
How would I prompt a user to provide login info when they ...

Posted: Sat Apr 23, 2005 5:37 am
by crazytopu
A question regarding a simple security issue, but I can't figure it out myself.


When my user provides a valid username and password, upon validation I am redirecting them (using an HTML <meta> tag) to the following page:

http://localhost/ibcs/cmsadmin/index.php

But anybody who knows the full URL of index.php can still bypass my login page and easily mess around. I don't want to build a complete user management system, since all I need is to allow only a very few authorised users to have access to the admin panel (there would possibly be only 2 users at a time). Also, I don't want to use the server-side built-in security mechanism, i.e. Apache's HTTP authentication.


So, how do I prompt a user for login information when he tries to get direct access to the admin panel by copying the above URL into the address bar?

Thanks,

Posted: Sat Apr 23, 2005 8:11 am
by wwwapu
On index.php you could try something like this.

Code:

<?php
session_start();
if (!empty($_SESSION["valid_user"]) && $_SESSION["valid_user"] == "yes it is") {
    show_page();
} else {
    header("Location: http://to.the.login.page");
    exit; // stop here, otherwise the protected page is still sent after the redirect header
}
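
The check above carried through as an added example (not code from the post or from the IBCS project): one include, auth.php, that every page under cmsadmin/ requires as its very first statement, the protected index.php that uses it, and the logout page that pairs with it. The file names, the 'user' session key and the 30-minute idle timeout are assumptions for the illustration; session_status() needs PHP 5.4 or newer. The detail that matters most for security is the exit after header(): a Location header is only a suggestion to the client, and without exit PHP goes on to generate and send the protected HTML to a client that chooses to ignore it.

```php
<?php
// auth.php -- added example, not code from the thread.
// require_once this before ANY output: no HTML, no blank line, no BOM before <?php.

function require_login()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $logged_in = !empty($_SESSION['user']);

    // Idle timeout (assumed 30 minutes): an abandoned admin session expires.
    if ($logged_in && isset($_SESSION['last_seen'])
            && time() - $_SESSION['last_seen'] > 1800) {
        $logged_in = false;
    }

    if (!$logged_in) {
        $_SESSION = array();
        session_destroy();
        header('Location: login.php');
        // Without exit, everything below the check in the calling page is still
        // generated and sent; the redirect is a hint the client may ignore.
        exit;
    }

    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}
?>
<?php
// index.php -- the admin panel. The require_once is the first line of the file.
require_once __DIR__ . '/auth.php';
$user = require_login();
?>
<!DOCTYPE html>
<html>
<head><title>IBCS WEB ADMIN PANEL</title></head>
<body>
<p>Logged in as <?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>.
   <a href="logout.php">Log out</a></p>
</body>
</html>
<?php
// logout.php -- destroy the session and its cookie, then return to the login form.
session_start();
$_SESSION = array();
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
header('Location: login.php');
exit;
```

Put the three files next to a login.php that sets $_SESSION['user'] and serve the directory with `php -S localhost:8000`: requesting index.php without a session returns a 302 to login.php and nothing else, which is the behaviour the original question asks for.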

Posted: Sat Apr 23, 2005 10:11 am
by crazytopu
Would anybody be able to tell me why I am getting all these error messages when I run the following script? I have no other PHP or HTML code in the script.


This is my session.php file:

Code:

<?php
session_start();
$counter++;
print "You have visited this page $counter times during this session";
session_register("counter");
?>

And here are all the error messages:

Code:

Warning: session_start(): open(/tmp\sess_c5b6e6b921de78963548d301a65bc7a5, O_RDWR) failed: No such file or directory (2) in c:\program files\apache group\apache\htdocs\session.php on line 2

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at c:\program files\apache group\apache\htdocs\session.php:2) in c:\program files\apache group\apache\htdocs\session.php on line 2

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at c:\program files\apache group\apache\htdocs\session.php:2) in c:\program files\apache group\apache\htdocs\session.php on line 2
You have visited this page 1 times during this session
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

Warning: Unknown(): open(/tmp\sess_c5b6e6b921de78963548d301a65bc7a5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Posted: Sat Apr 23, 2005 10:43 am
by wwwapu
I think the answer lies in this warning:
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3.

You use session_register(), but you should do it like this:

Code:

<?php
session_start();
// check that the counter exists before using it (it does not on the first visit)
$counter = isset($_SESSION["counter"]) ? $_SESSION["counter"] : 0;
$counter++;
print "You have visited this page $counter times during this session";
$_SESSION["counter"] = $counter;

Posted: Sat Apr 23, 2005 11:12 pm
by crazytopu
No, it is still giving me the same kind of error messages after I tried your code. I am using PHP 4.3.4 win32.

I suspect it's a problem with my PHP package, so I have downloaded a newer version (5.0.4 win32). It should solve my problem, shouldn't it?

Do I have to do anything extra in the php.ini file, like changing any configuration details, to allow my sessions to work properly? I guess not.

Okay guys, if you have come across the same problem before and somehow solved it, do let me know the solution, so I can sort that out as well :)
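
The warnings quoted earlier all come from PHP failing to open /tmp\sess_...: with the default "files" handler, session.save_path must name a directory that exists and that the web server account can write to, and /tmp rarely exists on a Windows machine. As an added check (not from the thread), this script reports that condition in one line before session_start() instead of letting the cascade of warnings leak into the page (where, being output, they also break any later header() call). The ini_set() fallback and the sample Windows path are assumptions for the illustration; sys_get_temp_dir() needs PHP 5.2.1 or newer.

```php
<?php
// session_check.php -- added example, not code from the thread.
// Verifies the directory the "files" session handler writes to, and returns a
// single diagnostic string instead of PHP's cascade of warnings.

function session_dir_problem($save_path = null)
{
    if ($save_path === null) {
        $save_path = ini_get('session.save_path');
    }
    // php.ini also accepts "N;/path" and "N;MODE;/path" (directory-depth
    // prefixes); keep only the path part.
    $semi = strrpos($save_path, ';');
    if ($semi !== false) {
        $save_path = substr($save_path, $semi + 1);
    }
    if ($save_path === '') {
        $save_path = sys_get_temp_dir();   // what PHP itself falls back to
    }
    if (!is_dir($save_path)) {
        return "session.save_path \"$save_path\" does not exist";
    }
    if (!is_writable($save_path)) {
        return "session.save_path \"$save_path\" is not writable by the web server user";
    }
    return null;   // no problem found
}

$problem = session_dir_problem();
if ($problem !== null) {
    // Either fix php.ini (for example session.save_path = "C:\php\sessions" on
    // Windows; the path is an assumption) or override it for this application.
    ini_set('session.save_path', sys_get_temp_dir());
    $problem = session_dir_problem();
    if ($problem !== null) {
        die("Cannot start sessions: $problem");
    }
}
session_start();
```

Running it on the setup whose warnings are quoted above would report that "/tmp" does not exist, which is the php.ini change the question is asking about: point session.save_path at a real directory and restart Apache so the new value is read.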

Posted: Wed Apr 27, 2005 11:00 am
by crazytopu
I've fixed up everything except the little problem below:

Let's say the given username and password are correct, and upon validation I want to redirect them. I used the HTML meta tag, and it's doing the job fine, but on the redirected page the session variable is not being recognised. So, I guess this is not the best approach.

So, I thought of using header() instead of the meta tag. My code looks something like:

Code:

// after the correct username and password are supplied
$_POST['user_name'] = stripslashes($_POST['user_name']);
$_SESSION['user'] = $_POST['user_name'];
$_SESSION['pass'] = $_POST['password'];

header("Location: http://localhost/ibcs/cmsadmin/index.php");
exit; // nothing after a redirect should be sent
But that is producing the nasty error which reads "headers already sent". I understand that is because headers have to be the very first thing generated/sent by my PHP script. As soon as the first line of HTML has been generated and sent it's too late to send headers. My concept is clear, right?

Now, how would I redirect to index.php upon validation? I can't just send the header information at the very beginning because I haven't got the user input yet.

Do I make any sense?

Simply put, how would you redirect your page when you have some logic to be validated beforehand?

Posted: Wed Apr 27, 2005 11:19 am
by n00b Saibot
Just a little example of how I do it

Code:

<?php
session_start();
$name = '';
$pass = '';
$info = '';
if (isset($_POST['name']) && isset($_POST['pass'])):
  $name = $_POST['name'];
  $pass = $_POST['pass'];
  // replace this with your own check of $name and $pass against the user table
  $credentials_ok = false;
  if ($credentials_ok)
   {
    $_SESSION['user'] = $name;   // was $user, which is never set
    header('Location: index.php');
    exit;                        // stop here; otherwise the form below is still sent
   }
  else $info = 'Username/Password Incorrect!';
endif;
?>
<?php // PHP_SELF is escaped: it can carry attacker-controlled path text into the page ?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
<?php if ($info !== '') echo '<p>', htmlspecialchars($info), '</p>'; ?>
Name : <input name="name" type="text"><br />
Pass : <input name="pass" type="password"><br />
<input type="submit" value="Login">
</form>
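
A complete login page in the same shape as the post above, as an added example (not the poster's code and not the IBCS project's): every branch that may call header() runs before the first byte of HTML, the query is a prepared statement so the user name never reaches the SQL text, the stored hash is checked with password_verify(), and the session id is regenerated at login. The DSN and database credentials, the table layout (user_name plus a password_hash column holding password_hash() output) and the file names login.php/index.php are assumptions; password_hash()/password_verify() need PHP 5.5 or newer.

```php
<?php
// login.php -- added example, not code from the thread.
// Nothing may be output before the header() call below, so all decisions are
// made first and the HTML form is emitted last.
session_start();

function check_credentials($name, $pass)
{
    // DSN, account and password are assumptions; use your own.
    $db = new PDO('mysql:host=localhost;dbname=ibcs;charset=utf8mb4', 'ibcs', 'secret', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
    // Prepared statement: $name travels as a parameter, never spliced into the
    // SQL text, so addslashes()/magic_quotes are irrelevant.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE user_name = ?');
    $stmt->execute(array($name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Column assumed to hold password_hash() output (salted bcrypt), which
    // replaces the unsalted md5 the thread's code stores.
    return password_verify($pass, $row['password_hash']);
}

$info = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = isset($_POST['user_name']) ? (string) $_POST['user_name'] : '';
    $pass = isset($_POST['password'])  ? (string) $_POST['password']  : '';

    if ($name !== '' && $pass !== '' && check_credentials($name, $pass)) {
        // Fresh session id on login: an id planted before authentication
        // (session fixation) is not promoted to a logged-in session.
        session_regenerate_id(true);
        $_SESSION['user']      = $name;
        $_SESSION['last_seen'] = time();
        header('Location: index.php');
        exit;   // never fall through to the form after a successful login
    }
    // Same message for an unknown user and a wrong password.
    $info = 'Username or password incorrect.';
}
?>
<!DOCTYPE html>
<html>
<head><title>IBCS WEB ADMIN PANEL</title></head>
<body>
<?php if ($info !== ''): ?>
<p><?php echo htmlspecialchars($info, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form action="login.php" method="post">
  <label>Member ID <input type="text" name="user_name" maxlength="40" required></label><br>
  <label>Password <input type="password" name="password" maxlength="50" required></label><br>
  <input type="submit" value="Login">
</form>
</body>
</html>
```

Create the first account's hash from the command line, for example `php -r 'echo password_hash("s3cret", PASSWORD_DEFAULT), PHP_EOL;'`, and store the result in password_hash. The form's action is a fixed path rather than $_SERVER['PHP_SELF'], which reflects the request path (including any PATH_INFO an attacker appends) into the page unless it is escaped.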

Posted: Wed Apr 27, 2005 12:21 pm
by crazytopu
I did the same thing, didn't I? But why am I getting the same error again and again?

Code:

<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
<title>IBCS WEB ADMIN PANEL</title>
<link rel="stylesheet" type="text/css" href="../admin.css"> 

<script type="text/javascript">

function validateForm(form)
{
    // "form" is the form element handed over by the onsubmit handler
    if (form.user_name.value == "")
    {
        alert("Please type a user id");
        return false;
    }

    if (form.password.value == "")
    {
        alert("Please type a password");
        return false;
    }

    return true;
}

</script>


</head>
<body>
<div id="container">
<h6 class="center">WEB SITE ADMIN PANEL </h6>
<div id="contentBody">
<a class ="adminLink" href="index.php"> Admin Home </a> <br>

<div id="box1">


<?php

/* database connect script. */
require_once ('../includes/DbConnector.php');

$connector = new DbConnector();

if (isset($_POST['submit']))
{
    // if the form has been submitted, authenticate.
    if (!get_magic_quotes_gpc()) {
        $_POST['user_name'] = addslashes($_POST['user_name']);
    }
    $check = "SELECT user_name, password FROM user WHERE user_name = '".$_POST['user_name']."'";
    $result = $connector->query($check);
    $num_row = mysql_num_rows($result);
    if ($num_row) {
        $row = mysql_fetch_array($result);
        // check passwords match (the table stores the md5 of the password)
        $_POST['password'] = stripslashes($_POST['password']);
        $row['password'] = stripslashes($row['password']);
        $_POST['password'] = md5($_POST['password']);

        if ($_POST['password'] == $row['password']) { // was $info['password']; $info is never set

            $date = date('d,m,y');
            $update_login = mysql_query("UPDATE user SET last_login = '$date' WHERE user_name = '".$_POST['user_name']."'");
            $_POST['user_name'] = stripslashes($_POST['user_name']);
            $_SESSION['user'] = $_POST['user_name'];
            $_SESSION['pass'] = $_POST['password'];
            // by this point the HTML above has already been sent, so this header() call fails
            header("Location: http://localhost/ibcs/cmsadmin/index.php");
            exit;
        }
        else {
            die('Incorrect password, please try again.');
        }

    }

} else {

?>


<form action="userLogin.php" method="post" name="form"
onsubmit="return validateForm(this);">
        <center> 
        <table width="250" border="1" cellspacing="0" cellpadding="4" bordercolor="#000000" bordercolordark="#000000" bordercolorlight="#000000" bgcolor="#FFFFFF" style="border-collapse: collapse" height="158"> 
        <tr> 
        <td class="updatecontent" height="75">
          <table border="0" width="100%">
            <tr>
              <td width="50%"><b>Member ID</b></td>
              <td width="50%"><input type="text" name="user_name" maxlength="40"></td>
            </tr>
            <tr>
              <td width="50%"><b>Password</b></td>
              <td width="50%"> 
        <input type="password" name="password" maxlength="50"> 
              </td>
            </tr>
          </table>
        </td></tr> 
        <tr><td class="updatefooter" height="63"> 
        <input type="submit" name="submit" value="Login"> 
        </td></tr> 
        </table> 
        </form> 

<?php

}//end if

?>
        

</div> <!-- box1-->
</div> <!-- contentBody-->
</div> <!-- container -->
</body>
</html>

Posted: Thu Apr 28, 2005 12:27 am
by ol4pr0
Example, I haven't checked it, just a draft :)

Code:

<?php
function _check_user($usrN, $usrP) {
    # do your queries ... select where ... $usrN, $usrP;
    $result = false; // replace with the result of your query
    if (!$result) {
        return false;
    } else {
        return true;
    }
}
?>

On the main page or wherever you have the validation part:

<?php
$usrN = isset($_POST['user_name']) ? $_POST['user_name'] : '';
$usrP = isset($_POST['password']) ? $_POST['password'] : '';
$user_check = _check_user($usrN, $usrP);
if ($user_check == false) { ?>
  <script type="text/javascript">
  window.location.replace("wherever.php");
  </script>
<?php
  // a client-side redirect does not stop this script, so nothing protected
  // may be emitted below this point
} else {
  # do something else
}
?>

Posted: Thu Apr 28, 2005 3:42 am
by phpScott
You haven't done the same thing.
As soon as your script gets to line 4, the headers are set and your redirect is doomed.

Take your PHP code that deals with the headers and put it at the top of your script. Do the checking to see if a redirect is needed before you get to your <!DOCTYPE> tag.

Posted: Thu Apr 28, 2005 3:56 am
by n00b Saibot
phpScott wrote: You haven't done the same thing.
As soon as your script gets to line 4, the headers are set and your redirect is doomed.

Take your PHP code that deals with the headers and put it at the top of your script. Do the checking to see if a redirect is needed before you get to your <!DOCTYPE> tag.

Yeah! That's the point, crazytopu. As soon as you output something, the headers you send afterwards have no meaning. Simply place all the validation code at the top of your page. That's it :!:

Posted: Thu Apr 28, 2005 8:25 am
by crazytopu

Code:

require_once ('../includes/DbConnector.php');

That is the only line that is stopping me from redirecting the page. As you both have pointed out, I've placed all the validation code at the top of the page. But I am still receiving the same error message. I played around with the code a bit by placing the above line elsewhere, and finally what I saw is: if I try to redirect the page after that require_once line I get the error, otherwise I don't.

Is this meant to be like that?
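
As an added check (not from the thread), the two tools below are how a practitioner pins down "headers already sent" when the redirect itself is at the top of the page: headers_sent() names the file and line that produced the first byte of output, and a static scan of an included file flags the usual causes, a UTF-8 byte-order mark, text before <?php, or whitespace after the closing ?> beyond the single newline PHP itself discards. The sample include written to the temp directory is constructed for the demonstration; the file name DbConnector_sample.php and the class inside it are assumptions, not the project's DbConnector.php.

```php
<?php
// include_check.php -- added example, not code from the thread.
// Two tools for "headers already sent":
//   safe_redirect()      asks headers_sent() WHICH file and line produced the
//                        first output before attempting the Location header;
//   find_stray_output()  statically checks an included file for a UTF-8
//                        byte-order mark, text before <?php, or anything after
//                        the closing ?> beyond the one newline PHP discards.

function safe_redirect($url)
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            "cannot redirect to $url: output already started in $file on line $line");
    }
    header('Location: ' . $url);
    exit;
}

function find_stray_output($path)
{
    $src      = file_get_contents($path);
    $problems = array();
    $bom      = "\xEF\xBB\xBF";

    if (substr($src, 0, 3) === $bom) {
        $problems[] = 'UTF-8 byte-order mark before the opening <?php tag';
    }

    $open = strpos($src, '<?php');
    if ($open === false) {
        $problems[] = 'no <?php tag: the whole file is output';
    } else {
        $prefix = (string) substr($src, 0, $open);
        if (substr($prefix, 0, 3) === $bom) {
            $prefix = (string) substr($prefix, 3);
        }
        if ($prefix !== '') {
            $problems[] = strlen($prefix) . ' byte(s) of text before the opening <?php tag';
        }
    }

    $close = strrpos($src, '?>');
    if ($close !== false) {
        $tail = (string) substr($src, $close + 2);
        // PHP drops exactly one "\n" or "\r\n" directly after ?>; anything more is sent.
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $problems[] = 'output after the closing ?> tag: ' . json_encode($tail);
        }
    }
    return $problems;
}

// Constructed sample include: looks harmless, but carries two newlines after ?>.
// The second newline is sent to the client before any header() can run.
$sample = sys_get_temp_dir() . '/DbConnector_sample.php';
file_put_contents($sample, "<?php\nclass DbConnector {}\n?>\n\n");
foreach (find_stray_output($sample) as $problem) {
    echo $problem, PHP_EOL;
}
unlink($sample);
```

Run `php include_check.php` to see the sample flagged; pointed at a real directory (for example `foreach (glob('../includes/*.php') as $f)`) it checks a project's own includes. The simplest cure for an include is to drop its closing ?> altogether, which PHP permits and which leaves nothing for an editor to append whitespace after. ob_start() at the top of the entry script is the blunt alternative: it buffers all output so header() still works, at the cost of hiding the stray bytes instead of removing them.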