Help with Sessions and Authentication
Posted: Mon Jul 22, 2002 7:01 pm
I have an authorization form where users type in their userid and password. The following code works fine for logins but when I try to access the protected pages...see even more code way below...the page isn't protected. Any ideas?
After the user logins in successfully and if he attempts to access a page that has the following code at the top they should not be allowed access if their Dept isn't RE but all users are able to access this page regardless of the Dept name. What am I doing wrong?
Code: Select all
<?php
include "./commonwebloan_db.inc";
$register_script="./register.php";
function auth_user($wu_Username, $wu_Userpassword) {
global $odbc_dsn;
global $odbc_userid;
global $odbc_password;
global $user_tablename;
global $PHP_SELF;
global $wu_FullName;
global $wu_Username;
global $wu_Userpassword;
global $Rate_Class_Id;
$odbc_db=odbc_connect($odbc_dsn, $odbc_userid, $odbc_password);
$query="SELECT wu_FullName, Rate_Class_Id FROM $user_tablename WHERE wu_Username='$wu_Username'
AND wu_Userpassword='$wu_Userpassword'";
if(!($odbc_rs=odbc_do($odbc_db, $query)))
die ("Error executing query $query");
$num_cols=odbc_num_fields($odbc_rs);
if($num_cols < 1) return 0;
else{
$wu_FullName=odbc_result($odbc_rs, 1);
$Rate_Class_Id=odbc_result($odbc_rs, 2);
}
}
function login_form() {
global $PHP_SELF;
global $wu_FullName;
global $wu_Username;
global $wu_Userpassword;
global $Rate_Class_Id;
?>
<HTML>
<HEAD>
<TITLE>Login</TITLE>
</HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<? echo $PHP_SELF ?>">
<DIV ALIGN="CENTER"><CENTER>
<H3>Please log in to access rates editing.</H3>
<TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
<TR>
<TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>UserName</TH>
<TD WIDTH="82%" NOWRAP>
<INPUT TYPE="TEXT" NAME="wu_Username" SIZE="8">
</TD>
</TR>
<TR>
<TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
<TD WIDTH="82%" NOWRAP>
<INPUT TYPE="PASSWORD" NAME="wu_Userpassword" SIZE="8">
</TD>
</TR>
<TR>
<TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
<INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
</TD>
</TR>
</TABLE>
</CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?
}
session_start();
if(!isset($wu_Username)){
login_form();
exit;
}
else{
$odbc_db=odbc_connect($odbc_dsn, $odbc_userid, $odbc_password);
$query="SELECT wu_FullName, Rate_Class_Id FROM $user_tablename WHERE wu_Username='$wu_Username' AND wu_Userpassword='$wu_Userpassword'";
if(!($odbc_rs=odbc_do($odbc_db, $query)))
die ("Error executing query $query");
$wu_FullName=odbc_result($odbc_rs, 1);
$Rate_Class_Id=odbc_result($odbc_rs, 2);
session_register("wu_Username","wu_Userpassword", "wu_FullName", "Rate_Class_Id");
if(!$wu_FullName){
session_unregister("wu_Username");
session_unregister("wu_Userpassword");
session_unregister("wu_FullName");
session_unregister("Rate_Class_Id");
echo "Authorization failed. " .
"You must enter a valid userid and password combination. " .
"Click on the following link to try again.<BR>\n";
echo "<A HREF="$PHP_SELF">Login</A><BR>";
echo "If you're not a user yet, contact " .
"BS to register.<BR>\n";
exit;
}
else echo "Welcome, $wu_FullName! from $Rate_Class_Id <br>";
echo "<A HREF="logout.php">Log Out</A><BR>";
}
?>After the user logins in successfully and if he attempts to access a page that has the following code at the top they should not be allowed access if their Dept isn't RE but all users are able to access this page regardless of the Dept name. What am I doing wrong?
Code: Select all
<?php
@session_start();
if(session_is_registered("wu_FullName"))
if($Rate_Class_Id=='RE'){
echo "<p>You are logged in as $wu_FullName $Rate_Class_Id.</p>";
echo "<p>Members only content goes here</p>";}
else
{
echo "<p>You are not logged in or you are not a part of the RE department.</p>";
echo "<p>Only logged in RE members may see this page.</p>";
}