how would i prompt user to provide log in info when they ...

crazytopu
Forum Contributor
Posts: 259
Joined: Fri Nov 07, 2003 12:43 pm
Location: London, UK


Post by crazytopu »

A question regarding a simple security issue, but I can't figure it out myself.


When my user provides a valid username and password, upon validation I am redirecting them (using an HTML <meta> tag) to the following page

http://localhost/ibcs/cmsadmin/index.php

But anybody who knows the full URL of index.php can still bypass my login page and can easily mess around. I don't want to build a complete user management system, since all I need is to allow only a very few authorised users to have access to the admin panel (there would possibly be only 2 users at a time). Also, I don't want to use the server-side built-in security mechanism, i.e. Apache's HTTP authentication.


So, how do I prompt a user for login information when he tries to get direct access to the admin panel by copying the above URL into the address bar?

Thanks,
wwwapu
Forum Contributor
Posts: 197
Joined: Wed Apr 07, 2004 11:57 am
Location: Turku, Finland

Post by wwwapu »

On index.php you could try something like this.

Code:

session_start();
if (!empty($_SESSION["valid_user"]) && $_SESSION["valid_user"] == "yes it is") {
    show_page();
} else {
    header("Location: http://to.the.login.page");
    exit; // stop here, or the rest of the page is still sent after the redirect header
}
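A fuller version of that guard, as an added example rather than wwwapu's code: it lives in its own file that index.php and every other admin page include as their very first line, it expires idle sessions, and it stops the script after the redirect. The file name, the session keys and the idle limit are assumptions.

```php
<?php
// auth_check.php: include as the very first thing in index.php and every other
// admin page, before any HTML or even a blank line is sent.
// Added example; file name, session keys and the idle limit are assumptions.
session_start();

define('ADMIN_IDLE_LIMIT', 1800);           // seconds of inactivity before re-login
define('ADMIN_LOGIN_URL', 'http://localhost/ibcs/cmsadmin/userLogin.php');

// Returns true only when the login script has marked this session as
// authenticated and it has not sat idle longer than ADMIN_IDLE_LIMIT.
function admin_session_is_valid()
{
    if (empty($_SESSION['user']) || empty($_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > ADMIN_IDLE_LIMIT) {
        return false;                        // stale: force a fresh login
    }
    return true;
}

if (!admin_session_is_valid()) {
    $_SESSION = array();                     // drop whatever stale state exists
    session_destroy();
    header('Location: ' . ADMIN_LOGIN_URL);
    exit;   // without this the protected page body is still sent after the header
}
$_SESSION['last_seen'] = time();             // slide the idle window on every hit
```

A direct request for index.php then bounces to the login form unless the session was established by the login script; the include must sit at the top of every script the admin panel links to, not only index.php.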
crazytopu

Post by crazytopu »

Would anybody be able to tell me why I am getting all these error messages when I run the following script? I have no other PHP or HTML code in the script.


This is my session.php file:

Code:

<?php
session_start();
$counter++;
print "You have visited this page $counter times during this session";
session_register("counter");
?>

and here are all the error messages:

Code:

Warning: session_start(): open(/tmp\sess_c5b6e6b921de78963548d301a65bc7a5, O_RDWR) failed: No such file or directory (2) in c:\program files\apache group\apache\htdocs\session.php on line 2

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at c:\program files\apache group\apache\htdocs\session.php:2) in c:\program files\apache group\apache\htdocs\session.php on line 2

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at c:\program files\apache group\apache\htdocs\session.php:2) in c:\program files\apache group\apache\htdocs\session.php on line 2
You have visited this page 1 times during this session
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

Warning: Unknown(): open(/tmp\sess_c5b6e6b921de78963548d301a65bc7a5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
wwwapu

Post by wwwapu »

I think the answer lies in this warning:
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3.

You use session_register(), but you should do it like this:

Code:

session_start();
// check that the counter exists before using it, otherwise start from zero
$counter = isset($_SESSION["counter"]) ? $_SESSION["counter"] : 0;
$counter++;
print "You have visited this page $counter times during this session";
$_SESSION["counter"] = $counter;
crazytopu

Post by crazytopu »

No, it is still giving me the same kind of error messages after I tried your code. I am using PHP 4.3.4 win32.

I suspect it's a problem with my PHP package, so I have downloaded a newer version (5.0.4 win32). It should solve my problem, shouldn't it?

Do I have to do anything extra in the php.ini file, like changing any configuration details, to allow my session to work properly? I guess not.

Okay guys, if you have come across the same problem before and somehow solved it, do let me know the solution, so I could sort that out as well :)
crazytopu

Post by crazytopu »

I've fixed up everything except the little problem below:

Let's say the given username and password are correct, and upon validation I want to redirect them. I used the HTML meta tag, and it's doing the job fine, but on the redirected page the session variable is not being recognised. So, I guess this is not the best approach.

So, I thought of using header instead of the meta tag. My code looks something like:

Code:

//after correct username and password are supplied
$_POST['user_name'] = stripslashes($_POST['user_name']);
$_SESSION['user'] = $_POST['user_name'];
$_SESSION['pass'] = $_POST['password'];

header("Location: http://localhost/ibcs/cmsadmin/index.php");
exit; // stop the script once the redirect header is sent
But that is producing the nasty errors which read that header information has already been sent out. I understand that is because headers have to be the very first thing generated/sent by my PHP script. As soon as the first line of HTML has been generated and sent it's too late to send headers. My concept is clear, right?

Now, how would I redirect to index.php upon validation? I can't just send header information at the very beginning because I haven't got the user input yet.

Do I make any sense?

Simply put this way, how would you redirect your page when you have some logic to be validated beforehand?
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

Just a little example of how I do it

Code:

<?php
session_start();
$name = '';
$pass = '';
$info = '';
if (isset($_POST['name']) && isset($_POST['pass'])):
  $name = $_POST['name'];
  $pass = $_POST['pass'];
  $credentials_ok = false; /* replace with your own check that name & pass are correct... */
  if ($credentials_ok)
   {
    $_SESSION['user'] = $name; // was $user, which is never defined
    header('Location: index.php');
    exit; // nothing after the redirect header should run
   }
  else $info = 'Username/Password Incorrect!';
endif;
?>
<?php if ($info != '') echo htmlspecialchars($info); ?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
Name : <input name="name" type="text"><br />
Pass : <input name="pass" type="password"><br />
<input type="submit" value="Login">
</form>
crazytopu

Post by crazytopu »

I did the same thing, didn't I? But why am I getting the same error again and again?

Code:

<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
<title>IBCS WEB ADMIN PANEL</title>
<link rel="stylesheet" type="text/css" href="../admin.css"> 

<script language="javascript" 
  type="text/javascript">

function validateForm(form)
{
  if (document.form.user_name.value == "")
  {
    alert("Please type a user id");
    return false;
  }

  if (document.form.password.value == "")
  {
    alert("Please type a password");
    return false;
  }

  return true;
}
 
</script>


</head>
<body>
<div id="container">
<h6 class="center">WEB SITE ADMIN PANEL </h6>
<div id="contentBody">
<a class ="adminLink" href="index.php"> Admin Home </a> <br>

<div id="box1">


<?php

/* database connect script. */
require_once ('../includes/DbConnector.php');

$connector = new DbConnector();

if (isset($_POST['submit']))
{
// if form has been submitted
// authenticate.
// undo magic quotes if they are on, so the raw values are escaped exactly once below
$user_name = get_magic_quotes_gpc() ? stripslashes($_POST['user_name']) : $_POST['user_name'];
$password  = get_magic_quotes_gpc() ? stripslashes($_POST['password'])  : $_POST['password'];
// escape for the query only; the unescaped user name is what goes into the session
$check = "SELECT user_name, password FROM user WHERE user_name = '".mysql_real_escape_string($user_name)."'";
$result = $connector->query($check);
$num_row = mysql_num_rows($result);
if ($num_row) {
$row = mysql_fetch_array($result);
// check passwords match
$row['password'] = stripslashes($row['password']);
$password = md5($password);

if ($password == $row['password']){ // was $info['password'], which is never set

$date = date('d,m,y');
$update_login = mysql_query("UPDATE user SET last_login = '$date' WHERE user_name = '".mysql_real_escape_string($user_name)."'");
$_SESSION['user'] = $user_name;
$_SESSION['pass'] = $password;
header("Location: http://localhost/ibcs/cmsadmin/index.php");
exit;
}
else {
die('Incorrect password, please try again.');
}

}

}else {

?>


<form action="userLogin.php" method="post" name="form"
onSubmit="return validateForm(form);">
        <center> 
        <table width="250" border="1" cellspacing="0" cellpadding="4" bordercolor="#000000" bordercolordark="#000000" bordercolorlight="#000000" bgcolor="#FFFFFF" style="border-collapse: collapse" height="158"> 
        <tr> 
        <td class="updatecontent" height="75">
          <table border="0" width="100%">
            <tr>
              <td width="50%"><b>Member ID</b></td>
              <td width="50%"><input type="text" name="user_name" maxlength="40"></td>
            </tr>
            <tr>
              <td width="50%"><b>Password</b></td>
              <td width="50%"> 
        <input type="password" name="password" maxlength="50"> 
              </td>
            </tr>
          </table>
        </td></tr> 
        <tr><td class="updatefooter" height="63"> 
        <input type="submit" name="submit" value="Login"> 
        </td></tr> 
        </table> 
        </form> 

<?php

}//end if

?>
        

</div> <!-- box1-->
</div> <!-- contentBody-->
</div> <!-- container -->
</body>
</html>
ol4pr0
Forum Regular
Posts: 926
Joined: Thu Jan 08, 2004 11:22 am
Location: ecuador

Post by ol4pr0 »

# example, haven't checked it.. just a draft :)

Code:

function _check_user( $usrN, $usrP ) {
 # do your queries ... select where ... $usrN, $usrP; and put the outcome in $result
 if (!$result) {
  return false;
 } else {
  return true;
 }
}


on main page or wherever you have the validation part.

$user_check = _check_user($usrN, $usrP);
if ($user_check == false) {?>
 <script type="text/javascript">
 location.href = "whereever.php"; // location.redirect() does not exist in browsers
 </script>
 <?php } else {
 # do something else
}
?>
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

You haven't done the same thing.
As soon as your script gets to line 4, the headers are set and your redirect is doomed.

Take your PHP code that deals with the headers and put it at the top of your script. Do the checking to see if a redirect is needed before you get to your <doc type> tag.
n00b Saibot

Post by n00b Saibot »

phpScott wrote:
You haven't done the same thing.
As soon as your script gets to line 4, the headers are set and your redirect is doomed.

Take your PHP code that deals with the headers and put it at the top of your script. Do the checking to see if a redirect is needed before you get to your <doc type> tag.

Yeah! That's the point, crazytopu. As soon as you output something, there remains no meaning for the headers you send afterwards. Simply place all the validation code at the top of your page. That's it!
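The layout both replies describe, as an added example rather than any poster's script: userLogin.php with every check and the redirect done before the first byte of HTML, plus a headers_sent() call that reports where stray output began if the redirect still fails. It assumes the thread's DbConnector include and its `user` table with a user_name and an md5 password column (kept only to match the thread; a salted hash via crypt() is preferable), and uses the PHP 4/5 mysql_* functions the thread uses.

```php
<?php
// userLogin.php: all validation and the redirect happen here, before any output.
// Added example, not the poster's script; DbConnector and the `user` table with
// an md5 password column are assumptions taken from the thread.
session_start();
require_once '../includes/DbConnector.php';

$info = '';
if (isset($_POST['submit'])) {
    $name = isset($_POST['user_name']) ? $_POST['user_name'] : '';
    $pass = isset($_POST['password'])  ? $_POST['password']  : '';
    if (get_magic_quotes_gpc()) {            // undo magic quotes; escape ourselves below
        $name = stripslashes($name);
        $pass = stripslashes($pass);
    }
    $connector = new DbConnector();
    $sql = "SELECT password FROM user WHERE user_name = '"
         . mysql_real_escape_string($name) . "'";
    $result = $connector->query($sql);
    $row = $result ? mysql_fetch_assoc($result) : false;

    if ($row && $row['password'] === md5($pass)) {
        session_regenerate_id();             // fresh id on login: blocks session fixation
        $_SESSION['user'] = $name;
        $_SESSION['last_seen'] = time();
        if (headers_sent($file, $line)) {    // explains any "headers already sent" error
            die("Cannot redirect: output already started in $file on line $line");
        }
        header('Location: http://localhost/ibcs/cmsadmin/index.php');
        exit;                                // never let the form below be sent too
    }
    // One message for unknown user and wrong password alike; no hint which.
    $info = 'Incorrect username or password.';
}
// Nothing above has printed anything, so HTML may start now.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>IBCS WEB ADMIN PANEL</title></head>
<body>
<?php if ($info !== '') echo '<p>' . htmlspecialchars($info) . '</p>'; ?>
<form action="userLogin.php" method="post">
  Member ID: <input type="text" name="user_name" maxlength="40"><br>
  Password: <input type="password" name="password" maxlength="50"><br>
  <input type="submit" name="submit" value="Login">
</form>
</body></html>
```

If the die() fires naming an included file rather than this script, that include is producing output itself, typically whitespace or a newline after its closing ?> tag or a byte-order mark at the top of the file.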
crazytopu

Post by crazytopu »

Code:

require_once ('../includes/DbConnector.php');
That is the only line that is stopping me from redirecting the page. As you both have pointed out, I've placed all the validation code at the top of the page. But still I am receiving the same error message. I played around with the code a bit by placing the above line of code elsewhere and finally what I saw is: if I try to redirect the page after that require_once line, I get the error, or else I don't.

Is this meant to be like that?