
Login twice to access secure page

Posted: Mon Jul 02, 2007 5:44 pm
by cbrody
I have an issue with some login code, mostly cobbled from Dreamweaver's supplied method. In getdocument.php there is a security check which redirects to login.php if the user is not logged in. For some reason (and this doesn't happen consistently) it's sometimes necessary to enter login details twice before the redirection back to getdocument.php is successful. I'm stumped as to what the problem might be.

getdocument.php:

Code:

session_start();

$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = false;

  // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = explode(",", $strUsers);
    $arrGroups = explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their group.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    // No user list given: any logged-in user is allowed.
    if ($strUsers == "") {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
  // Debugging output, appended to the redirect URL so login.php can show why access was refused.
  $emsg = "&Username: " . $_SESSION['MM_Username'] . "&isAuthorised: " . isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup']);
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) {
    $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  }
  $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer) . $emsg;
  header("Location: " . $MM_restrictGoTo);
  exit;
}


$basepath = "/path/to/secure/documents/";
// basename() drops any directory part, so a d= value containing "../" segments cannot escape $basepath.
$file = isset($_GET['d']) ? basename($_GET['d']) : "";
if ($file !== "") {
  $fpath = $basepath . $file;
  if (!is_file($fpath)) {
    header("HTTP/1.0 404 Not Found");
    exit;
  }
  header("Pragma: public"); // required
  header("Expires: 0");
  header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
  header("Cache-Control: private", false); // required for certain browsers

  // The original had "=" here, which assigned "dl" to $_GET['i'] instead of comparing against it.
  if (!empty($_GET['i']) && $_GET['i'] == "dl") {
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=" . urlencode($file));
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: " . filesize($fpath));
  }
  else {
    header("Content-Type: application/pdf");
    header("Content-Disposition: inline; filename=" . urlencode($file));
  }
  readfile($fpath);
}

If the user is not logged in they are taken to the login/registration page, login.php:

Code:

/* php code for registration etc. snipped */

/* check if logging in */
session_start();

if (isset($_POST['login'])) {
  $errors = array();

  $loginFormAction = $_SERVER['PHP_SELF'];
  // The protected page passes its own URL as ?accesscheck=...; remember it for the redirect after login.
  // (The original read an undefined $accesscheck, which only works with register_globals on.)
  if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
  }
  $loginUsername = $_POST['email'];
  $password = $_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "login.php?f=1";
  $MM_redirecttoReferrer = false;

  // Escape the user-supplied e-mail before it is placed in the query.
  $LoginRS__query = sprintf("SELECT email, password, active FROM natco_user WHERE email='%s' AND password='%s'",
    mysql_real_escape_string($loginUsername), md5($password));

  $LoginRS = mysql_query($LoginRS__query) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  $row = mysql_fetch_assoc($LoginRS);
  if ($loginFoundUser) {
    // The original tested if ($row['active']), which showed the "not activated" message to activated accounts.
    if (!$row['active']) {
      $lmsg = "<p>Account has not yet been activated. Please check your email for activation link or contact customer support</p>";
    }
    else {
      $loginStrGroup = "";

      // declare two session variables and assign them
      $_SESSION['MM_Username'] = $loginUsername;
      $_SESSION['MM_UserGroup'] = $loginStrGroup;

      if (isset($_SESSION['PrevUrl']) && false) {
        $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
      }
      // Only follow accesscheck to a site-local path (one leading "/", not "//host"), so the parameter
      // cannot send a freshly logged-in user to another host.
      if (!empty($_GET['accesscheck']) && strpos($_GET['accesscheck'], '/') === 0 && strpos($_GET['accesscheck'], '//') !== 0) {
        $MM_redirectLoginSuccess = $_GET['accesscheck'];
      }
      header("Location: " . $MM_redirectLoginSuccess);
      exit;
    }
  }
  else {
    header("Location: " . $MM_redirectLoginFailed);
    exit;
  }
}
Thanks for your help.

Chris

Posted: Mon Jul 02, 2007 6:38 pm
by superdezign
Enter it twice? Are you sure you're performing the login before anything is displayed?

Posted: Mon Jul 02, 2007 6:43 pm
by cbrody
I'm entering the correct login details, and then being returned to the login page again. On logging in the second time I am redirected to the originally requested document.

Posted: Mon Jul 02, 2007 6:54 pm
by superdezign
You still haven't answered the question. PHP isn't magic, you know. You have to write it correctly.

Posted: Tue Jul 03, 2007 3:26 am
by cbrody
I'm not sure I understand your question. Nothing is displayed to the browser before the php code is executed.

Posted: Tue Jul 03, 2007 3:47 am
by Rovas
I have a similar problem. I have moved the site to a new server and the user can't log in. The code is correct (it worked well on the other site), but on the new one I assume it's a wrong setting for Apache or PHP. You should check that too.

Posted: Tue Jul 03, 2007 6:29 am
by superdezign
cbrody wrote: I'm not sure I understand your question. Nothing is displayed to the browser before the php code is executed.
Okay, does your script follow this process:
  1. Start the session
  2. Check if user is logged in
  3. If not, check if they've submitted the login form
  4. process the login form
  5. Update the session variables that indicate that they are logged in
  6. Display the rest of the page based on their status of being logged in/out

Posted: Tue Jul 03, 2007 9:16 am
by cbrody
Pretty much, yes. The process should be as follows:

1. Start session
2. Check if user is logged in
3. If yes, process rest of script on page. If not, redirect to login form
4. Check login credentials on submission of login form
5. If OK, redirect to original page.
6. If not, display error message and redisplay login form.

I think I may have found a bug in the following line:

Code:

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
This should be:

Code:

if (isset($_SESSION['PrevUrl']) && $MM_redirecttoReferrer) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
I've changed this and set $MM_redirecttoReferrer to true and will see if it corrects the problem.

Cheers

Chris
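The flow listed above (start session, remember the requested page, check credentials, redirect back), as an added example that is not code from the thread or from Dreamweaver. It stores the accesscheck target in the session on the request that shows the form, so the value survives a POST whose action ($_SERVER['PHP_SELF']) carries no query string, accepts only site-local redirect targets, and goes beyond the thread's md5-in-the-query approach by using a prepared statement with password_verify() and regenerating the session id on login; $pdo, the users table and its columns are assumptions.

```php
<?php
// Added example (not from the thread): a self-contained login.php skeleton.
// Assumed: $pdo is an existing PDO connection, and a "users" table with
// columns email, password_hash (from password_hash()) and active.
session_start();

// Accept only a site-local path: one leading "/" and not "//host/..." or "/\host",
// so the accesscheck parameter cannot send the user to another site after login.
function localPathOrNull($url) {
    if (!is_string($url) || $url === '' || $url[0] !== '/') return null;
    if (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\')) return null;
    return $url;
}

// Step 1 (on every request, not only inside the POST branch): remember the
// protected page the user was sent here from.
if (isset($_GET['accesscheck'])) {
    $prev = localPathOrNull($_GET['accesscheck']);
    if ($prev !== null) $_SESSION['PrevUrl'] = $prev;
}

// Step 2: credential check with a prepared statement and a salted hash
// (password_hash()/password_verify(), PHP >= 5.5) instead of an unsalted md5
// interpolated into the SQL string.
function checkCredentials(PDO $pdo, $email, $password) {
    $st = $pdo->prepare('SELECT password_hash, active FROM users WHERE email = ?');
    $st->execute(array($email));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !$row['active']) return false;   // unknown e-mail or not yet activated
    return password_verify($password, $row['password_hash']);
}

if (isset($_POST['login'])) {
    $email    = isset($_POST['email'])    ? $_POST['email']    : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (checkCredentials($pdo, $email, $password)) {
        session_regenerate_id(true);       // the pre-login session id stops being valid
        $_SESSION['MM_Username']  = $email;
        $_SESSION['MM_UserGroup'] = '';
        // Step 3: send the user back to the page that required the login.
        $target = isset($_SESSION['PrevUrl']) ? $_SESSION['PrevUrl'] : '/index.php';
        unset($_SESSION['PrevUrl']);
        header('Location: ' . $target);
        exit;
    }
    header('Location: login.php?f=1');
    exit;
}
// Otherwise fall through and render the login form.
```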