it. Since an "if-else" situation is considered a single statement, the "if(blah)" will evaluate and (if blah is false), move on to "...". It will not execute the "else" section since that is with the "if(foo)" condition. The solution is to do the following "if(blah && foo)" instead of the two "if" conditions. Since PHP is an LR parser (I believe) if "blah" is false, "foo" will not be evaluated. The reason I bring this up is your code has an echo that says "You are not logged in or you are not a part of the RE department." when the code will actually not evaluate that way. Currently this will only be seen if they ARE logged in, but are not part of the RE department.
johnbran
Forum Newbie
Posts: 17
Joined: Tue Jul 16, 2002 8:18 pm

Post by johnbran »

Thank you soooo much for taking the time to respond to my post. Your status says you're a newbie...you seem so experienced....Hopefully I'll be that good soon. But I just got started with PHP about a month ago....Having big problems!!!! :cry:

I reviewed your suggestions carefully and they all have merit. However, I have checked them all out and it doesn't appear that they apply in my specific situation. BTW, I do have register_globals turned on, removed the erroneous If statement, tried opening/closing browser, and I tried putting session_start() at the beginning...No change!

As you suggested, I am echoing out $Rate_Class_Id and it is indeed 'RE'. Therefore I am allowed access to the page. However, when $Rate_Class_Id is 'LN' I am still allowed access to the page even though it is plainly echoed out that it's LN. This is so confusing. I have been working on this piece since last week.

Today I have tried the following code for my login form. It appears that my if statement, if($ValidDept=='RE'), is being ignored.

Code:

<?php

function login_form() {
	global $PHP_SELF;
?>

<HTML code here for form>

<?php
}

if(!isset($wu_Username)) {
	login_form();
	exit;
}
else {

	session_register("wu_Username","wu_Userpassword", "wu_FullName", "Rate_Class_Id", "ValidDept");

	$odbc_db=odbc_connect($odbc_dsn, $odbc_userid, $odbc_password);

	$query="SELECT wu_FullName, Rate_Class_Id FROM $user_tablename WHERE wu_Username='$wu_Username' AND wu_Userpassword='$wu_Userpassword'";

	if(!($odbc_rs=odbc_do($odbc_db, $query)))
		die ("Error executing query $query");

	$wu_FullName=odbc_result($odbc_rs, 1);
	$Rate_Class_Id=odbc_result($odbc_rs, 2);
	$ValidDept=$Rate_Class_Id;

	if($ValidDept=='RE') {
		session_unregister("ValidDept");
	}

	if(!$wu_FullName) {
		session_unset();

		echo "Authorization failed. ";
		exit;
	}

	else echo "Welcome, $wu_FullName! from $ValidDept <br>";
}
?>
And the page I would like to protect has the following code at the top:

Code:

<?php

@session_start();
if(session_is_registered("ValidDept")) {
	echo "<p>You are logged in as $wu_FullName $ValidDept.</p>";
	echo " Login is: $wu_Username, Name is: $wu_FullName, Password is: $wu_Userpassword, Dept is: $ValidDept";
	echo "The content of \$ValidDept is $ValidDept<br>";
	echo "The content of \$Rate_Class_Id is $Rate_Class_Id<br>";
?>

<HTML code here>

<?php
}
else
{
	echo " Login is: $wu_Username, Name is: $wu_FullName, Password is: $wu_Userpassword, Dept is: $ValidDept";
	echo "<p>You are not logged in or you are not a part of the RE department.</p>";
	echo "<p>Only logged in RE members may see this page.</p>";
}



Does any of this make sense to anyone? Because it surely doesn't to me. Basically I need the protected page to disallow access if $Rate_Class_Id is not = RE....and for some reason it allows everyone access regardless of $Rate_Class_Id...what am I doing wrong?
musashi
Forum Commoner
Posts: 39
Joined: Tue Jul 23, 2002 12:51 pm
Location: Santa Cruz - CA

Some more ideas

Post by musashi »

Wow, thanks for the compliments! :D

One thing I noticed in your code:

Code:

if($ValidDept=='RE') {
	session_unregister("ValidDept");
}
You have the session variable ValidDept being unregistered if it is equal to RE. This would mean that if it isn't equal to RE, the ValidDept variable will persist, and the next page where you check:

Code:

if(session_is_registered("ValidDept")) {

would then let any non-RE department through. I would also suggest doing your comparison a little differently. Try if(eregi("RE",$ValidDept)). It sounds odd, and I can't remember if PHP cares about the difference between ' and ", but some languages do.
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

I'll second Musashi's recommendation, as I've experienced some weirdness with the == for string comparison in PHP. I recommend stricmp() for simple comparison, and eregi() for more complex.
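To make the two problems discussed in this thread concrete (the else that binds to the inner if in the first protected page, and the gate that lets every non-RE session through because ValidDept is only unregistered for RE users), here is an added example written for this edit; it is not code from johnbran or the other posters. It reads the department from $_SESSION rather than from a global that register_globals would populate (musashi's point above), keeps the thread's key names wu_FullName and ValidDept, and uses a strict === comparison; the function names and the constructed sessions at the bottom are assumptions made for this example.

```php
<?php
// Added example, not the original poster's code. Session keys 'wu_FullName' and
// 'ValidDept' follow the thread; every function name here is an assumption.

// Correct gate: a session with a name must exist AND the department must be
// exactly 'RE'. Both conditions sit in one expression, so there is no dangling
// else, and === avoids loose string comparison.
function can_view_re_page(array $session): bool
{
    return isset($session['wu_FullName'], $session['ValidDept'])
        && $session['ValidDept'] === 'RE';
}

// The thread's first form: if(a) if(b) {...} else {...}. PHP attaches the else
// to the nearest if, so when $loggedIn is false neither branch runs and the
// "not logged in" message is never shown.
function dangling_else_branch(bool $loggedIn, bool $isRE): string
{
    $branch = 'none';
    if ($loggedIn)
        if ($isRE) { $branch = 'allow'; }
        else { $branch = 'deny'; }
    return $branch;
}

// The thread's second form: unregister ValidDept when it equals 'RE', then let
// the page through if the key still exists. Modelled on an array copy so it runs
// without a real session; the key survives for every non-RE user.
function unregister_on_re_gate(array $session): bool
{
    if (isset($session['ValidDept']) && $session['ValidDept'] == 'RE') {
        unset($session['ValidDept']);
    }
    return isset($session['ValidDept']);   // true means "let through"
}

// The protected page, using the correct gate. session_start() runs first,
// before any output, so the session cookie is read on every request.
function render_re_page(): void
{
    session_start();
    if (!can_view_re_page($_SESSION)) {
        http_response_code(403);
        echo "<p>Only logged in RE members may see this page.</p>";
        exit;
    }
    $name = htmlspecialchars($_SESSION['wu_FullName'], ENT_QUOTES, 'UTF-8');
    echo "<p>You are logged in as $name (RE).</p>";
}

// Constructed sessions for a quick self-check from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'RE user'    => ['wu_FullName' => 'Ann', 'ValidDept' => 'RE'],
        'LN user'    => ['wu_FullName' => 'Bob', 'ValidDept' => 'LN'],
        'no session' => [],
    ];
    foreach ($cases as $label => $s) {
        printf("%-11s correct gate=%s  unregister-on-RE gate=%s\n", $label,
            can_view_re_page($s) ? 'allow' : 'deny',
            unregister_on_re_gate($s) ? 'allow' : 'deny');
    }
    printf("dangling else with no session: branch=%s\n",
        dangling_else_branch(false, false));
}
```

Run it with `php gate.php`: the correct gate allows only the RE session; the unregister-on-RE gate does the opposite, denying the RE user and allowing the LN user, which is the behaviour johnbran saw; and with no session the dangling-else form returns "none", so neither message would have been printed on the first version of the protected page.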
johnbran
Forum Newbie
Posts: 17
Joined: Tue Jul 16, 2002 8:18 pm

Post by johnbran »

Thank You sooo much! I implemented your suggestions and voila! All is well!

This board has saved my butt again! I create database applications; therefore I have very limited web knowledge and zero php/asp, server-side scripting knowledge. About a month ago I was given a PHP book and was asked to create database-driven webpages...basically I was asked to perform miracles. Because all of the books out there are for MySQL and I'm using MS-SQL. But I am happy to say that thanks to this board I have been able to actually perform miracles. Again...thank you! :P
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Your status says you're a newbie...you seem so experienced....
Don't be fooled by the status under people's names, all that means is that they are new to this forum - it doesn't take into account anybody's actual experience with PHP.

Info about user definitions:
http://www.devnetwork.net/forums/viewtopic.php?t=368

Just wanted to get rid of the confusion, some of our newbies are blatantly very experienced :) .

Mac