Login twice to access secure page
Posted: Mon Jul 02, 2007 5:44 pm
I have an issue with some login code, mostly cobbled from Dreamweaver's supplied method. In getdocument.php there is a security check which redirects to login.php if the user is not logged in. For some reason (and this doesn't happen consistently) it's sometimes necessary to enter login details twice before the redirection back to getdocument.php is successful. I'm stumped as to what the problem might be.
getdocument.php:
If the user is not logged in they are taken to the login/registration page, login.php:
Thanks for your help.
Chris
getdocument.php:
Code: Select all
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && true) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$emsg = "&Username: " . $_SESSION['MM_Username'] . "&isAuthorised: " . isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup']) ;
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
$MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer) . $emsg;
header("Location: ". $MM_restrictGoTo);
exit;
}
$basepath = "/path/to/secure/documents/";
$file = $_GET['d'];
if (!empty($file)) {
$fpath = $basepath . $file;
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers
if (!empty($_GET['i']) && $_GET['i'] = "dl") {
//echo urlencode($file);
header("Content-Type: application/octet-stream" );
header("Content-Disposition: attachment; filename=" . urlencode($file));
header("Content-Transfer-Encoding: binary");
header("Content-Length:" . filesize($fpath));
}
else {
header("Content-Type: application/pdf");
header("Content-Disposition: inline; filename=" . urlencode($file));
}
readfile("$fpath");
}Code: Select all
/* php code for registration etc. snipped */
/*check if logging in */
session_start();
if (isset($_POST['login'])) {
$errors = array();
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_SESSION['accesscheck'])) {
$_SESSION['PrevUrl'] = $accesscheck;
}
$loginUsername=$_POST[email];
$password=$_POST[password];
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "index.php";
$MM_redirectLoginFailed = "login.php?f=1";
$MM_redirecttoReferrer = false;
$LoginRS__query=sprintf("SELECT email, password, active FROM natco_user WHERE email='%s' AND password='%s'",
$loginUsername, md5($password) );
$LoginRS = mysql_query($LoginRS__query) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
$row = mysql_fetch_assoc($LoginRS);
if ($loginFoundUser) {
if ($row['active']) {
$lmsg = "<p>Account has not yet been activated. Please check your email for activation link or contact customer support</p>";
}
else {
$loginStrGroup = "";
//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
if (!empty($_GET['accesscheck'])) {
$MM_redirectLoginSuccess = $_GET['accesscheck'];
}
header("Location: " . $MM_redirectLoginSuccess );
}
}
else {
header("Location: ". $MM_redirectLoginFailed );
}
}Chris