how would i prompt user to provide log in info when they ...
crazytopu
- Forum Contributor
- Posts: 259
- Joined: Fri Nov 07, 2003 12:43 pm
- Location: London, UK
- Contact:
A question regarding a simple security issue, but I can't figure it out myself.
When my user provides a valid username and password, upon validation I am redirecting them (using the HTML <meta> tag) to the following page
http://localhost/ibcs/cmsadmin/index.php
But anybody who knows the full URL of the index.php can still bypass my login page and can easily mess around. I don't want to build a complete user management system, since all I need is to allow only a very few authorised users to have access to the admin panel (there would possibly be only 2 users at a time). Also, I don't want to use a server-side built-in security mechanism, i.e. Apache's HTTP authentication.
So, how do I prompt a user for login information when he tries to get direct access to the admin panel by copying the above URL into the address bar?
Thanks,
On index.php you could try something like this.
Code:
<?php
session_start();
if (!empty($_SESSION["valid_user"]) && $_SESSION["valid_user"] == "yes it is") {
    show_page(); // render the admin page
} else {
    header("Location: http://to.the.login.page");
    exit; // stop here: header() alone does not prevent the rest of the page from being sent
}
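An added example (not code from the thread) of the gate the reply above describes, written as a file to require_once at the very top of index.php and every other admin page; the file name, the constant and the login path are assumptions. It also refuses to start a session when session.save_path is unwritable, which is the condition behind the warnings posted further down in this thread.

```php
<?php
// auth_guard.php (assumed name): added example, not code from the thread.
// require_once it as the very first line of index.php and every other admin
// page, before any HTML, so session_start() and header() run before output.
// Assumes the login page sets $_SESSION['user'] (as in the thread) and lives
// at the assumed path below.
define('LOGIN_URL', '/ibcs/cmsadmin/login.php'); // assumed location of the login form

// The warnings seen later in the thread come from a session.save_path ("/tmp")
// that does not exist on Windows; the warning text is itself output, which then
// breaks every header() call. Check the directory before touching the session.
function session_storage_ok() {
    $path = ini_get('session.save_path');
    if ($path === false || $path === '') {
        $path = sys_get_temp_dir();           // PHP's fallback when unset
    }
    // save_path may be written as "N;MODE;/dir"; keep only the directory part
    if (preg_match('/;([^;]*)$/', $path, $m)) {
        $path = $m[1];
    }
    return is_dir($path) && is_writable($path);
}

function require_login() {
    if (!session_storage_ok()) {
        // Fail closed: an admin page must not render when logins cannot be persisted.
        header('HTTP/1.1 503 Service Unavailable');
        exit('Session storage is not writable; check session.save_path in php.ini');
    }
    session_start();
    if (empty($_SESSION['user'])) {
        // header() does not stop the script: without exit, the HTML of the admin
        // page below would still be sent to the unauthenticated client.
        header('Location: ' . LOGIN_URL, true, 303);
        exit;
    }
}

require_login();
```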
crazytopu
Would anybody be able to tell me why I am getting all these error messages when I run the following script? I have no other PHP or HTML code in the script.
This is my session.php file
<?php
session_start();
$counter++;
print "You have visited this page $counter times during this session";
session_register("counter");
?>
And here go all the error messages:
Warning: session_start(): open(/tmp\sess_c5b6e6b921de78963548d301a65bc7a5, O_RDWR) failed: No such file or directory (2) in c:\program files\apache group\apache\htdocs\session.php on line 2
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at c:\program files\apache group\apache\htdocs\session.php:2) in c:\program files\apache group\apache\htdocs\session.php on line 2
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at c:\program files\apache group\apache\htdocs\session.php:2) in c:\program files\apache group\apache\htdocs\session.php on line 2
You have visited this page 1 times during this session
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0
Warning: Unknown(): open(/tmp\sess_c5b6e6b921de78963548d301a65bc7a5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
I think the answer lies in this warning
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3.
You use session_register(), but you should do it like this:
Code:
<?php
session_start();
// check that the value exists before using it, otherwise start from zero
$counter = isset($_SESSION["counter"]) ? $_SESSION["counter"] : 0;
$counter++;
print "You have visited this page $counter times during this session";
$_SESSION["counter"] = $counter;
crazytopu
No, it is still giving me the same kind of error messages after I tried your code. I am using PHP 4.3.4 win32.
I am suspecting it's a problem with my PHP package, so I have downloaded a newer version (5.0.4 win32). It should solve my problem, shouldn't it?
Do I have to do anything extra in the php.ini file, like changing any configuration details, to allow my session to work properly? I guess not.
Okay guys, if you have come across the same problem before and somehow solved it, do let me know the solution, so I could sort that out as well.
crazytopu
I've fixed up everything except the little problem below:
-> Let's say the given username and password are correct, and upon validation I want to redirect them. I used the meta tag of HTML, and it's doing the job fine, but on the redirected page the session variable is not being recognised. So, I guess this is not the best approach.
So, I thought of using header instead of the meta tag. My code looks something like:
Code:
// after the correct username and password are supplied
$_POST['user_name'] = stripslashes($_POST['user_name']);
$_SESSION['user'] = $_POST['user_name'];
$_SESSION['pass'] = $_POST['password']; // the session only needs the identity; keeping the password here is unnecessary
header("Location: http://localhost/ibcs/cmsadmin/index.php");
exit; // header() does not end the script on its own
But that is producing the nasty errors which read: header information has already been sent out. I understand that is because headers have to be the very first thing generated/sent by my PHP script. As soon as the first line of HTML has been generated and sent, it's too late to send headers. My concept is clear, right?
Now, how would I redirect to index.php upon validation? I can't just send header information at the very beginning because I haven't got the user input yet.
Do I make any sense?
Simply put, how would you redirect your page when you have some logic to be validated beforehand?
- n00b Saibot
- DevNet Resident
- Posts: 1452
- Joined: Fri Dec 24, 2004 2:59 am
- Location: Lucknow, UP, India
- Contact:
Just a little example of how I do it
Code:
<?php
session_start();
$name = '';
$pass = '';
$info = '';
if (isset($_POST['name']) && isset($_POST['pass'])):
    $name = $_POST['name'];
    $pass = $_POST['pass'];
    if (credentials_ok($name, $pass)) // placeholder for your own check: true when name & pass are correct
    {
        $_SESSION['user'] = $name;
        header('Location: index.php');
        exit; // nothing after a redirect should run or be output
    }
    else $info = 'Username/Password Incorrect!';
endif;
?>
<form action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>" method="POST">
Name : <input name="name" type="text"><br />
Pass : <input name="pass" type="password"><br />
<input type="submit" value="Login">
</form>
crazytopu
I did the same thing, didn't I? But why am I getting the same error again and again?
Code:
<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>IBCS WEB ADMIN PANEL</title>
<link rel="stylesheet" type="text/css" href="../admin.css">
<script language="javascript" type="text/javascript">
function validateForm(form)
{
    if (form.user_name.value == "")
    {
        alert("Please type a user id");
        return false;
    }
    if (form.password.value == "")
    {
        alert("Please type a password");
        return false;
    }
    return true;
}
</script>
</head>
<body>
<div id="container">
<h6 class="center">WEB SITE ADMIN PANEL </h6>
<div id="contentBody">
<a class="adminLink" href="index.php"> Admin Home </a> <br>
<div id="box1">
<?php
/* database connect script. */
require_once ('../includes/DbConnector.php');
$connector = new DbConnector();
if (isset($_POST['submit']))
{
    // if form has been submitted
    // authenticate.
    if (!get_magic_quotes_gpc()) {
        $_POST['user_name'] = addslashes($_POST['user_name']);
    }
    $check = "SELECT user_name, password FROM user WHERE user_name = '".$_POST['user_name']."'";
    $result = $connector->query($check);
    $num_row = mysql_num_rows($result);
    if ($num_row) {
        $row = mysql_fetch_array($result);
        // check passwords match
        $_POST['password'] = stripslashes($_POST['password']);
        $row['password'] = stripslashes($row['password']);
        $_POST['password'] = md5($_POST['password']);
        if ($_POST['password'] == $row['password']) {
            $date = date('d,m,y');
            $update_login = mysql_query("UPDATE user SET last_login = '$date' WHERE user_name = '".$_POST['user_name']."'");
            $_POST['user_name'] = stripslashes($_POST['user_name']);
            $_SESSION['user'] = $_POST['user_name'];
            $_SESSION['pass'] = $_POST['password'];
            // the HTML above has already been sent at this point, so this header is too late
            header("Location: http://localhost/ibcs/cmsadmin/index.php");
            exit;
        }
        else {
            die('Incorrect password, please try again.');
        }
    }
} else {
?>
<form action="userLogin.php" method="post" name="form" onSubmit="return validateForm(this);">
<center>
<table width="250" border="1" cellspacing="0" cellpadding="4" bordercolor="#000000" bordercolordark="#000000" bordercolorlight="#000000" bgcolor="#FFFFFF" style="border-collapse: collapse" height="158">
<tr>
<td class="updatecontent" height="75">
<table border="0" width="100%">
<tr>
<td width="50%"><b>Member ID</b></td>
<td width="50%"><input type="text" name="user_name" maxlength="40"></td>
</tr>
<tr>
<td width="50%"><b>Password</b></td>
<td width="50%">
<input type="password" name="password" maxlength="50">
</td>
</tr>
</table>
</td></tr>
<tr><td class="updatefooter" height="63">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</center>
</form>
<?php
} //end if
?>
</div> <!-- box1-->
</div> <!-- contentBody-->
</div> <!-- container -->
</body>
</html>
# example, haven't checked it.. just a draft
Code:
<?php
function _check_user( $usrN, $usrP ) {
    # do your queries ... select where ... $usrN, $usrP; and put the outcome in $result
    if (!$result) {
        return false;
    } else {
        return true;
    }
}
On the main page, or wherever you have the validation part:
<?php if ($user_check == false) { ?>
<script type="text/javascript">
location.href = "wherever.php";
</script>
<?php } else {
    # do something else
} ?>
n00b Saibot
Yeah! That's the point, crazytopu. As soon as you output something, there remains no meaning for the headers you send afterwards. Simply place all the validation code at the top of your page. That's it.
phpScott wrote: you haven't done the same thing.
As soon as your script gets to line 4, the headers are set and your redirect is doomed.
Take your PHP code that deals with the headers and put it at the top of your script. Do the checking to see if a redirect is needed before you get to your <doctype> tag.
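An added login page (not crazytopu's, n00b Saibot's or phpScott's code) showing the ordering described above: every branch that may call header() runs before the doctype, and output starts only once no redirect can happen. The db.php include that defines $pdo, the table "user" with columns user_name and password_hash, and PHP >= 5.5 for password_verify() are assumptions.

```php
<?php
// login.php: added example, not the thread's own code. Everything that may
// call header() runs before the first byte of HTML; output starts only after
// no redirect can happen any more. Assumes: db.php defines a PDO handle $pdo
// (assumed), and a table "user" with columns user_name and password_hash
// where the hash was produced by password_hash() (PHP >= 5.5).
require_once 'db.php';               // assumed: provides $pdo
session_start();

function lookup_user(PDO $pdo, $name) {
    // Prepared statement instead of addslashes()/magic-quotes string building
    $stmt = $pdo->prepare('SELECT user_name, password_hash FROM user WHERE user_name = ?');
    $stmt->execute(array($name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$error = '';
if (isset($_POST['user_name'], $_POST['password'])) {
    $user = lookup_user($pdo, $_POST['user_name']);
    // Verify against a stored hash rather than comparing md5() output to a column
    if ($user !== null && password_verify($_POST['password'], $user['password_hash'])) {
        session_regenerate_id(true);            // fresh session id once privilege changes
        $_SESSION['user'] = $user['user_name']; // keep the identity only, never the password
        header('Location: /ibcs/cmsadmin/index.php', true, 303);
        exit;                                   // header() alone does not stop the script
    }
    $error = 'Incorrect username or password.'; // one message for both failure cases
}
// Only from here on does the script produce output.
?>
<!DOCTYPE html>
<html>
<head><title>IBCS WEB ADMIN PANEL</title></head>
<body>
<?php if ($error !== ''): ?>
<p><?php echo htmlspecialchars($error); ?></p>
<?php endif; ?>
<form action="login.php" method="post">
  Member ID <input type="text" name="user_name" maxlength="40"><br>
  Password <input type="password" name="password" maxlength="50"><br>
  <input type="submit" name="submit" value="Login">
</form>
</body>
</html>
```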
crazytopu
Code:
require_once ('../includes/DbConnector.php');
Is this meant to be like that?