Hi all.
Here's my problem. I've got a website that requires certain pages be secure. So, what I've done is use the built in HTTP Authentication hook, and pop up a little box for the username and password. The trouble I'm having is that when I get the username and password from the box and validate said credentials, I can't get a session variable (the timeout) to stick. Here's my code.
Note: DB is a custom MySQL wrapper object. find_auth_group(), check_valid_credentials(), and randomID() are also custom functions.
Code: Select all
//***************************************************************************
// Function: authenticate
// Purpose: To determine if the current page is to be secure, and if so, require the login
// Params: page id, group id, DB connection
// Returns: nothing
//***************************************************************************
function authenticate($page_id,$gid,$DBSession)
{
session_start();
$required_groups = find_auth_group($page_id,$gid,$DBSession);
//if there are some access limitations
if(count($required_groups) != 0)
{
$DBSession = new DB();
$session_timeout = $_SESSION["timeout"];
//check if session has expired
if($session_timeout < time())
{
//check if they're re-authenticating
$logging_sid = $_SESSION["logging_sid"];
$query = "select * from loggingin where sid = '$logging_sid'";
$result = $DBSession->sql_query($query,"finding logging in sid");
//if sid exists, they're re-logging in, and have passed username and password
if($DBSession->count_rows($result) > 0)
{
//use username and password that have been set
$username = $_SERVER["PHP_AUTH_USER"];
$password = $_SERVER["PHP_AUTH_PW"];
$valid_credentials = check_valid_credentials($username,$password,$required_groups);
//update session timeout
if($valid_credentials)
{
$twenty_minutes_worth_of_seconds = 60 * 20;
//*******************************
//this line doesn't seem to want to work
//*******************************
$_SESSION["timeout"] = time() + $twenty_minutes_worth_of_seconds;
}
//remove the temporary sid from loggingin table
$logging_sid = $_SESSION["logging_sid"];
$query = "delete from loggingin where sid = '$logging_sid'";
$result = $DBSession->sql_query($query,"deleting logging in sid");
}//if logging in
//if sid doesn't exist, pop up box
else
{
$logging_sid = randomID(SIDLen);
$query = "insert into loggingin values('$logging_sid')";
$result = $DBSession->sql_query($query,'inserting logging sid');
header('WWW-Authenticate: Basic realm="Restricted Access Page"');
header('HTTP/1.0 401 Unauthorized');
echo <<<CANCELLED
This page requires that you login to view it.
<a href = "javascript:history.go(-1)">Go back</a>
CANCELLED;
exit();
}
}//if session has timed out
}//if there are access restrictions
}//authenticate function