Page 1 of 1

Help! Login script doesn't work with URL forwarding

Posted: Sun Mar 14, 2004 1:25 pm
by Black Unicorn
I have this problem where I have a login (CHAP authentication) that works wonders when login in from the IP address (80.176.130.49) but when I use the domain that points to this IP (eternalnexus.net), it doesn't work. It accepts the form data and validates properly and all, but for some reason, the session is not being registered, resulting in the login to re-appear indefinitely.

I have wreaked my brain over this, but can't for the life of me figure this one out. Has it got something to do with DNS? Can anybody help me?

Any advice is genuinely appreciated.

Sincerely,
H Rage

Re: Help! Login script doesn't work with URL forwarding

Posted: Sun Mar 14, 2004 1:46 pm
by TheBentinel.com
Black Unicorn wrote:I have this problem where I have a login (CHAP authentication) that works wonders when login in from the IP address (80.176.130.49) but when I use the domain that points to this IP (eternalnexus.net), it doesn't work. It accepts the form data and validates properly and all, but for some reason, the session is not being registered, resulting in the login to re-appear indefinitely.
Is it keeping the login information in a cookie? Maybe the cookie is getting dropped under one domain, but when the browser hits the new domain it isn't getting passed back?

Posted: Sun Mar 14, 2004 2:29 pm
by tsg
Is it possile that after you login and redirect to the success page, that you are using a full URL?

example, instead of ... header("location: logged_in_page.php"); you are doing something like header("location: http://mysite.com/logged_in_page.php");

Posted: Sun Mar 14, 2004 7:18 pm
by Black Unicorn
Thank you for your feedback.
I put a canonical URL into the form action, (the IP address, actually), which didn't yield any change. I will try the URL next, and see if that works ;)

The session is stored on the server, as far as I can tell. The login information reaches its destination so it's not a cookie problem. It's just when it reaches the part that says
session_register("username");
$_SESSION["username"] = $_POST["username"];
header("Location:wherever.blah");

The post data arrives, but simply is not attached to the session, even through the session_start() line is the first line on the page the script is redirecting to.
PhP does not produce any errors.
Any other ideas what it could be?

Posted: Sun Mar 14, 2004 7:24 pm
by tsg
If you can post your login code and you code contolling the protected pages (pages required log in) .. it might help detect your problem.

Posted: Sun Mar 14, 2004 7:38 pm
by Black Unicorn

Code: Select all

<?php
if (!isset($_SESSION&#1111;"clientID"]))&#123;
	if (IsSet($_POST&#1111;"auth"]))&#123;
		$log="<font color=green>Processing Login, please wait ...</font><br />\n";
		$domain = str_replace(" ","_",$_POST&#1111;"domain"]);
		$q = "select id,password,domain from auth_users where login='&#123;$_POST&#1111;"login"]&#125;' and domain='$domain'";
		$r = @mysql_query($q,$conn);
		if (!$r)&#123;die ("An error occurred processing your login. Please go back and try again. If this problem persists, please notify the administrator.");&#125;
		$d = @mysql_fetch_row($r);
		$comp_soup = md5($_POST&#1111;"key"].$d&#1111;1]);
		if ($comp_soup == $_POST&#1111;"auth"])&#123;
			$log.="<strong>CHAP authentication passed.</strong><br />Welcome to the Eternal Nexus Interface.<br />Your session credential is <strong>&#123;$_POST&#1111;"domain"]&#125;</strong>.<br />\n";
			$q = "select * from auth_users where login='&#123;$_POST&#1111;"login"]&#125;'";
			$d = mysql_fetch_array(mysql_query($q,$conn));
			if ($d&#1111;"skey"]==$_POST&#1111;"key"])&#123;
				die ("<br />This intrusion attempt has been added to the server log. Have a nice day.");
			&#125;
			$q = "update auth_users set skey='&#123;$_POST&#1111;"key"]&#125;' where id=&#123;$d&#1111;"id"]&#125;";
			$r = @mysql_query($q,$conn);
			if (!$r)&#123;die ("Ouch. $q");&#125;

			session_register("clientID");
			session_register("Identity");
			session_register("fullName");
			$_SESSION&#1111;"clientID"] = $d&#1111;"id"];
			$_SESSION&#1111;"Identity"] = $d&#1111;"domain"];
			$_SESSION&#1111;"fullName"] = $d&#1111;"fullname"];
			# ---------------------------------- XCC Built-in defaults: ----------
			session_register("serverPath");
			session_register("serverURL");
			session_register("serverRoot");
			session_register("clientPath");
			$_SESSION&#1111;"serverPath"] = "D:/Apache/Apache2/XCC/";
			$_SESSION&#1111;"serverURL"]  = $_POST&#1111;"server"];
			$_SESSION&#1111;"serverRoot"] = "D:/Apache/Apache2/";
			$_SESSION&#1111;"clientPath"] = "D:/Apache/Apache2/XCC/xweb/";
			# ---------------------------------- End XCC Built-in defaults -------
			if ($_SESSION&#1111;"Identity"]=="")&#123;die ("Fatal Error &#123;EA8-020-3AX&#125; - Session was refused. &#123;$_SERVER&#1111;"REMOTE_ADDR"]&#125; Entry logged. The Gatekeeper gave the following reason: <font color=red>"Identity unreachable."</font><br />\n<a href="&#123;$_SERVER&#1111;"PHP_SELF"]&#125;">Ok</a>");&#125;
			if (!IsSet($_POST&#1111;"server"]))&#123;$_SESSION&#1111;"serverURL"] = "http://80.176.130.49/";&#125;
			if ($_POST&#1111;"DEBUG"] == 1)&#123;die ($log);&#125;
			header("Location:&#123;$_SERVER&#1111;"PHP_SELF"]&#125;");
			die ("<!-- -->");
		&#125;
		else die ("<font color=red>Invalid login or password. </font>");
		mysql_close($conn);
	&#125;
&#125;
?>
At the end, where it says header("Location:{$_SERVER["PHP_SELF"]}"); is where it re-checkes for the session. When it doesn't find it (for whatever reason), it just presents you with the form again, and again ...

I didn't include the html form cauz of space restrictions, but all the form data is good.

Regards,
H Rage

Posted: Sun Mar 14, 2004 7:44 pm
by tsg
I am thinking this line is your problem ..
$_SESSION["serverURL"] = "http://80.176.130.49/";}

You said it worked on the IP but not on the domain.

What is being entered as : $_POST["server"] ?

Posted: Sun Mar 14, 2004 8:12 pm
by Black Unicorn
By default, the session carries the variable "http://80.176.130.49 because I figured it useful when using PHP to construct links. In case of an empty variable, it defaults on IP. I changed this to the full URL, to little avail.
I also changed the form action to the full URL which made matters worse by completely ignoring the $_POST data, I guess it's because if you aim it at the IP that forwards the address, the post data is getting lost en route. I changed this back to a relative URL because at least now, it reads the $_POST data.

I try to keep in mind that it still works when the IP address is entered in the address bar. Could it be that when using forwarding, I'm stuck on a different IP (e.g. the one that's being forwarded from)? If so, it might explain why the session isn't registered because the request isn't coming from localhost. Or am I talking out of my rear now ...

At least I have littered the script with debugging stuff, and as far as I can tell, the script does what it's supposed to up to the point where it apparently refuses to write a session variable. I also set up an account in mysql to accept connection requests from wherever (*.*). But I would have throught PhP would complain if it couldn't establish a session. Or maybe the problem isn't with PhP or MySQL, but with the browser?

Lost and despaired,
Rage