Login twice to access secure page

cbrody
Forum Newbie
Posts: 4
Joined: Mon Jul 02, 2007 5:22 pm

Post by cbrody »

I have an issue with some login code, mostly cobbled from Dreamweaver's supplied method. In getdocument.php there is a security check which redirects to login.php if the user is not logged in. For some reason (and this doesn't happen consistently) it's sometimes necessary to enter login details twice before the redirection back to getdocument.php is successful. I'm stumped as to what the problem might be.

getdocument.php:

Code:

<?php
session_start();

$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = false;

  // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = explode(",", $strUsers);
    $arrGroups = explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their group.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    // An empty user list means any logged-in user is allowed.
    if ($strUsers == "") {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "login.php";
if (!(isset($_SESSION['MM_Username']) && isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup']))) {
  // Debug info appended to the redirect URL; the session keys may be unset at this point, so guard them.
  $sessUser  = isset($_SESSION['MM_Username']) ? $_SESSION['MM_Username'] : "";
  $sessGroup = isset($_SESSION['MM_UserGroup']) ? $_SESSION['MM_UserGroup'] : "";
  $emsg = "&Username: " . $sessUser . "&isAuthorised: " . isAuthorized("", $MM_authorizedUsers, $sessUser, $sessGroup);
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) {
    $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  }
  $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer) . $emsg;
  header("Location: " . $MM_restrictGoTo);
  exit;
}

$basepath = "/path/to/secure/documents/";
$file = isset($_GET['d']) ? $_GET['d'] : "";
if (!empty($file)) {
  // $file is appended to $basepath exactly as the client supplied it (no validation here).
  $fpath = $basepath . $file;
  header("Pragma: public"); // required
  header("Expires: 0");
  header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
  header("Cache-Control: private", false); // required for certain browsers

  // Comparison (==), not assignment: an assignment here would always be true.
  if (!empty($_GET['i']) && $_GET['i'] == "dl") {
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=" . urlencode($file));
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: " . filesize($fpath));
  }
  else {
    header("Content-Type: application/pdf");
    header("Content-Disposition: inline; filename=" . urlencode($file));
  }
  readfile($fpath);
}

If the user is not logged in they are taken to the login/registration page, login.php:

Code:

<?php
/* php code for registration etc. snipped */

/* check if logging in */
session_start();

if (isset($_POST['login'])) {
  $errors = array();

  $loginFormAction = $_SERVER['PHP_SELF'];
  // Remember where the user came from (the accesscheck parameter added by getdocument.php).
  if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
  }
  $loginUsername = $_POST['email'];
  $password = $_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "login.php?f=1";
  $MM_redirecttoReferrer = false;

  // Note: the mysql_* extension is removed in PHP 7, md5() is not a password hash,
  // and $loginUsername is interpolated into the query without escaping.
  $LoginRS__query = sprintf("SELECT email, password, active FROM natco_user WHERE email='%s' AND password='%s'",
    $loginUsername, md5($password));

  $LoginRS = mysql_query($LoginRS__query) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  $row = mysql_fetch_assoc($LoginRS);
  if ($loginFoundUser) {
    if ($row['active']) {
      $lmsg = "<p>Account has not yet been activated. Please check your email for activation link or contact customer support</p>";
    }
    else {
      $loginStrGroup = "";

      // declare two session variables and assign them
      $_SESSION['MM_Username'] = $loginUsername;
      $_SESSION['MM_UserGroup'] = $loginStrGroup;

      if (isset($_SESSION['PrevUrl']) && false) {
        $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
      }
      if (!empty($_GET['accesscheck'])) {
        $MM_redirectLoginSuccess = $_GET['accesscheck'];
      }
      header("Location: " . $MM_redirectLoginSuccess);
      exit;
    }
  }
  else {
    header("Location: " . $MM_redirectLoginFailed);
    exit;
  }
}

Thanks for your help.

Chris
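As an added example (not the poster's code, and not part of the thread), here is a hardened version of the access gate and file handoff in getdocument.php above. It keeps the post's session key `MM_Username`, its `d` and `i` parameters and its placeholder document directory, but validates the requested file name against the directory before reading it and passes only a local path back to login.php as the return URL. It assumes PHP 7.1 or later for the typed signature.

```php
<?php
// Added example: hardened equivalent of the getdocument.php gate from the post.
// $basepath and the 'd' / 'i' parameters are carried over from the post as assumptions.
session_start();

$basepath = '/path/to/secure/documents/';   // assumed, same placeholder as the post

// 1. Gate: anyone without a username in the session is sent to login.php.
//    Only a path (no scheme or host) is handed over as the return URL, so
//    login.php cannot be turned into an open redirector, and exit() follows
//    the header so nothing below runs for an anonymous visitor.
if (empty($_SESSION['MM_Username'])) {
    $returnTo = $_SERVER['PHP_SELF'];
    if (!empty($_SERVER['QUERY_STRING'])) {
        $returnTo .= '?' . $_SERVER['QUERY_STRING'];
    }
    header('Location: login.php?accesscheck=' . urlencode($returnTo));
    exit;
}

// 2. Resolve the requested file and refuse anything outside $basepath.
//    basename() drops any directory components; realpath() resolves symlinks
//    and '..' so the prefix check runs against the canonical path.
function resolveDocument(string $basepath, string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($basepath);
    $full = realpath($basepath . $name);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($full)) {
        return null;
    }
    return $full;
}

$fpath = resolveDocument($basepath, (string)($_GET['d'] ?? ''));
if ($fpath === null) {
    http_response_code(404);
    exit('Document not found');
}

// 3. Send the file. The download flag is a comparison, and the file name in the
//    Content-Disposition header is encoded and quoted so it stays on one line.
$download = isset($_GET['i']) && $_GET['i'] == 'dl';
$safeName = rawurlencode(basename($fpath));

header('Pragma: public');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: private', false);
header('Content-Length: ' . filesize($fpath));
if ($download) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
} else {
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $safeName . '"');
}
readfile($fpath);
```

The prefix check on the resolved path is what matters: a request naming a file that resolves (through `..` or a symlink) to somewhere outside the document directory gets a 404 rather than the file.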
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Enter it twice? Are you sure you're performing the login before anything is displayed?
cbrody
Forum Newbie
Posts: 4
Joined: Mon Jul 02, 2007 5:22 pm

Post by cbrody »

I'm entering the correct login details, and then being returned to the login page again. On logging in the second time I am redirected to the originally requested document.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You still haven't answered the question. PHP isn't magic, you know. You have to write it correctly.
cbrody
Forum Newbie
Posts: 4
Joined: Mon Jul 02, 2007 5:22 pm

Post by cbrody »

I'm not sure I understand your question. Nothing is displayed to the browser before the PHP code is executed.
Rovas
Forum Contributor
Posts: 272
Joined: Mon Aug 21, 2006 7:09 am
Location: Romania

Post by Rovas »

I have a similar problem. I have moved the site to a new server and the user can't log in. The code is correct (it worked well on the other site) but on the new one I assume it's a wrong setting for Apache or PHP. You should check that too.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

cbrody wrote: I'm not sure I understand your question. Nothing is displayed to the browser before the PHP code is executed.

Okay, does your script follow this process:
  1. Start the session
  2. Check if user is logged in
  3. If not, check if they've submitted the login form
  4. process the login form
  5. Update the session variables that indicate that they are logged in
  6. Display the rest of the page based on their status of being logged in/out
cbrody
Forum Newbie
Posts: 4
Joined: Mon Jul 02, 2007 5:22 pm

Post by cbrody »

Pretty much, yes. The process should be as follows:

1. Start session
2. Check if user is logged in
3. If yes, process rest of script on page. If not, redirect to login form
4. Check login credentials on submission of login form
5. If OK, redirect to original page.
6. If not, display error message and redisplay login form.

I think I may have found a bug in the following line:

Code:

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}

This should be:

Code:

if (isset($_SESSION['PrevUrl']) && $MM_redirecttoReferrer) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}

I've changed this and set $MM_redirecttoReferrer to true and will see if it corrects the problem.

Cheers

Chris
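As an added example (not the poster's code), here is a login handler written to follow the numbered steps that superdezign and cbrody lay out above: start the session, check the login state, process the submitted form, update the session variables, then redirect back to the page that sent the user to login.php. It assumes a PDO connection in `$pdo`, the post's `natco_user(email, password, active)` table with a truthy `active` meaning the account has been activated, and password hashes created with `password_hash()` rather than `md5()` (a deliberate substitution, not what the thread's code does). The names `safeReturnUrl` and `authenticate` are the example's own.

```php
<?php
// Added example, not the thread's code: login.php following the steps listed above.
// Assumes $pdo (a PDO connection) is already created elsewhere.
session_start();

// Step 1/2: remember where the access gate sent us from. It is stored in the
// session because the form posts back to PHP_SELF, which carries no query
// string, so $_GET['accesscheck'] is only present on the first GET visit.
if (!empty($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

// Only a local absolute path may be used as the post-login destination; a
// value with a scheme, a leading '//' or a line break would let login.php be
// used as an open redirector or for header injection.
function safeReturnUrl(?string $candidate, string $fallback): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//'
        || strpbrk($candidate, "\r\n") !== false) {
        return $fallback;
    }
    return $candidate;
}

// Step 4: check the credentials with a prepared statement and a real hash check.
function authenticate(PDO $pdo, string $email, string $password): array
{
    $stmt = $pdo->prepare('SELECT email, password, active FROM natco_user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        // Same message for unknown email and wrong password.
        return ['ok' => false, 'error' => 'Invalid email or password'];
    }
    if (!$row['active']) {
        return ['ok' => false, 'error' => 'Account has not yet been activated'];
    }
    return ['ok' => true, 'email' => $row['email']];
}

$errors = [];
if (isset($_POST['login'])) {                       // Step 3: form submitted?
    $result = authenticate(
        $pdo,
        (string)($_POST['email'] ?? ''),
        (string)($_POST['password'] ?? '')
    );
    if ($result['ok']) {
        // Step 5: new session id after the privilege change, then mark logged in.
        session_regenerate_id(true);
        $_SESSION['MM_Username']  = $result['email'];
        $_SESSION['MM_UserGroup'] = '';

        // Step 6: go back to the originally requested page, or index.php.
        $target = safeReturnUrl($_SESSION['PrevUrl'] ?? null, '/index.php');
        unset($_SESSION['PrevUrl']);
        header('Location: ' . $target);
        exit;                                       // nothing runs after a redirect
    }
    $errors[] = $result['error'];
}
// ... render the login form here, showing $errors when it is non-empty ...
```

Two points worth keeping whatever else is changed: the session is written before the redirect and `exit` follows the `Location` header, and the return URL is validated before it is used, since it arrives from the query string.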