Re: [PHP] Login with Remember me Feature
Thank you for all the helpful input so far!
I have now tried to implement the changes you suggested, but I unfortunately
keep getting an error in line 114, in {-bracket in the switch statement. I
know it is not very desirable to send all the code in a mail, but I think
this is the best solution to find where the error(s) are located.
Also when it comes to implementing the loggedin-function as Geoff Shang so
kindly suggested for the config.php. I keep getting an error message that
says that there is an error in the * return true; - line
*
*function loggedin()
{*
*if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))
return true;
else
return false;*
*}*
So for now this code-block is the same as it used to be, because this done
not generate any errors.
When it comes to the function loggedin() inside the connexions.php, I am not
sure where to call the function. Should this be just before the comparing of
the password?
..or before the switch statement?
*connextion.php*
*?php*
*include('config.php');*
*?*
*
*
*!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html xmlns=http://www.w3.org/1999/xhtml;*
*head
meta http-equiv=Content-Type content=text/html;
charset=ISO-8859-1 /
link href=?php echo $design; ?/style.css rel=stylesheet
title=Style /
titleConnexion/title
/head
body div class=header*
* a href=?php echo $url_home; ?img src=?php echo
$design; ?/images/logo.png alt=Members Area //a*
* /div*
*?php*
*// LOGGOUT:
//If the user is logged, we log him out*
*if(isset($_SESSION['username']))
{
//We log him out by deleting the username and userid sessions
unset($_SESSION['username'], $_SESSION['userid'],
$_SESSION['usr_level']);*
*?*
*div class=messageYou have successfuly been loged out.br /
a href=?php echo $url_home; ?Home/a/div
?php*
*} // close the if-loop user logged in*
*else
{*
*$ousername = '';*
*//We check if the form has been sent
if(isset($_POST['username'], $_POST['password']))*
*{*
*//We remove slashes depending on the configuration
// And encrypt the password using salt and md5*
*if(get_magic_quotes_gpc())
{*
*$ousername = stripslashes($_POST['username']);
$username =
mysql_real_escape_string(stripslashes($_POST['username']));
$password = stripslashes($_POST['password']);*
*$salt = sha1(md5($password));
$password = md5($salt.$password);*
*} // close the remove slashes and encrypting-loop*
*else
{*
*$username =
mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];*
*$salt = sha1(md5($password));
$password = md5($salt.$password);*
*} // close the elese: get_magic_quotes_gpc() - block*
* *
*//We get the password of the user*
*$req = mysql_query('select password,id,usr_level from users
where username='.$username.'');
$dn = mysql_fetch_array($req);*
* //Get user level of the user*
*$usr_level = $dn['usr_level'];*
*
*
* // if (loggedin()){ -- should be placed her??*
**
*//We compare the submited password and the real one, and we
check if the user exists *
* if($dn['password']==$password and mysql_num_rows($req)0)
{*
*//If the password is ok, we set the $loginok var to
true
$loginok = true;*
*//If the password is good, we dont show the form
$form = false;
*
* // If the user is alredy logged in
if ($loginok)
{
if ($remember==on)
setcookie(username, $username,
time()+3600*48);*
* else*
*
//We save the user name in the session
username and the user Id in the session userid*
* $_SESSION['username'] =
$username;
$_SESSION['userid'] =
$dn['id'];
$_SESSION['usr_level'] =
$dn['usr_level'];
*
* // if (loggedin()){ -- should be placed her??
*
* switch ($usr_level) *
*
Re: [PHP] Login with Remember me Feature
Hi guys!
I have now tried to take some of your hints into consideration, by
encrypting the password with md5 adding a salt.
As some of you pointed out, this code is the work of a newbie, that is
totally correct, so please bear with me ;)
I have tried to implement a cookie to remember the login for 48 hours, but
it still logs the user out after the default 24min for a session like this:
* //We compare the submited password and the real one, and we
check if the user exists*
*if($dn['password']==$password and mysql_num_rows($req)0)*
*{*
**
*//If the password is ok, we set the $loginok var to
true*
*$loginok = true;*
*//If the password is good, we dont show the form*
*$form = false;*
**
*}*
* if ($loginok = true)*
* {*
* if ($remember==on)
*
*setcookie(username,
$username, time()+7200*24);*
* elseif ($remember==)
*
* //We save the user name in the session username and the
user Id in the session userid*
* $_SESSION('username')=$username; *
* $_SESSION['userid'] =
$dn['id'];*
* $_SESSION['usr_level'] =
$dn['usr_level'];*
*
*
*.*
*.*
*.*
*.*
*.*
*.*
*}*
Another problem I am now facing, is to check whether to user is logged in,
and if it is the user should be redirected from the index-page(with the
login-form) to its user area based on the user level(newbie, advanced or
admin).
For now I have written a function, in the config.php.
*function loggedin()*
*{*
* if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))*
* {*
* $loggedin = true;*
* return $loggedin;*
* }*
*}*
I have both tried to include the config.php into the index-page(login-form)
and into the connexions.php script (where cookie is implemented). Along with
this code:
*?php*
*
*
*if (loggedin==true)*
*{*
* if($usr_level == admin)*
*{*
* ?*
*div class=messageYou have successfuly been logged in. You can now
access the admin area.br /*
*?php header(Location: index_admin.php); ?/div*
*?php*
*}*
* if($usr_level == newbie)*
*{*
*?*
*div class=messageYou have successfuly been logged in. You can now
access to the newbie area.br /*
*?php header(Location: index_newbe.php); ?/div*
*?php*
*}*
* if($usr_level == advanced)*
*{*
*?*
*div class=messageYou have successfuly been logged in. You can now
access the advanced area.br /*
*?php header(Location: index_advanced.php); ?/div*
*?php*
*}*
* *
*}*
*
*
*? *
*
*
This does not redirect an alredy logged in user to its user area...
I know this is messy, but if some of you can spot some improvements that
hopfully can fix my cookie and redirect problem, please let me know.
Tanks a lot!
Re: [PHP] Login with Remember me Feature
On Aug 14, 2011, at 8:23 AM, Alekto Antarctica wrote:
Hi guys!
I have now tried to take some of your hints into consideration, by
encrypting the password with md5 adding a salt.
As some of you pointed out, this code is the work of a newbie, that is
totally correct, so please bear with me ;)
I have tried to implement a cookie to remember the login for 48
hours, but
it still logs the user out after the default 24min for a session
like this:
* //We compare the submited password and the real one,
and we
check if the user exists*
*if($dn['password']==$password and
mysql_num_rows($req)0)*
*{*
**
*//If the password is ok, we set the
$loginok var to
true*
*$loginok = true;*
*//If the password is good, we dont show the
form*
*$form = false;*
**
*}*
* if ($loginok = true)*
* {*
* if ($remember==on)
*
*setcookie(username,
$username, time()+7200*24);*
* elseif ($remember==)
*
* //We save the user name in the session username
and the
user Id in the session userid*
* $_SESSION('username')=
$username; *
* $_SESSION['userid'] =
$dn['id'];*
*
$_SESSION['usr_level'] =
$dn['usr_level'];*
*
*
*.*
*.*
*.*
*.*
*.*
*.*
*}*
Another problem I am now facing, is to check whether to user is
logged in,
and if it is the user should be redirected from the index-page(with
the
login-form) to its user area based on the user level(newbie,
advanced or
admin).
For now I have written a function, in the config.php.
*function loggedin()*
*{*
* if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))*
* {*
* $loggedin = true;*
* return $loggedin;*
* }*
*}*
I have both tried to include the config.php into the index-
page(login-form)
and into the connexions.php script (where cookie is implemented).
Along with
this code:
*?php*
*
*
*if (loggedin==true)*
*{*
* if($usr_level == admin)*
*{*
* ?*
*div class=messageYou have successfuly been logged in. You can now
access the admin area.br /*
*?php header(Location: index_admin.php); ?/div*
*?php*
*}*
* if($usr_level == newbie)*
*{*
*?*
*div class=messageYou have successfuly been logged in. You can now
access to the newbie area.br /*
*?php header(Location: index_newbe.php); ?/div*
*?php*
*}*
* if($usr_level == advanced)*
*{*
*?*
*div class=messageYou have successfuly been logged in. You can now
access the advanced area.br /*
*?php header(Location: index_advanced.php); ?/div*
*?php*
*}*
* *
*}*
*
*
*? *
*
*
This does not redirect an alredy logged in user to its user area...
I know this is messy, but if some of you can spot some improvements
that
hopfully can fix my cookie and redirect problem, please let me know.
Tanks a lot!
You can't issue headers after you've sent output to the client.
headers must be sent before any other output.
If you have messages to be output based on the current script, you
have to pass them to the redirected script for them to be output to
the client. You can do this by passing them on the query string or in
a session variable; there are likely other ways of doing this as well.
Note that you don't have to pass the actual text of the message if you
use message codes instead, which would also aid in being able to
translate the output if so desired.
In the code above, since the message seems tied to the particular area
the user has access to and that is tied to a particular script, you
could just put the message with each particular script.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Re: [PHP] Login with Remember me Feature
On 14 Aug 2011 at 14:23, Alekto Antarctica alekto.antarct...@gmail.com wrote:
*function loggedin()*
*{*
* if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))*
* {*
* $loggedin = true;*
* return $loggedin;*
* }*
*}*
Why not justreturn true;
And what happens if your if doesn't evaluate to true? What do you return then?
*?php*
*
*
*if (loggedin==true)*
*{*
Should this be:
if ($loggedin==true) ...
--
Cheers -- Tim
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login with Remember me Feature
On Sun, 14 Aug 2011, Alekto Antarctica wrote:
I have tried to implement a cookie to remember the login for 48 hours, but
it still logs the user out after the default 24min for a session like this:
* //We compare the submited password and the real one, and we
check if the user exists*
*if($dn['password']==$password and mysql_num_rows($req)0)*
You don't show us anything before this, so we have to assume it's all
good up to here.
*{*
**
*//If the password is ok, we set the $loginok var to
true*
*$loginok = true;*
*//If the password is good, we dont show the form*
*$form = false;*
**
*}*
Maybe I'm just like this, but I always comment my closing braces. I've
been in situations where I'm missing one or I need to review code I wrote
months ago and understand its logic, and I find this practice useful.
Yes, in this case the opening is a few lines up, but you could have a code
block that runs for hundreds of lines, and it's good to remember what
started it.
* if ($loginok = true)*
* {*
First, off, as someone else mentioned, this should presumably be:
if ($loginok == true)
This one mistake will mean that $loginok will always be true.
Second, since if statements are always looking for true conditions, you
can simply type:
if ($loginok)
Finally, since $loginok is assigned the true value in the previous block,
then, unless it is also possibly assigned elsewhere, you can just put the
below code in the same code block as the above code, rather than closing
and starting a new one with this if statement.
* if ($remember==on)
*
*setcookie(username,
$username, time()+7200*24);*
This is not very intuitive. You're saying to add 2 hours times 24, which
is a bit strange if you're trying to understand the code. I'dve found
3600*48 much more intuitive. A comment mightn't go astray here either.
* elseif ($remember==)
Are these the only two values that $remember can have? May as well just
use else here without testing for another condition (either the user is
remembering or they're not).
*
* //We save the user name in the session username and the
user Id in the session userid*
I think we might have an left brace missing here, unless it's gotten lost
in translation.
Also, I notice you're storing username and userid here, but above only
stored username in the cookie.
* $_SESSION('username')=$username; *
This line should read:
$_SESSION['username']=$username;
I see the next line has it right. I'm surprised that your code didn't
generate an error for this one, and since it didn't, this may indicate
that this code is never reached (possibly due to the elseif test above).
* $_SESSION['userid'] =
$dn['id'];*
* $_SESSION['usr_level'] =
$dn['usr_level'];*
I see a mixing of styles here. While it's all perfectly good syntax, you
may want to find a style you like and stick to it. I personally find
$foo = $bar;
much more readable than
$foo=$bar;
or
$foo =
$bar;
but each to their own.
Another problem I am now facing, is to check whether to user is logged in,
and if it is the user should be redirected from the index-page(with the
login-form) to its user area based on the user level(newbie, advanced or
admin).
For now I have written a function, in the config.php.
*function loggedin()*
*{*
* if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))*
* {*
* $loggedin = true;*
* return $loggedin;*
* }*
*}*
As someone else pointed out, you could simply return true instead of
assigning to a variable. They also pointed out that you don't return
false if the person is not logged in. You could rewrite the above
function like so:
function loggedin()
{
if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))
return true;
else
return false;
}
However, this doesn't actually check the values of these items, it simply
checks to see if they have been set.
I have both tried to include the config.php into the index-page(login-form)
and into the connexions.php script (where cookie is implemented). Along with
this code:
*?php*
*
*
*if (loggedin==true)*
You need to call a function with parentheses, even if it takes no
arguments, like so:
if (loggedin() == true)
or simply
if (loggedin())
*{*
* if($usr_level == admin)*
*{*
* ?*
*div class=messageYou have successfuly been logged in. You can now
access the
[PHP] Login with Remember me Feature
Hi,
I have implemented a remember me feature in my login-script, but I can't get
it to function!
I want to make it possible for the users to stay logged in for 30 days.
This is what I got this far:
This checkbox is placed Inside the index.php script, near by the
username/password field.
pinput type=checkbox name=rememberRemember me/p
This is all I have added in the index/login script that has something to do
with the remember me feature.
When it comes to saving the username/password to cookies, I have added three
parts to the connextion.php script, all highlighted.
Obviously, I have not found out why this feature does not work, but I might
have placed the different if-loops in the wrong places, or it could be that the
if-codes are not correct themselves?
Anyways, all help are appreciated.
Cheers!
connextion.php:
?php
include('config.php');
?
!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html xmlns=http://www.w3.org/1999/xhtml;
head
meta http-equiv=Content-Type content=text/html; charset=ISO-8859-1
/
link href=?php echo $design; ?/style.css rel=stylesheet
title=Style /
titleConnexion/title
/head
body
div class=header
a href=?php echo $url_home; ?img src=?php echo $design;
?/images/logo.png alt=Members Area //a
/div
?php
//1. unset the cookies if the user logs out.
if (isset($_COOKIE['cookname']) isset($_COOKIE['cookpass']))
{
setcookie(cookname, , time()-2592000, /);
setcookie(cookpass, , time()-2592000, /);
}
//If the user is logged, we log him out
if(isset($_SESSION['username']))
{
//We log him out by deleting the username and userid sessions
unset($_SESSION['username'], $_SESSION['userid']);
?
div class=messageYou have successfuly been loged out.br /
a href=?php echo $url_home; ?Home/a/div
?php
}
else
{
$ousername = '';
//We check if the form has been sent
if(isset($_POST['username'], $_POST['password']))
{
//We remove slashes depending on the configuration
if(get_magic_quotes_gpc())
{
$ousername = stripslashes($_POST['username']);
$username =
mysql_real_escape_string(stripslashes($_POST['username']));
$password = stripslashes($_POST['password']);
}
else
{
$username =
mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
}
//We get the password of the user
$req = mysql_query('select password,id,usr_level from users
where username='.$username.'');
$dn = mysql_fetch_array($req);
//Get user level of the user
$usr_level = $dn['usr_level'];
//We compare the submited password and the real one, and we
check if the user exists
if($dn['password']==$password and mysql_num_rows($req)0)
{
//If the password is good, we dont show the form
$form = false;
//We save the user name in the session username and the
user Id in the session userid
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $dn['id'];
$_SESSION['usr_level'] = $dn['usr_level'];
if($usr_level == admin)
{
?
div class=messageYou have successfuly been logged in. You can now access
the admin area.br /
?php header(Location: index_admin.php); ?/div
?php
}
if($usr_level == newbie)
{
?
div class=messageYou have successfuly been logged in. You can now access to
the newbe area.br /
?php header(Location: index_newbe.php); ?/div
?php
}
if($usr_level == advanced)
{
?
div class=messageYou have successfuly been logged in. You can now access
the advanced area.br /
?php header(Location: index_advanced.php); ?/div
?php
}
//2. checks if the Remember me check box is checked or not
if (isset($_POST['remember'])){
setcookie(cookname, $_SESSION['username'],
time()+2592000, /);
setcookie(cookpass, $_SESSION['password'],
time()+2592000, /);
}
//3. checks the users cookies for the username and password
if (isset($_COOKIE['cookname'])
isset($_COOKIE['cookpass'])){
$_SESSION['username'] = $_COOKIE['cookname'];
$_SESSION['password'] = $_COOKIE['cookpass'];
}
Re: [PHP] Login with Remember me Feature
Hello alekto, I've got several notes to point out: 1. You can't do neither a header(), nor a SetCookie() after any echo on the page. The out-of-php pieces of the page included. 2. Don't, please please don't store raw passwords in the database! Hash them, better even adding a salt. The guy who had been writing code of our project before me stored raw passwords, and I lost an amount of time to encrypt them live so users wouln't notice anything happening. Please don't repeat this mistake) 3. Don't store passwords in the cookies, they can be easily stolen. the username is quite enough: if it is there and it is not empty, then you can verify if such a user exists. -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login with Remember me Feature
alekto wrote: Hi, I have implemented a remember me feature in my login-script, but I can't get it to function! If I might be so bold... then you haven't implemented the feature yet, right? ;-) I want to make it possible for the users to stay logged in for 30 days. This is what I got this far: You have a logic problem... If I were you, I would write it out more simplistically first... something like: if session cookie keep logged in else, if remember me if verifiable set session cookie and redirect Of course, that is not an example of exact logic to use, and is just a method example of how you can solve your problem. As others have suggested, I would first start reading about ob_start,ob_end_clean(which works well before a header redirect), and ob_end_flush. I agree about only needing to store the user ID in your cookie's (session and rememberme) (hashed perhaps), and not the password. My last comment would be a kind request to strip out all unnecessary html etc.. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-) Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login with Remember me Feature
On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke li...@euca.us wrote: alekto wrote: Hi, I have implemented a remember me feature in my login-script, but I can't get it to function! If I might be so bold... then you haven't implemented the feature yet, right? ;-) I want to make it possible for the users to stay logged in for 30 days. This is what I got this far: You have a logic problem... If I were you, I would write it out more simplistically first... something like: if session cookie keep logged in else, if remember me if verifiable set session cookie and redirect Of course, that is not an example of exact logic to use, and is just a method example of how you can solve your problem. As others have suggested, I would first start reading about ob_start,ob_end_clean(which works well before a header redirect), and ob_end_flush. I agree about only needing to store the user ID in your cookie's (session and rememberme) (hashed perhaps), and not the password. My last comment would be a kind request to strip out all unnecessary html etc.. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-) Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php I'm going to play the third side of this thread and ask if anyone other than me sees any clear security issues with code like that, even if username and password were taken out of the cookie, and it was hashed in the DB, there is still a security issue with thinking this way which in today's world should not be an overlooked practice. And i mean i see that the person here is a newbie, the code looks pretty bad, but i think it's worth mentioning that looking at best security practices for the situation is as trivial as figuring out your classes and methods. Knowing how to prevent people like, well even me, from running sql scripts from your website via forms, or stealing user sessions is essential in today's web world... You're writing some client-facing code, maybe you should look at how to write it and keep the client secure? You could at least add session and request tokens to make the persistent sessions at least a bit more secure, that's of course on top of hashing passwords (with a salt), and not storing user names and passwords in the cookie. Also escaping doesn't work, if you don't believe me, listen to the keynote that Dan Kaminsky gave at the last HOPE conference, he gives a good overview of why... Please either use parameterized queries, or the awesome hack that is base 64, don't assume that just because the function is called mysql_real_escape_string, that it actually knows what it is doing; unicode is a powerful weapon in the wrong hands! Also use === for string comparison as 42 == test! ~Alex -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
Re: [PHP] login to protected directory by php
On Mon, 2010-08-16 at 09:27 +0530, kranthi wrote: i would configure apache to let php interpreter handle all kinds of extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler ) even then u'll have go through all the steps pointed out by Ash. the only advantage of this method is more user friendly URL That would be very slow and prone to failure. What happens when Apache comes across a binary file that contains ?php inside? It seems unlikely, but I've found the more unlikely something should be, the more often it occurs at just the wrong moment! For example, a document that talks about PHP, or an image that randomly contains those characters as part of the bitmap data? Also, the idea of tying an ID into the DB does still allow you to use friendly URLs, but is the ability to guess filenames really something you want in a security system? It would be more prone to brute force attacking I think. Thanks, Ash http://www.ashleysheridan.co.uk
[PHP] login to protected directory by php
all files (web pages, pictures, and exe files) and folders in a directory should be protected against anonymous users. I create an application with php and mysql for registered users. when a user registers it's information will be saved in database and its username and password will be added to .htpass file. so registered users can reach protected area. But browser prompts login dialog, when users want to access this folder. How can I run login process with php. Thanks On Sat, Aug 14, 2010 at 4:23 PM, chris h chris...@gmail.com wrote: it sounds as if apache - or whatever your http server is - is not aware of your php script. All apache knows is that someone is trying to access a directory or file that is protected, it does not know that it should send that request to the php script for a login. What are the protected resources that you want a login for? On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi The php script is in another folder. I set PHP_AUTH_USER and 'PHP_AUTH_PW in login script then try to open the file in the protected directory. the php file is not in the protected realm. On Sat, Aug 14, 2010 at 3:26 AM, chris h chris...@gmail.com wrote: Based off what your saying my guess is that the request is not hitting your php script. Is the php script in the protected directory? If so what is it's file name and what url are you hitting for the test? Chris. On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi. I have a protected directory in my host. I have configured .htaccess successfully and it works prefect. Now I'm looking for a solution to login and logout by a php script. In my site I have a login page. In that page I set 'PHP_AUTH_USER' and ' PHP_AUTH_PW'. but when I try to open protected directory, user authentication dialog appears. How can I do this? What is my error? -- Ali Asghar Torabi -- Ali Asghar Torabi -- Ali Asghar Torabi -- Ali Asghar Torabi
Re: [PHP] login to protected directory by php
On Sun, 2010-08-15 at 22:15 +0430, Ali Asghar Toraby Parizy wrote: all files (web pages, pictures, and exe files) and folders in a directory should be protected against anonymous users. I create an application with php and mysql for registered users. when a user registers it's information will be saved in database and its username and password will be added to .htpass file. so registered users can reach protected area. But browser prompts login dialog, when users want to access this folder. How can I run login process with php. Thanks On Sat, Aug 14, 2010 at 4:23 PM, chris h chris...@gmail.com wrote: it sounds as if apache - or whatever your http server is - is not aware of your php script. All apache knows is that someone is trying to access a directory or file that is protected, it does not know that it should send that request to the php script for a login. What are the protected resources that you want a login for? On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi The php script is in another folder. I set PHP_AUTH_USER and 'PHP_AUTH_PW in login script then try to open the file in the protected directory. the php file is not in the protected realm. On Sat, Aug 14, 2010 at 3:26 AM, chris h chris...@gmail.com wrote: Based off what your saying my guess is that the request is not hitting your php script. Is the php script in the protected directory? If so what is it's file name and what url are you hitting for the test? Chris. On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi. I have a protected directory in my host. I have configured .htaccess successfully and it works prefect. Now I'm looking for a solution to login and logout by a php script. In my site I have a login page. In that page I set 'PHP_AUTH_USER' and ' PHP_AUTH_PW'. but when I try to open protected directory, user authentication dialog appears. How can I do this? What is my error? -- Ali Asghar Torabi -- Ali Asghar Torabi -- Ali Asghar Torabi The two login processes are separate from each other. The .htaccess method is handled by Apache, completely apart from PHP. I believe it is possible, but is unreliable because of the way different browser/server combinations behave. Your best bet is to store these files outside of web route, and access them with a URL like this: file.php?id=123456 your web route might be something like /var/www/html/yoursite (where /var/www/html is the web root) your documents and secure files could be at /var/www/files/yoursite In your DB, the file id 123456 maps to a specific file on the hosting. This file isn't accessible from the web normally, so PHP will have to use something like fpassthru() to open dump the contents to the browser (obviously sending the correct header() mime type, etc). The advantage to this is you can use your PHP login system, and check each file download attempt against the session to ensure they are a valid user who should be able to access this file. Also, the obfuscation of the filename means that someone is less likely to guess at a filename. The id itself can be anything from a hash of the filename to an auto increment id in the DB. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] login to protected directory by php
i would configure apache to let php interpreter handle all kinds of extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler ) even then u'll have go through all the steps pointed out by Ash. the only advantage of this method is more user friendly URL -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] login to protected directory by php
Hi. I have a protected directory in my host. I have configured .htaccess successfully and it works prefect. Now I'm looking for a solution to login and logout by a php script. In my site I have a login page. In that page I set 'PHP_AUTH_USER' and ' PHP_AUTH_PW'. but when I try to open protected directory, user authentication dialog appears. How can I do this? What is my error? -- Ali Asghar Torabi
Re: [PHP] login to protected directory by php
Based off what your saying my guess is that the request is not hitting your php script. Is the php script in the protected directory? If so what is it's file name and what url are you hitting for the test? Chris. On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi. I have a protected directory in my host. I have configured .htaccess successfully and it works prefect. Now I'm looking for a solution to login and logout by a php script. In my site I have a login page. In that page I set 'PHP_AUTH_USER' and ' PHP_AUTH_PW'. but when I try to open protected directory, user authentication dialog appears. How can I do this? What is my error? -- Ali Asghar Torabi
Re: [PHP] Login using just cookies, bad idea?
On 08/07/10 17:53, Michael Calkins wrote: I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing?$_COOKIE vs $_SESSION for login systems Encrypt the cookie, make sure you don't store the password in there, make sure it's salted, and validate the contents before using them. http://stut.net/2008/07/26/sessionless-sessions-2/ -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Login In script quesitons
I have a log in script that is not working. It is taken from a lesson book
that I read about a year or so ago so the lessons are not fresh in my mind.
My questions are.
1. Why is this not working?
2. Does is look secure?
3. In researching the issue, I was reading some older threads that it was a
better idea to use some commercial ready made scripts. Are there any
recommendations?
Here is the code to the script I am trying to get to work. I get no error
message, however if it will not log me in with a correct un/pw or if I leave
it blank, I get the same message and it allows the next page to be viewed
(which I do not want). DB is set up with data in it.
Login Page:
?php
// Start the session
session_start();
?
!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html xmlns=http://www.w3.org/1999/xhtml; xml:lang=en lang=en
head
meta http-equiv=Content-Type content=text/html; charset=utf-8 /
titlexxx- Log In/title
link rel=stylesheet type=text/css href=style.css /
/head
body
h3xxx- Log In/h3
?php
// If the session var is empty, show any error message and the log-in
form; otherwise confirm the log-in
if (empty($_SESSION['username'])) {
echo 'p class=error' . $error_msg . '/p';
?
form method=post action=story.php
fieldset
legendLog In/legend
label for=usernameUsername:/label
input type=text name=username value=?php if (!empty($username))
echo $username; ? /br /
label for=passwordPassword:/label
input type=password name=password /
/fieldset
input type=submit value=Log In name=submit /
/form
?php
}
else {
// Confirm the successful log-in
echo('p class=loginYou are logged in as ' . $_SESSION['username'] .
'./p');
}
?
/body
/html
Processing page:
?php
// Start the session
session_start();
// Clear the error message
$error_msg = ;
// If the user isn't logged in, try to log them in
if (!isset($_SESSION['username'])) {
if (isset($_POST['submit'])) {
// Connect to the database
$dbc = mysqli_connect(host, 'un', 'pw', 'db')//sanitized for board
or die('Error connecting with MySQL Database');
// Grab the user-entered log-in data
$username = mysqli_real_escape_string($dbc, trim($_POST['username']));
$password = mysqli_real_escape_string($dbc, trim($_POST['password']));
if (!empty($username) !empty($password)) {
// Look up the username and password in the database
$query = SELECT username, password FROM family WHERE username =
'$username' AND password = SHA('password');
$data = mysqli_query($dbc, $query)or die(mysqli_error($dbc));
if (mysqli_num_rows($data) == 1) {
// The log-in is OK so set the user ID and username session vars
(and cookies), and redirect to the home page
$row = mysqli_fetch_array($data);
$_SESSION['username'] = $row['username'];
setcookie('username', $row['username'], time() + (60 * 60 * 24 *
30)); // expires in 30 days
$home_url = 'http://' . $_SERVER['HTTP_HOST'] .
dirname($_SERVER['PHP_SELF']) . '/index.php';
header('Location: ' . $home_url);
}
else {
// The username/password are incorrect so set an error message
$error_msg = 'Sorry, you must enter a valid username and password
to log in.';
}
}
else {
// The username/password weren't entered so set an error message
$error_msg = 'Sorry, you must enter your username and password to
log in.';
}
}
}
?
!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html xmlns=http://www.w3.org/1999/xhtml;!-- InstanceBegin
template=/Templates/blindowl.dwt.php codeOutsideHTMLIsLocked=false --
head
meta http-equiv=Content-Type content=text/html; charset=utf-8 /
!-- InstanceBeginEditable name=doctitle --
titlexxx/title
!-- InstanceEndEditable --
style type=text/css
/style
link href=p7pmm/p7PMMh03.css rel=stylesheet type=text/css media=all
/
script type=text/javascript src=p7pmm/p7PMMscripts.js/script
script src=Scripts/AC_RunActiveContent.js
type=text/javascript/script
link href=xxx.css rel=stylesheet type=text/css /
!-- InstanceBeginEditable name=head --!-- InstanceEndEditable --
/head
body
div id=wrap
div id=header
div id=headercontent/div
/div
div id=menu
?php include('includes/menu.inc.php');?
/div
div id=mainwrap!-- InstanceBeginEditable name=main --
?php
// If the session var is empty, show any error message and the log-in
form; otherwise confirm the log-in
if (empty($_SESSION['username'])) {
echo 'p class=error' . $error_msg . '/p';
?
?php
}
else {
// Confirm the successful log-in
echo('p class=loginYou are logged in as ' . $_SESSION['username'] .
'./p');
}
?
Story//text to let me know if the page opened
!-- InstanceEndEditable --/div
div id=footer?php
Re: [PHP] Login In script quesitons
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote: [snip] Take a look at https://code.google.com/p/loginsystem-rd/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login In script quesitons
Richard Quadling rquadl...@gmail.com wrote in message
news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com...
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote:
[snip]
Take a look at https://code.google.com/p/loginsystem-rd/
Richard
Thank you for your quick reply and the link. Since I see you are one of the
creators, thank you for that as well.
I am getting the following error and I'm not sure how to correct it.
Warning: Cannot modify header information - headers already sent by (output
started at /home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 15
Warning: Cannot modify header information - headers already sent by (output
started at /home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 22
Line 15 is: setcookie(token, , time()-42000);
Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) {
loginGlobals stops at line 278
Again, thank you for all your help.
gary
__ Information from ESET Smart Security, version of virus signature
database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login In script quesitons
On Fri, 2010-07-09 at 15:43 -0400, Gary wrote:
Richard Quadling rquadl...@gmail.com wrote in message
news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com...
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote:
[snip]
Take a look at https://code.google.com/p/loginsystem-rd/
Richard
Thank you for your quick reply and the link. Since I see you are one of the
creators, thank you for that as well.
I am getting the following error and I'm not sure how to correct it.
Warning: Cannot modify header information - headers already sent by (output
started at /home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 15
Warning: Cannot modify header information - headers already sent by (output
started at /home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 22
Line 15 is: setcookie(token, , time()-42000);
Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) {
loginGlobals stops at line 278
Again, thank you for all your help.
gary
__ Information from ESET Smart Security, version of virus signature
database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
My guess is that you've put the login PHP code after some HTML in that
page? If you output any content at all (even a blank space) it will
output the default headers. What you need to do is have any logic that
includes a header() call before any output.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Login In script quesitons
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message
news:1278705035.2295.2.ca...@localhost...
On Fri, 2010-07-09 at 15:43 -0400, Gary wrote:
Richard Quadling rquadl...@gmail.com wrote in message
news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com...
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote:
[snip]
Take a look at https://code.google.com/p/loginsystem-rd/
Richard
Thank you for your quick reply and the link. Since I see you are one of
the
creators, thank you for that as well.
I am getting the following error and I'm not sure how to correct it.
Warning: Cannot modify header information - headers already sent by
(output
started at
/home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 15
Warning: Cannot modify header information - headers already sent by
(output
started at
/home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 22
Line 15 is: setcookie(token, , time()-42000);
Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) {
loginGlobals stops at line 278
Again, thank you for all your help.
gary
__ Information from ESET Smart Security, version of virus
signature database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
My guess is that you've put the login PHP code after some HTML in that
page? If you output any content at all (even a blank space) it will
output the default headers. What you need to do is have any logic that
includes a header() call before any output.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Ashley
I am aware of that would cause a problem. I am not finding any html at all
on either page.
Thanks for your reply.
Gary
__ Information from ESET Smart Security, version of virus signature
database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login In script quesitons
On Fri, 2010-07-09 at 15:58 -0400, Gary wrote:
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message
news:1278705035.2295.2.ca...@localhost...
On Fri, 2010-07-09 at 15:43 -0400, Gary wrote:
Richard Quadling rquadl...@gmail.com wrote in message
news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com...
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote:
[snip]
Take a look at https://code.google.com/p/loginsystem-rd/
Richard
Thank you for your quick reply and the link. Since I see you are one of
the
creators, thank you for that as well.
I am getting the following error and I'm not sure how to correct it.
Warning: Cannot modify header information - headers already sent by
(output
started at
/home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 15
Warning: Cannot modify header information - headers already sent by
(output
started at
/home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line 22
Line 15 is: setcookie(token, , time()-42000);
Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) {
loginGlobals stops at line 278
Again, thank you for all your help.
gary
__ Information from ESET Smart Security, version of virus
signature database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
My guess is that you've put the login PHP code after some HTML in that
page? If you output any content at all (even a blank space) it will
output the default headers. What you need to do is have any logic that
includes a header() call before any output.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Ashley
I am aware of that would cause a problem. I am not finding any html at all
on either page.
Thanks for your reply.
Gary
__ Information from ESET Smart Security, version of virus signature
database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
What does your code look like now?
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Login In script quesitons
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message
news:1278705549.2295.4.ca...@localhost...
On Fri, 2010-07-09 at 15:58 -0400, Gary wrote:
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message
news:1278705035.2295.2.ca...@localhost...
On Fri, 2010-07-09 at 15:43 -0400, Gary wrote:
Richard Quadling rquadl...@gmail.com wrote in message
news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com...
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote:
[snip]
Take a look at https://code.google.com/p/loginsystem-rd/
Richard
Thank you for your quick reply and the link. Since I see you are one
of
the
creators, thank you for that as well.
I am getting the following error and I'm not sure how to correct it.
Warning: Cannot modify header information - headers already sent by
(output
started at
/home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line
15
Warning: Cannot modify header information - headers already sent by
(output
started at
/home/content/45/6359745/html/login/include/loginGlobals.php:281)
in /home/content/45/6359745/html/login/include/form_token.php on line
22
Line 15 is: setcookie(token, , time()-42000);
Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400))
{
loginGlobals stops at line 278
Again, thank you for all your help.
gary
__ Information from ESET Smart Security, version of virus
signature database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
My guess is that you've put the login PHP code after some HTML in that
page? If you output any content at all (even a blank space) it will
output the default headers. What you need to do is have any logic that
includes a header() call before any output.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Ashley
I am aware of that would cause a problem. I am not finding any html at
all
on either page.
Thanks for your reply.
Gary
__ Information from ESET Smart Security, version of virus
signature database 5266 (20100709) __
The message was checked by ESET Smart Security.
http://www.eset.com
What does your code look like now?
Thanks,
Ash
http://www.ashleysheridan.co.uk
Ashley
This is form_token.php
?php
if (!isset($_SESSION)) {
session_start();
}
?
?php
function generateToken(){
/*
* Create and set a new token for CSRF protection * on initial entry or after
form errors and we are going to redisplay theform.
**/
$salt=; $tokenStr=; $salt = sha1($_SERVER[HTTP_HOST]);
setcookie(token, , time()-42000); $_SESSION[salt]=$salt;
$_SESSION[guid] = getGUID(); $_SESSION[ip] = $_SERVER[REMOTE_ADDR];
$_SESSION[time] = time(); $tokenStr = IP: . $_SESSION[ip] . ,SESSIONID:
. session_id() .,GUID: . $_SESSION[guid];
$_SESSION[token]=sha1(($tokenStr.$_SESSION[salt]).$_SESSION[salt]); if
(setcookie(token, $_SESSION[token], time()+86400)) {
$_SESSION[usecookie]=True; }}function checkToken() {
/*
* Check the posted token for correctness
**/
$oldToken=; $testToken=; $tokenStr=;
$page=basename($_SERVER['PHP_SELF']); $oldToken=$_POST[token]; $tokenStr =
IP: . $_SESSION[ip] . ,SESSIONID: . session_id() .,GUID: .
$_SESSION[guid];
$testToken=sha1(($tokenStr.$_SESSION[salt]).$_SESSION[salt]);
$checkToken=False; If ($oldToken===$testToken) { $diff = time() -
$_SESSION[time]; If ($diff=300) { // Five minutes max If
($_SESSION[usecookie]) { If ($_COOKIE[token]===$oldToken) {
/*
* Destroy the old form token, then * generate a new token for the
form, which may or may not be needed. Wewant to do this * before headers
are written. When writeToken() or writeTokenH() iscalled we are only *
writing the pre-generated token to the form. The cookie will havealready been
written.
**/
setcookie(token, '', time()-42000); generateToken(); return
true;}else{ $_SESSION = array(); if
(isset($_COOKIE[session_name()])) { setcookie(session_name(), '',
time()-42000); } session_destroy(); header(Location: http://;.
lg_domain . lg_form_error .?p= . $page .t=ec);} }else{ return
True; }}else{ $_SESSION = array(); if
(isset($_COOKIE[session_name()])) {
Re: [PHP] Login In script quesitons
On Fri, 2010-07-09 at 16:04 -0400, Gary wrote: ? ?php That bit of the code has a newline in it, which counts as output :p I've not looked over the rest yet, but see if that helps. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Login In script quesitons
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278706121.2295.5.ca...@localhost... On Fri, 2010-07-09 at 16:04 -0400, Gary wrote: ? ?php That bit of the code has a newline in it, which counts as output :p I've not looked over the rest yet, but see if that helps. Thanks, Ash http://www.ashleysheridan.co.uk Ashley Actually I had added that closing and opening tag in trying to solve the problem, I put it back and still have the issue. I looked at the code as it looks on the board, would it be easier if I sent you the files? Thanks again. Gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login In script quesitons
Ashley Richard I think I found the issue. In loginGlobals.php, the error was pointing to line 281, when the code stopped and 278. (I know most of the time this just means there is a missing bracket or semi-colon in the code), however, what I did is put my curser on link 281, backspaced to eliminate white space, and it seems to be working. I will let you know if this is just premature exhuberation. Thanks again for all your help. Gary Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278706121.2295.5.ca...@localhost... On Fri, 2010-07-09 at 16:04 -0400, Gary wrote: ? ?php That bit of the code has a newline in it, which counts as output :p I've not looked over the rest yet, but see if that helps. Thanks, Ash http://www.ashleysheridan.co.uk __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Login using just cookies, bad idea?
I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing?$_COOKIE vs $_SESSION for login systems From,Michael calkinsmichaelcalk...@live.com425-239-9952 _ The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multiaccountocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4
Re: [PHP] Login using just cookies, bad idea?
On Thu, 2010-07-08 at 09:53 -0700, Michael Calkins wrote: I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing?$_COOKIE vs $_SESSION for login systems From,Michael calkinsmichaelcalk...@live.com425-239-9952 _ The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multiaccountocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4 VERY bad idea! :p Basically, cookies should only be used to store general non-personal information. Sessions are for anything that you want to keep out of prying eyes. The reason being is that cookies are just plain text files on the client machine, and can effectively be read by another program or person very easily. Sessions make use of cookies to store the session_id whilst a user is logged in, but you should destroy the session after you no-longer need it to remove the chance of someone getting hold of it and spoofing a request to your server. This can be done by destroying the session when a user logs out and setting a default timeout on a session. Sessions are easier to use I've found than cookies. You can add information to the session and read it right back without need the clients browser to make a new request to your server with the updated cookie in the header. You can store far more information in a session (exactly how much more depends on your server setup obviously) and in a much more logical manner than a cookie. This is not to say that cookies don't have their uses, but I think for a login system they introduce potential security issues which can be exploited. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Login using just cookies, bad idea?
On Thu, Jul 8, 2010 at 1:00 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: On Thu, 2010-07-08 at 09:53 -0700, Michael Calkins wrote: I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing?$_COOKIE vs $_SESSION for login systems From,Michael calkinsmichaelcalk...@live.com425-239-9952 _ The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multiaccountocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4 VERY bad idea! :p Basically, cookies should only be used to store general non-personal information. Sessions are for anything that you want to keep out of prying eyes. The reason being is that cookies are just plain text files on the client machine, and can effectively be read by another program or person very easily. Sessions make use of cookies to store the session_id whilst a user is logged in, but you should destroy the session after you no-longer need it to remove the chance of someone getting hold of it and spoofing a request to your server. This can be done by destroying the session when a user logs out and setting a default timeout on a session. Sessions are easier to use I've found than cookies. You can add information to the session and read it right back without need the clients browser to make a new request to your server with the updated cookie in the header. You can store far more information in a session (exactly how much more depends on your server setup obviously) and in a much more logical manner than a cookie. This is not to say that cookies don't have their uses, but I think for a login system they introduce potential security issues which can be exploited. Thanks, Ash http://www.ashleysheridan.co.uk Hi Michael, The short answer is that it depends. Cookies are not inherently bad. Cookies are simply another piece of text that's sent to and fro from client to server (via Set-Cookie: name= value and Cookie: name=value exchanges), and this particular piece of text has a special storage mechanism integrated into most web browsers. Since it's inception, cookie support has improved significantly on browsers, as the security policies now in place provide much more security than those first implemented in the olden days. Today, cookies are a valuable tool used to facilitate the vast majority of website login mechanisms. PHP uses cookies to track sessions of web visitors (the cookie stores the corresponding PHPSESSID), and these sessions are often used to handle auth checks. That is, unless you've set your PHP environment up to propagate the session id through the url, which is not usually wise as it's quite easy to expose the PHPSESSID in server logs as through the referrer header: http://php.net/manual/en/session.security.php ASP.Net uses cookies to handle the provide the forms-based auth mechanism, storing limited session information directly within the cookie itself: http://msdn.microsoft.com/en-us/library/ff647070.aspx#pagexplained0002_aspnetforms I right now have a complete user login and registration system however it uses cookies when you login to store information. Now, the questions I'd have for you are: - Are the cookies merely storing the auth tokens or is other information being stored? - If other information is being stored, what type of info is it, how secure does it have to be, and how many bytes of data is it. Whatever scheme you're using, if you're exchanging the cookie over a non-secure channel (i.e., not using HTTPS), you're application is vulnerable to session hijacking: http://en.wikipedia.org/wiki/Session_hijacking I have stored limited amounts of information in the cookie (e.g., default stylesheet info, user first name, etc.), and when I wanted to protect the information, I signed and encrypted it. Because of the nature of a cookie, you'd have to guard against replay attacks even if the information is encrypted: http://en.wikipedia.org/wiki/Replay_attack In summary, a cookie is merely a tool for persisting data on the client. It can facilitate great security, but it's contribution (or detriment) to the security of your application depends on how it's used. Adam -- Nephtali: PHP web framework that functions beautifully http://nephtaliproject.com
RE: [PHP] Login form + User level access
At 8:07 PM + 6/29/10, Carlos Sura wrote:
Thank you for your answer Ted, You are right, well, I do have my
login form, but what I do not understand is how to implement switch
statement.
switch ($level){
case 0:
include (admin.php);
break;
case 1:
include (sales.php);
break;
case 2:
include (superuser.php);
break;
}
Try:
case 0:
header('location:admin.php');
exit();
break;
Instead of includes.
Now I'm wondering if every page has to have something like:
if ($level==2){
} else {
}
Of course, you must check the level of permission granted to the user
before allowing them to see any protected page.
I would suggest using a $_SESSION['level'] during logon to set the
level of permission and then on each protected page do something like
this:
$level = isset($_SESSION['level']) ? $_SESSION['level'] : null;
if($level 2)
{
// redirect to somewhere else
header('location:admin.php');
exit();
}
// this will allow the super-user (level 2) to see everything
while redirecting everyone else elsewhere
Cheers,
tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Login form + User level access
Hello everyone. I have this question: I'm developing a login system but what I need is to do is access levels I mean, in my database I have this users: Admin Superusers sales purchase etc So, What I do basically need is, when a user from sales log in.. I want him to see just the menu from SALES, He cannot see others menu options, and he can't get access, I was reading that I can do that with Switch, but really I have no idea about it... Any help? Thank you. Carlos Sura. _ http://clk.atdmt.com/UKM/go/19780/direct/01/ Do you have a story that started on Hotmail? Tell us now
Re: [PHP] Login form + User level access
At 7:46 PM + 6/29/10, Carlos Sura wrote: Hello everyone. I have this question: I'm developing a login system but what I need is to do is access levels I mean, in my database I have this users: Admin Superusers sales purchase etc So, What I do basically need is, when a user from sales log in.. I want him to see just the menu from SALES, He cannot see others menu options, and he can't get access, I was reading that I can do that with Switch, but really I have no idea about it... Any help? Thank you. Carlos Sura. Carlos: That's a little like saying, I want to build a car so I can drive around the country. I was reading that I could do that with a key, but I don't have any idea about it... Any help? Yes, you can use a switch statement, but that just one control structure in a much, much larger application. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login form + User level access
Hello Carlos,
Something like this (assuming that the field with the type of the user
- admin, sales, etc. - is called `Status`, and the table is called
`Users`):
$f=mysql_fetch_assoc(mysql_query(SELECT `Status`, COUNT(*) AS
`UserExists` FROM `Users` WHERE
`Name`='.$_POST['name'].' AND
`Password`='.md5($_POST['pass']).'));
if ($f['UserExists']0) { // name and password are correct
switch ($f['Status']) {
case 'ADMIN': include adminmenu.php; break;
case 'SALES': include salesmenu.php; break;
// ...
}
} else {
die (You entered either an incorrect login or an
incorrect password.);
}
I assume you store crypted passwords in your
database, and the algorythm is md5 (there are
better solutions, but I used it simply for this
example).
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Carlos Sura carlos_s...@hotmail.com
To: php-general@lists.php.net php-general@lists.php.net
Date: Tuesday, June 29, 2010, 10:46:14 PM
Subject: [PHP] Login form + User level access
Hello everyone.
I have this question: I'm developing a login system but what I need is to do is
access levels
I mean, in my database I have this users:
Admin
Superusers
sales
purchase
etc
So, What I do basically need is, when a user from sales log in.. I want him to
see just the menu from SALES, He cannot see others menu options, and he can't
get access, I was reading that I can do that with Switch, but really I have
no idea about it... Any help?
Thank you.
Carlos Sura.
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Login form + User level access
Thank you for your answer Ted, You are right, well, I do have my login form,
but what I do not understand is how to implement switch statement.
switch ($level){
case 0:
include (admin.php);
break;
case 1:
include (sales.php);
break;
case 2:
include (superuser.php);
break;
}
Now I'm wondering if every page has to have something like:
if ($level==2){
} else {
}
but, I think that might check link pages, and whole menu... Not, just the menu
for admin as example.
So, that's why I'm asking for help... I was saying just the idea to get example
codes, to base on it, asking : how do I get to london?, not how do I drive a
car?
Thanks.
Carlos Sura.
Date: Tue, 29 Jun 2010 15:58:10 -0400
To: carlos_s...@hotmail.com; php-general@lists.php.net
From: tedd.sperl...@gmail.com
Subject: Re: [PHP] Login form + User level access
At 7:46 PM + 6/29/10, Carlos Sura wrote:
Hello everyone.
I have this question: I'm developing a login system but what I need
is to do is access levels
I mean, in my database I have this users:
Admin
Superusers
sales
purchase
etc
So, What I do basically need is, when a user from sales log in.. I
want him to see just the menu from SALES, He cannot see others menu
options, and he can't get access, I was reading that I can do that
with Switch, but really I have no idea about it... Any help?
Thank you.
Carlos Sura.
Carlos:
That's a little like saying, I want to build a car so I can drive
around the country. I was reading that I could do that with a key,
but I don't have any idea about it... Any help?
Yes, you can use a switch statement, but that just one control
structure in a much, much larger application.
Cheers,
tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
Re[2]: [PHP] Login form + User level access
Hello Carlos,
What I forgot to add is the following:
I'd suggest you to put in the integers and not the strings
(1 instead of PURCHASER, 2 instead of SALES etc.). It will
quicken the process.
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Andre Polykanine an...@oire.org
To: Carlos Sura carlos_s...@hotmail.com
Date: Tuesday, June 29, 2010, 11:04:53 PM
Subject: [PHP] Login form + User level access
Hello Carlos,
Something like this (assuming that the field with the type of the user
- admin, sales, etc. - is called `Status`, and the table is called
`Users`):
$f=mysql_fetch_assoc(mysql_query(SELECT `Status`, COUNT(*) AS
`UserExists` FROM `Users` WHERE
`Name`='.$_POST['name'].' AND
`Password`='.md5($_POST['pass']).'));
if ($f['UserExists']0) { // name and password are correct
switch ($f['Status']) {
case 'ADMIN': include adminmenu.php; break;
case 'SALES': include salesmenu.php; break;
// ...
}
} else {
die (You entered either an incorrect login or an
incorrect password.);
}
I assume you store crypted passwords in your
database, and the algorythm is md5 (there are
better solutions, but I used it simply for this
example).
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Carlos Sura carlos_s...@hotmail.com
To: php-general@lists.php.net php-general@lists.php.net
Date: Tuesday, June 29, 2010, 10:46:14 PM
Subject: [PHP] Login form + User level access
Hello everyone.
I have this question: I'm developing a login system but what I need is to do is
access levels
I mean, in my database I have this users:
Admin
Superusers
sales
purchase
etc
So, What I do basically need is, when a user from sales log in.. I want him to
see just the menu from SALES, He cannot see others menu options, and he can't
get access, I was reading that I can do that with Switch, but really I have
no idea about it... Any help?
Thank you.
Carlos Sura.
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: Re[2]: [PHP] Login form + User level access
Hello Andre,
Thank you so much, Now I really get the idea.
Oh, can I replace that adding inthe table of access_level a field called:
'level_numbers' ?? would it be the same thing??
Carlos Sura.
Date: Tue, 29 Jun 2010 23:08:51 +0300
From: an...@oire.org
To: an...@oire.org
CC: carlos_s...@hotmail.com; php-general@lists.php.net
Subject: Re[2]: [PHP] Login form + User level access
Hello Carlos,
What I forgot to add is the following:
I'd suggest you to put in the integers and not the strings
(1 instead of PURCHASER, 2 instead of SALES etc.). It will
quicken the process.
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Andre Polykanine an...@oire.org
To: Carlos Sura carlos_s...@hotmail.com
Date: Tuesday, June 29, 2010, 11:04:53 PM
Subject: [PHP] Login form + User level access
Hello Carlos,
Something like this (assuming that the field with the type of the user
- admin, sales, etc. - is called `Status`, and the table is called
`Users`):
$f=mysql_fetch_assoc(mysql_query(SELECT `Status`, COUNT(*) AS
`UserExists` FROM `Users` WHERE
`Name`='.$_POST['name'].' AND
`Password`='.md5($_POST['pass']).'));
if ($f['UserExists']0) { // name and password are correct
switch ($f['Status']) {
case 'ADMIN': include adminmenu.php; break;
case 'SALES': include salesmenu.php; break;
// ...
}
} else {
die (You entered either an incorrect login or an
incorrect password.);
}
I assume you store crypted passwords in your
database, and the algorythm is md5 (there are
better solutions, but I used it simply for this
example).
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Carlos Sura carlos_s...@hotmail.com
To: php-general@lists.php.net php-general@lists.php.net
Date: Tuesday, June 29, 2010, 10:46:14 PM
Subject: [PHP] Login form + User level access
Hello everyone.
I have this question: I'm developing a login system but what I need is to do
is access levels
I mean, in my database I have this users:
Admin
Superusers
sales
purchase
etc
So, What I do basically need is, when a user from sales log in.. I want him
to see just the menu from SALES, He cannot see others menu options, and he
can't get access, I was reading that I can do that with Switch, but really
I have no idea about it... Any help?
Thank you.
Carlos Sura.
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
Re[4]: [PHP] Login form + User level access
Hello Carlos,
Yes, it would be the same. You'll have some double info in your DB,
though.
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Carlos Sura carlos_s...@hotmail.com
To: an...@oire.org an...@oire.org
Date: Tuesday, June 29, 2010, 11:13:08 PM
Subject: [PHP] Login form + User level access
Hello Andre,
Thank you so much, Now I really get the idea.
Oh, can I replace that adding inthe table of access_level a field called:
'level_numbers' ?? would it be the same thing??
Carlos Sura.
Date: Tue, 29 Jun 2010 23:08:51 +0300
From: an...@oire.org
To: an...@oire.org
CC: carlos_s...@hotmail.com; php-general@lists.php.net
Subject: Re[2]: [PHP] Login form + User level access
Hello Carlos,
What I forgot to add is the following:
I'd suggest you to put in the integers and not the strings
(1 instead of PURCHASER, 2 instead of SALES etc.). It will
quicken the process.
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Andre Polykanine an...@oire.org
To: Carlos Sura carlos_s...@hotmail.com
Date: Tuesday, June 29, 2010, 11:04:53 PM
Subject: [PHP] Login form + User level access
Hello Carlos,
Something like this (assuming that the field with the type of the user
- admin, sales, etc. - is called `Status`, and the table is called
`Users`):
$f=mysql_fetch_assoc(mysql_query(SELECT `Status`, COUNT(*) AS
`UserExists` FROM `Users` WHERE
`Name`='.$_POST['name'].' AND
`Password`='.md5($_POST['pass']).'));
if ($f['UserExists']0) { // name and password are correct
switch ($f['Status']) {
case 'ADMIN': include adminmenu.php; break;
case 'SALES': include salesmenu.php; break;
// ...
}
} else {
die (You entered either an incorrect login or an
incorrect password.);
}
I assume you store crypted passwords in your
database, and the algorythm is md5 (there are
better solutions, but I used it simply for this
example).
--
With best regards from Ukraine,
Andre
Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule
- Original message -
From: Carlos Sura carlos_s...@hotmail.com
To: php-general@lists.php.net php-general@lists.php.net
Date: Tuesday, June 29, 2010, 10:46:14 PM
Subject: [PHP] Login form + User level access
Hello everyone.
I have this question: I'm developing a login system but what I need is to do
is access levels
I mean, in my database I have this users:
Admin
Superusers
sales
purchase
etc
So, What I do basically need is, when a user from sales log in.. I want him
to see just the menu from SALES, He cannot see others menu options, and he
can't get access, I was reading that I can do that with Switch, but really
I have no idea about it... Any help?
Thank you.
Carlos Sura.
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
_
http://clk.atdmt.com/UKM/go/19780/direct/01/
Do you have a story that started on Hotmail? Tell us now
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
The following script is supposed to validate a username and password in a mysql
db. When entering the username and password of a preregistered user, I get the
following errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/login.php on line 24
Warning: Cannot modify header information - headers already sent by (output
started at /var/www/login.php:24) in /var/www/login.php on line 26
On line 24 is:
if(!mysql_num_rows($login)) //if the username and pass are wrong
--The supplied argument is $login, which is previously defined as:
$login = mysql_query(SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
`pass` = '$pass`);
--which is further defined above it as these values:
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md
So why is the sum of those previous definitions an invalid argument for the
mysql_query() to test for whether the username and md5 password values are
true/equivalent to each other?
Thanks for any help you may be able to provide, below is the full login.php
page.
David
This is the full login.php script, I'm pretty sure no other portions are needed
to show at this point for the current problem:
?php
$act = $_GET['act']; //retrives the page action
if(empty($act)) //if there is no action
{
echo('form action=login.php?act=auth method=post name=loginform
id=loginform
pUsername
input type=text name=user
/p
pPassword
input type=password name=pass
/p
p
input type=submit name=Submit value=Login
/p
/form');
}
elseif($act == auth) //if our page action = auth
{
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md5
include(connect.php); //connects to our mysql database
$login = mysql_query(SELECT * FROM `userinfo` WHERE `user` = '$user' AND
`pass` = '$pass`); //selects info from our table if the row has the same user
and pass that our form does
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
header(Location: login.php); //redirects to our login page
die(); //stops the page from going any further
}
else
{
setcookie(user, $user, time()+3600);//sets our user cookie
setcookie(pass, $pass, time()+3600);//sets our pass cookie
header(Location: memprar.php);//instead of yourpage.php it
would be your protected page
}
}
?
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:
The following script is supposed to validate a username and password in a
mysql db. When entering the username and password of a preregistered user, I
get the following errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/login.php on line 24
Warning: Cannot modify header information - headers already sent by (output
started at /var/www/login.php:24) in /var/www/login.php on line 26
On line 24 is:
if(!mysql_num_rows($login)) //if the username and pass are wrong
--The supplied argument is $login, which is previously defined as:
$login = mysql_query(SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
`pass` = '$pass`);
--which is further defined above it as these values:
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md
So why is the sum of those previous definitions an invalid argument for the
mysql_query() to test for whether the username and md5 password values are
true/equivalent to each other?
Thanks for any help you may be able to provide, below is the full login.php
page.
David
This is the full login.php script, I'm pretty sure no other portions are
needed to show at this point for the current problem:
?php
$act = $_GET['act']; //retrives the page action
if(empty($act)) //if there is no action
{
echo('form action=login.php?act=auth method=post name=loginform
id=loginform
pUsername
input type=text name=user
/p
pPassword
input type=password name=pass
/p
p
input type=submit name=Submit value=Login
/p
/form');
}
elseif($act == auth) //if our page action = auth
{
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md5
include(connect.php); //connects to our mysql database
$login = mysql_query(SELECT * FROM `userinfo` WHERE `user` = '$user' AND
`pass` = '$pass`); //selects info from our table if the row has the same
user and pass that our form does
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
header(Location: login.php); //redirects to our login page
die(); //stops the page from going any further
}
else
{
setcookie(user, $user, time()+3600);//sets our user cookie
setcookie(pass, $pass, time()+3600);//sets our pass cookie
header(Location: memprar.php);//instead of yourpage.php it
would be your protected page
}
}
?
First, please create a new email when sending to the list and don't just
reply to the last one, as those of us with email clients that group by
threads get confused when the subject line appears to change mid-thread!
On to your question, you've got an error with your query, so it will
never work:
SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` =
'$pass`// change that last back tick after $pass!
Lastly; protect your queries! That $user variable is open to injection.
Replacing it with something like $user =
mysql_real_escape_string($_POST['user']); Your $pass is protected (I
believe) because of what you're doing with the hash, but I'm not an
expert in these things, so it could be that this may not be enough.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
--- On Fri, 2/19/10, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
From: Ashley Sheridan a...@ashleysheridan.co.uk
Subject: Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a
valid MySQL result resource
To: David Hutto dwightdhu...@yahoo.com
Cc: php-general@lists.php.net
Date: Friday, February 19, 2010, 5:34 AM
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:
The following script is supposed to validate a username and password in a mysql
db. When entering the username and password of a preregistered user, I get the
following errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/login.php on line 24
Warning: Cannot modify header information - headers already sent by (output
started at /var/www/login.php:24) in /var/www/login.php on line 26
On line 24 is:
if(!mysql_num_rows($login)) //if the username and pass are wrong
--The supplied argument is $login, which is previously defined as:
$login = mysql_query(SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
`pass` = '$pass`);
--which is further defined above it as these values:
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md
So why is the sum of those previous definitions an invalid argument for the
mysql_query() to test for whether the username and md5 password values are
true/equivalent to each other?
Thanks for any help you may be able to provide, below is the full login.php
page.
David
This is the full login.php script, I'm pretty sure no other portions are needed
to show at this point for the current problem:
?php
$act = $_GET['act']; //retrives the page action
if(empty($act)) //if there is no action
{
echo('form action=login.php?act=auth method=post name=loginform
id=loginform
pUsername
input type=text name=user
/p
pPassword
input type=password name=pass
/p
p
input type=submit name=Submit value=Login
/p
/form');
}
elseif($act == auth) //if our page action = auth
{
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md5
include(connect.php); //connects to our mysql database
$login = mysql_query(SELECT * FROM `userinfo` WHERE `user` = '$user' AND
`pass` = '$pass`); //selects info from our table if the row has the same user
and pass that our form does
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
header(Location: login.php); //redirects to our login page
die(); //stops the page from going any further
}
else
{
setcookie(user, $user, time()+3600);//sets our user cookie
setcookie(pass, $pass, time()+3600);//sets our pass cookie
header(Location: memprar.php);//instead of yourpage.php it
would be your protected page
}
}
?
First, please create a new email when sending to the list and don't just reply
to the last one, as those of us with email clients that group by threads get
confused when the subject line appears to change mid-thread!
On to your question, you've got an error with your query, so it will never work:
SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass` //
change that last back tick after $pass!
Lastly; protect your queries! That $user variable is open to injection.
Replacing it with something like $user =
mysql_real_escape_string($_POST['user']); Your $pass is protected (I believe)
because of what you're doing with the hash, but I'm not an expert in these
things, so it could be that this may not be enough.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Apologies for hijacking the thread, I hit reply all in a randomly picked email
and deleted the info/subject line, guess that doesn't work.
Thanks for the advice, it's almost working right, all things considered.
David
[PHP] Login should not allow users to login if the application is logged in with the same login credentials
Hello, I've written a simple application, where users need to login to access the features of the application. I want to develop login system such that, if user is already logged in, the application should not allow the users to login with the same login credentials. How do I accomplish this? Regards, Balu
Re: [PHP] Login should not allow users to login if the application is logged in with the same login credentials
Use Database Online table for user sessions. 2009/8/27 Balasubramanyam A knowledge.wea...@gmail.com: Hello, I've written a simple application, where users need to login to access the features of the application. I want to develop login system such that, if user is already logged in, the application should not allow the users to login with the same login credentials. How do I accomplish this? Regards, Balu -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RES: [PHP] Login should not allow users to login if the application is logged in with the same login credentials
Use a DB session handler or save a time() on the user table every refresh, when loggin verify this time(). Zechim -Mensagem original- De: Balasubramanyam A [mailto:knowledge.wea...@gmail.com] Enviada em: quinta-feira, 27 de agosto de 2009 08:24 Para: php-general@lists.php.net Assunto: [PHP] Login should not allow users to login if the application is logged in with the same login credentials Hello, I've written a simple application, where users need to login to access the features of the application. I want to develop login system such that, if user is already logged in, the application should not allow the users to login with the same login credentials. How do I accomplish this? Regards, Balu -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login should not allow users to login if the application is logged in with the same login credentials
On Aug 27, 2009, at 8:01 AM, hack988 hack988 hack...@dev.htwap.com wrote: Use Database Online table for user sessions. 2009/8/27 Balasubramanyam A knowledge.wea...@gmail.com: Hello, I've written a simple application, where users need to login to access the features of the application. I want to develop login system such that, if user is already logged in, the application should not allow the users to login with the same login credentials. How do I accomplish this? Regards, Balu -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Set a flag in the login table when the user logs in. You will need a process to unset this when a user logs out or if the session times out or the user will not be able to log in again. Bastien Sent from my iPod -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Thu, Oct 9, 2008 at 8:35 AM, Nathan Rixham [EMAIL PROTECTED] wrote:
Jason Pruim wrote:
On Oct 8, 2008, at 5:48 PM, Stut wrote:
On 8 Oct 2008, at 22:32, Ashley Sheridan wrote:
On Wed, 2008-10-08 at 22:15 +0100, Stut wrote:
Obviously, I'm a programmer, so I probably don't fall into the 'normal'
category for advertising ;)
You may think that but I've never come across any statistics that suggest
that programmers or even technical people in general have a lower response
rate to any form of advertising. I'm sure they are differences, but as a
percentage of internet users we're insignificant for most websites these
days, even when it comes to games.
As someone who works in the advertising and marketing field, I can say I
have never seen stats that say programmers click rates are less then Joe
Blow. Advertising and marketing boils down to 2 things.. Offering the right
person the right offer. And doing it at the right time.
Right now you may not be interested in purchasing Bawls [1]. But if you
have a huge project and need to work 20 hours a day for a few weeks... It
might not sound so bad.
[1]http://www.bawls.com/
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
as the owner of a few hundred automated sites covering many niches and a few
programmers sites I know that programmer's don't click them ad's much
*tight fisted bunch of*
--
nathan ( [EMAIL PROTECTED] )
{
Senior Web Developer
php + java + flex + xmpp + xml + ecmascript
web development edinburgh | http://kraya.co.uk/
}
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Especially when we don't see them.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
Jason Pruim wrote:
On Oct 8, 2008, at 5:48 PM, Stut wrote:
On 8 Oct 2008, at 22:32, Ashley Sheridan wrote:
On Wed, 2008-10-08 at 22:15 +0100, Stut wrote:
Obviously, I'm a programmer, so I probably don't fall into the 'normal'
category for advertising ;)
You may think that but I've never come across any statistics that
suggest that programmers or even technical people in general have a
lower response rate to any form of advertising. I'm sure they are
differences, but as a percentage of internet users we're insignificant
for most websites these days, even when it comes to games.
As someone who works in the advertising and marketing field, I can say I
have never seen stats that say programmers click rates are less then Joe
Blow. Advertising and marketing boils down to 2 things.. Offering the
right person the right offer. And doing it at the right time.
Right now you may not be interested in purchasing Bawls [1]. But if you
have a huge project and need to work 20 hours a day for a few weeks...
It might not sound so bad.
[1]http://www.bawls.com/
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
as the owner of a few hundred automated sites covering many niches and a
few programmers sites I know that programmer's don't click them ad's
much *tight fisted bunch of*
--
nathan ( [EMAIL PROTECTED] )
{
Senior Web Developer
php + java + flex + xmpp + xml + ecmascript
web development edinburgh | http://kraya.co.uk/
}
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Login [0T]
-Original Message- From: Ashley Sheridan [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 4:05 PM To: Stut Cc: Wolf; Richard Heyes; php-general@lists.php.net; Bernhard Kohl Subject: Re: [PHP] Login On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? Sorry to threadjack, but I saw this line and had to interject. Yahoo! not only has guidelines, but the YSlow plug-ins are a wonderful method for benchmarking web application speed and efficiency. In addition, suggestions are given to raise a given page's grade in particular areas. Quite helpful, IMHO. Also, the YUI Javascript package is quite comprehensive, and was (somewhat) independently developed by a Yahoo! programmer. That's my 2 cents... just 'cause a company gets it wrong most of the time doesn't mean that there aren't a few shining gems in their bag. :) Todd Boyd Web Programmer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Login
-Original Message- From: Jason Pruim [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2008 6:01 AM To: Stut Cc: [EMAIL PROTECTED]; PHP LIST Subject: Re: [PHP] Login As someone who works in the advertising and marketing field, I can say I have never seen stats that say programmers click rates are less then Joe Blow. Advertising and marketing boils down to 2 things.. Offering the right person the right offer. And doing it at the right time. Right now you may not be interested in purchasing Bawls [1]. But if you have a huge project and need to work 20 hours a day for a few weeks... It might not sound so bad. ...or if you want to induce vomit from a horrible flavor overdose. Guh. I went to Pilgrimage in Salt Lake City, UT a few years back, and they were giving away tons of that stuff. At first, I was psyched--then, I tasted it. None for me, thanks. Red Bull sugar-free or SoBe Adrenaline Rush. Full Throttle (the green kind) if I'm feeling saucy. Todd Boyd Web Programmer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login [0T]
YUI components have had a tendency to: - Not work - Only work in certain browsers - Have sketchy troubleshooting and implementation documentation - Take forever to load - Only load sometimes As well as having to edit the source code to get it to do what you want quite a lot. That's me though: it would probably work for anyone else. :) 2008/10/9 Boyd, Todd M. [EMAIL PROTECTED] -Original Message- From: Ashley Sheridan [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 4:05 PM To: Stut Cc: Wolf; Richard Heyes; php-general@lists.php.net; Bernhard Kohl Subject: Re: [PHP] Login On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? Sorry to threadjack, but I saw this line and had to interject. Yahoo! not only has guidelines, but the YSlow plug-ins are a wonderful method for benchmarking web application speed and efficiency. In addition, suggestions are given to raise a given page's grade in particular areas. Quite helpful, IMHO. Also, the YUI Javascript package is quite comprehensive, and was (somewhat) independently developed by a Yahoo! programmer. That's my 2 cents... just 'cause a company gets it wrong most of the time doesn't mean that there aren't a few shining gems in their bag. :) Todd Boyd Web Programmer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Luke Slater
Re: [PHP] Login
Wolf [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Oct 8, 2008, at 5:48 PM, Stut wrote: On 8 Oct 2008, at 22:32, Ashley Sheridan wrote: On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) You may think that but I've never come across any statistics that suggest that programmers or even technical people in general have a lower response rate to any form of advertising. I'm sure they are differences, but as a percentage of internet users we're insignificant for most websites these days, even when it comes to games. As someone who works in the advertising and marketing field, I can say I have never seen stats that say programmers click rates are less then Joe Blow. Advertising and marketing boils down to 2 things.. Offering the right person the right offer. And doing it at the right time. Right now you may not be interested in purchasing Bawls [1]. But if you have a huge project and need to work 20 hours a day for a few weeks... It might not sound so bad. [1]http://www.bawls.com/ -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 11287 James St Holland, MI 49424 www.raoset.com [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Agreed, funniest thing I've heard all week!
Re: [PHP] Login
I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. Agreed, funniest thing I've heard all week! However if you're wrong, you would have redirected a valid user to ratemypoo.com... Now I'm no business man (as my attempts of starting a company would show...), but I'd imagine it's not the sort of image most companies would want to portray. -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.rgraph.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Thu, 2008-10-09 at 19:02 +0100, Richard Heyes wrote: I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. Agreed, funniest thing I've heard all week! However if you're wrong, you would have redirected a valid user to ratemypoo.com... Now I'm no business man (as my attempts of starting a company would show...), but I'd imagine it's not the sort of image most companies would want to portray. -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.rgraph.org Unless that was the business you were in ;) Ash www.ashleysheridan.co.uk
Re: [PHP] Login
Unless that was the business you were in ;) True enough, but what kind of business would that be...? :-) -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.rgraph.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
Richard Heyes wrote: Unless that was the business you were in ;) True enough, but what kind of business would that be...? :-) Rating poo, of course... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
Shawn McKenzie [EMAIL PROTECTED] wrote: Richard Heyes wrote: Unless that was the business you were in ;) True enough, but what kind of business would that be...? :-) Rating poo, of course... It's a crappy job, but someone's got to do it... ;) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
?php
# I would recommend using the include method. Redirects should always
be second choice, because they are just evil.
# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user md5($_POST['password']) == $password) {
include_once('login_successful.php');
} else {
include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Wed, 2008-10-08 at 11:52 -0700, Bernhard Kohl wrote:
?php
# I would recommend using the include method. Redirects should always
be second choice, because they are just evil.
# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user md5($_POST['password']) == $password) {
include_once('login_successful.php');
} else {
include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
?
Also, generally speaking, it is a good idea to verify a user against
their $_SESSION on every page to verify that they have gone through the
login procedure and not just gone directly to an URL in the site.
Ash
www.ashleysheridan.co.uk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On 8 Oct 2008, at 19:52, Bernhard Kohl wrote:
?php
# I would recommend using the include method. Redirects should always
be second choice, because they are just evil.
In this case I would disagree. On successful login it's normal to
redirect to a useful page rather than just display a page that says
congratulations, you're a real user. In the case of an unsuccessful
login why would you need to include another file? Surely the logic
that follows is part of the login script.
It's all a personal preference tho. I used to think that redirects
should not be used unless absolutely necessary but the reasons people
give are generally religious rather than logical.
# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user md5($_POST['password']) == $password) {
include_once('login_successful.php');
} else {
include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
I see nothing in that code that would be open to code injection.
-Stut
--
http://stut.net/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Wed, 2008-10-08 at 20:02 +0100, Stut wrote:
On 8 Oct 2008, at 19:52, Bernhard Kohl wrote:
?php
# I would recommend using the include method. Redirects should always
be second choice, because they are just evil.
In this case I would disagree. On successful login it's normal to
redirect to a useful page rather than just display a page that says
congratulations, you're a real user. In the case of an unsuccessful
login why would you need to include another file? Surely the logic
that follows is part of the login script.
It's all a personal preference tho. I used to think that redirects
should not be used unless absolutely necessary but the reasons people
give are generally religious rather than logical.
# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user md5($_POST['password']) == $password) {
include_once('login_successful.php');
} else {
include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
I see nothing in that code that would be open to code injection.
-Stut
--
http://stut.net/
I usually include verification on each page, so I'll redirect if they
are not logged in, but process them as normal throughout that script if
they are. I guess like all things PHP, there's 101 ways to do something,
and it's just down to preference and those little details...
Ash
www.ashleysheridan.co.uk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
I would recommend using the include method. Redirects should always be second choice, because they are just evil. In this case I would disagree. On successful login it's normal to redirect to a useful page rather than just display a page that says congratulations, you're a real user. In the case of an unsuccessful login why would you need to include another file? Surely the logic that follows is part of the login script. Agreed. Flow could be described as this: Not logged in -- Login page -- Logged in Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.phpguru.org/RGraph -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
!-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occassion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occassion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Yeah, I hate it when companies try to make a profit. Don't they know everything on the Internet is supposed to be free?!?!?!? Find your stuff elsewhere by all means, but don't slate sites for using advertising to pay for your FREE usage of their service. -Stut PS. For those sarcasm-detector-challenged out there the first paragraph was full of sarcasm. -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occassion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Yeah, I hate it when companies try to make a profit. Don't they know everything on the Internet is supposed to be free?!?!?!? Find your stuff elsewhere by all means, but don't slate sites for using advertising to pay for your FREE usage of their service. -Stut PS. For those sarcasm-detector-challenged out there the first paragraph was full of sarcasm. I'm not against advertising, just this kind. It makes you sit through a 30 second long advert before you get to the sweet stuff. Now, I don't have a bandwidth limit, but what about those users who do? Inline adverts are better, and Google has them worked to a tee. If the model doesn't work for the big companies then, it's time to find a new model, but I think one in which the visitors to a site are treated like TV viewers is not the way to go. Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On 8 Oct 2008, at 22:05, Ashley Sheridan wrote: On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occassion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Yeah, I hate it when companies try to make a profit. Don't they know everything on the Internet is supposed to be free?!?!?!? Find your stuff elsewhere by all means, but don't slate sites for using advertising to pay for your FREE usage of their service. -Stut PS. For those sarcasm-detector-challenged out there the first paragraph was full of sarcasm. I'm not against advertising, just this kind. It makes you sit through a 30 second long advert before you get to the sweet stuff. Now, I don't have a bandwidth limit, but what about those users who do? Inline adverts are better, and Google has them worked to a tee. If the model doesn't work for the big companies then, it's time to find a new model, but I think one in which the visitors to a site are treated like TV viewers is not the way to go. I don't disagree that it's not the best model, but it is the best paying. Why? For precisely the reason you've stated - it interrupts what you're doing and forces you to pay attention to it. The reason game and download sites use them is because they pay enough to cover your usage of their site, whereas I'd bet standard banners would not. To make a reasonable amount of money from Google adwords you need a fairly sizable amount of traffic, and even then you won't pay for the scenario where every user downloads files 100's of meg in size. If you don't like it and you think it can be done less intrusively I urge you to go ahead and build a competitor. But don't expect to break even anytime soon. In the meantime if it really bothers you that much I would recommend finding a site that lets you pay a monthly fee for ad-free access. -Stut -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: I don't disagree that it's not the best model, but it is the best paying I have to disagree. Each and every time I've come across this, I've gone elsewhere. The model doesn't work as far as I can tell. I think the problem is the people who create the schemes aren't really aware of what the Internet can do; something similar to that guy in marketing asking why it's not possible to duplicate his A4 page, exactly as he set it out, as a web page. I don't have a better model, but something like that that's used on Experts Exchange doesn't go too badly with me. Targeted ads that don't get in my way. I'm more inclined to look at something that isn't shoved in my face. Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On 8 Oct 2008, at 22:32, Ashley Sheridan wrote: On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: I don't disagree that it's not the best model, but it is the best paying I have to disagree. Each and every time I've come across this, I've gone elsewhere. The model doesn't work as far as I can tell. It's not the best model but I can assure you it *does* work otherwise advertisers would not pay the rates such campaigns demand. I think the problem is the people who create the schemes aren't really aware of what the Internet can do; something similar to that guy in marketing asking why it's not possible to duplicate his A4 page, exactly as he set it out, as a web page. I don't have a better model, but something like that that's used on Experts Exchange doesn't go too badly with me. Targeted ads that don't get in my way. I'm more inclined to look at something that isn't shoved in my face. Like I said, I don't disagree, but you have to accept that ads that interrupt the user pay the best so for sites that are expensive to run, like download sites, they're economically sound. I find it interesting that you feel you have the right to criticise the people who create the schemes for not knowing any better, but you with all your knowledge of what the internet can do admit that you can't come up with a better model. Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) You may think that but I've never come across any statistics that suggest that programmers or even technical people in general have a lower response rate to any form of advertising. I'm sure they are differences, but as a percentage of internet users we're insignificant for most websites these days, even when it comes to games. -Stut -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Login
I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
What do you mean by open? You can redirect to a new page: http://us.php.net/header or You can include a file: http://us.php.net/include/ Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com Terry J Daichendt wrote: I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
You can just use a header redirect. For example: if you are at
login.php and the user is authorized, you could use if($auth === true)
{ header(Location: authed_page.php);
} else { header(Location: denied.php); }
On Oct 7, 2008, at 5:44 PM, Terry J Daichendt
[EMAIL PROTECTED] wrote:
I want to open a page if a login is correct and another if not. What
is the function to open a page in PHP? Can you show me a simple
example of the syntax?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
There is no such function! You have to write the code. On Wed, Oct 8, 2008 at 6:14 AM, Terry J Daichendt [EMAIL PROTECTED]wrote: I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Nilesh Govindrajan ([EMAIL PROTECTED]) iTech7 Site and Server Administrator www.itech7.com
Re: [PHP] Login
On Wednesday 08 October 2008 06:14:33 am Terry J Daichendt wrote:
I want to open a page if a login is correct and another if not. What is the
function to open a page in PHP? Can you show me a simple example of the
syntax?
There is no such function. You have many options like redirecting a user-
header('Location: newfile.php');
showing another file-
include('newfile.php');
or using fopen to open a HTML file and print it (this one is very rarely
used!).
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Login without cookies enabled help
Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley
Re: [PHP] Login without cookies enabled help
Quoting Shelley [EMAIL PROTECTED]: Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley You can use sessions to store data on the server instead of the client. http://nl2.php.net/manual/en/ref.session.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login without cookies enabled help
[quote] On Tue , Thijs Lensselink [EMAIL PROTECTED] sent: Quoting Shelley [EMAIL PROTECTED]: Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley You can use sessions to store data on the server instead of the client. http://nl2.php.net/manual/en/ref.session.php [/quote] Just be careful as sessions default to using cookies. Otherwise, pass the session id with the query string of links!! Alex -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login without cookies enabled help
Well, as I said the cookies are disabled at the clients. Anybody any opinions? On Tue, Jul 15, 2008 at 7:23 PM, Thijs Lensselink [EMAIL PROTECTED] wrote: Quoting Shelley [EMAIL PROTECTED]: Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley You can use sessions to store data on the server instead of the client. http://nl2.php.net/manual/en/ref.session.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Regards, Shelley
Re: [PHP] Login without cookies enabled help
On Tue, Jul 15, 2008 at 10:15 AM, Shelley [EMAIL PROTECTED] wrote: Well, as I said the cookies are disabled at the clients. Anybody any opinions? Yes, again, STFW before posting here. Google PHPSESSID. -- /Daniel P. Brown Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just $59.99/mo. with no contract! Dedicated servers, VPS, and hosting from $2.50/mo. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login without cookies enabled help
Yes, again, STFW before posting here. Google PHPSESSID. Call to undefined function Google(); -- /Daniel P. Brown :) -- Thiago Henrique Pojda
Re: [PHP] Semi-OT: PHP Login with client security
Wolf wrote: IMHO, you should be testing this long before taking it to the customer and having another failure to show off. Personally, 2 failures is good reason NOT to purchase someone's services... Wolf Yes, I'm well aware of this - the point which you've continually failed to realize is that this code works on a large variety of servers (shared hosting, VPS, and managed), browsers, and internal network setups for the other 20+ clients I deal with regularly. The problem is specific to a single clients internal setup. In the future, kindly refrain from hitting the reply button if you simply don't have an answer beyond the standard your code is bad response. Tim
RE: [PHP] Semi-OT: PHP Login with client security
IMHO, you should be testing this long before taking it to the customer and
having another failure to show off.
Personally, 2 failures is good reason NOT to purchase someone's services...
Wolf
-Original Message-
From: Tim Thorburn [EMAIL PROTECTED]
Sent: Monday, May 19, 2008 3:20 PM
To: php-general@lists.php.net
Subject: Re: [PHP] Semi-OT: PHP Login with client security
robert wrote:
On May 18, 2008, at 10:14 PM, Tim Thorburn wrote:
Hi all,
Having a slight problem with a demo I gave at a clients last week -
looking for a little advise. Part of my demo involved a password
protected area - the simplified process is: client enters password on
login page if login/password match encrypted database, PHP session
is created, form forwards to a secured area secured area checks to
make sure PHP session is valid if valid display content, if not,
return to login screen.
This procedure is what I've used for many years, tested on a variety
of servers and connections. It works. During the demo with my
client, I was able to enter login/password info, the PHP session was
created - however the screen would not forward to the secured area.
Instead I was pretended with a blank screen (client only has an
outdated/non-updated version of IE6). If I were to type in the URL
to the secured area, it would display content properly. As a test, I
logged out, closed my browser and started again, this time entering
an incorrect login/password - again it would not forward to the next
screen properly, however this time when I typed in the full URL, it
would not display as the session hadn't been created.
I've spoken briefly with my clients IT person, however he's unwilling
to share any firewall information or really anything regarding their
security setup - which I understand as I'm not an employee and just a
contractor.
So, after long winded description - does anyone with network security
experience have any idea either a) what I would need to ask the IT
person to allow for their site only, or b) have any suggestions for
alternate password authentication that may work given the above
conditions?
TIA
-Tim
try to use a full url instead of relative. e.g.
header('location: thankyou.php');
vs.
header('location: http://www.mysite.com/thankyou.php');
or use $_SERVER['DOCUMENT_ROOT'] for portability.
i think this is some weirdness on IE6. this worked for me.
I'll try $_SERVER['DOCUMENT_ROOT'] during my next demonstration which
should be sometime next week. Odd that this issue has never come up
before O.o
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
On Mon, May 19, 2008 at 4:03 PM, Richard Heyes [EMAIL PROTECTED] wrote: Since when has that mattered? :-) :-) to you too. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
At 9:32 PM +0200 5/19/08, Per Jessen wrote: Wolf wrote: and IE has always been more stringent in-so-far as displaying things that match up to THEIR standards instead of industry or fly-by-your-seat coding (accidentally leaving off a closing tag) then Mozilla and Firefox have historically been. Microsoft has never published THEIR standards, so how do you determine how stringent IE is in adherering to them? Apparently their standards change from one IE to another because none of them adhere to their own standards. It seems like a contradiction of terms when talking about M$ with respect to standards. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
On Mon, May 19, 2008 at 1:14 AM, Tim Thorburn [EMAIL PROTECTED] wrote: Hi all, Having a slight problem with a demo I gave at a clients last week - looking for a little advise. Part of my demo involved a password protected area - the simplified process is: client enters password on login page if login/password match encrypted database, PHP session is created, form forwards to a secured area secured area checks to make sure PHP session is valid if valid display content, if not, return to login screen. This procedure is what I've used for many years, tested on a variety of servers and connections. It works. During the demo with my client, I was able to enter login/password info, the PHP session was created - however the screen would not forward to the secured area. Instead I was pretended with a blank screen (client only has an outdated/non-updated version of IE6). If I were to type in the URL to the secured area, it would display content properly. As a test, I logged out, closed my browser and started again, this time entering an incorrect login/password - again it would not forward to the next screen properly, however this time when I typed in the full URL, it would not display as the session hadn't been created. I've spoken briefly with my clients IT person, however he's unwilling to share any firewall information or really anything regarding their security setup - which I understand as I'm not an employee and just a contractor. So, after long winded description - does anyone with network security experience have any idea either a) what I would need to ask the IT person to allow for their site only, or b) have any suggestions for alternate password authentication that may work given the above conditions? TIA -Tim You could check your access logs when that client is logging in to see exactly what the browser is requesting. That might give you a hint as to what is going on. Also you might check the error log for any fatal errors if you're just getting a white screen. Perhaps this IE configuration is somehow triggering a piece of code that no others have been able to before. Are you using header redirects? Perhaps you might change your logic to be something like: header(Location: ...); a href=...Click here to go since your browser ignored the header/a Just some thoughts, good luck! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Tim Thorburn [EMAIL PROTECTED] wrote: Hi all, Having a slight problem with a demo I gave at a clients last week - looking for a little advise. Part of my demo involved a password protected area - the simplified process is: client enters password on login page if login/password match encrypted database, PHP session is created, form forwards to a secured area secured area checks to make sure PHP session is valid if valid display content, if not, return to login screen. This procedure is what I've used for many years, tested on a variety of servers and connections. It works. During the demo with my client, I was able to enter login/password info, the PHP session was created - however the screen would not forward to the secured area. Instead I was pretended with a blank screen (client only has an outdated/non-updated version of IE6). If I were to type in the URL to the secured area, it would display content properly. As a test, I logged out, closed my browser and started again, this time entering an incorrect login/password - again it would not forward to the next screen properly, however this time when I typed in the full URL, it would not display as the session hadn't been created. I've spoken briefly with my clients IT person, however he's unwilling to share any firewall information or really anything regarding their security setup - which I understand as I'm not an employee and just a contractor. So, after long winded description - does anyone with network security experience have any idea either a) what I would need to ask the IT person to allow for their site only, or b) have any suggestions for alternate password authentication that may work given the above conditions? TIA -Tim It sounds like your code is hokey, since IE is more stringent then other browsers, the code looks to be at fault. What browsers did you test this with before taking it to the client? Firewalls shouldn't be any type of issue at all in this case, unless your browser is trying to redirect to another port, in which case, that should be something that the firewall won't affect internally anyways. So all roads point back to code failure. Wolf -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
[snip] It sounds like your code is hokey, since IE is more stringent then other browsers, the code looks to be at fault. What browsers did you test this with before taking it to the client? Firewalls shouldn't be any type of issue at all in this case, unless your browser is trying to redirect to another port, in which case, that should be something that the firewall won't affect internally anyways. So all roads point back to code failure. Wolf [/snip] Windows more stringent?? bahahahahhahaha But it does sound like a code failure, with error reporting turned off. While this is appropriate for a production machine, it can play havoc with the debugging if something is not set quite right. -- Bastien Cat, the other other white meat
Re: [PHP] Semi-OT: PHP Login with client security
At 8:44 AM -0400 5/19/08, Wolf wrote: It sounds like your code is hokey, since IE is more stringent then other browsers, the code looks to be at fault. The term stringent isn't what comes to mind when I think about IE's. Tim: Did other browsers work? Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Wolf wrote: ... since IE is more stringent then other browsers ... You are either using a very unusual IE or you are on another planet. /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Tim Thorburn [EMAIL PROTECTED] wrote: Hi all, Having a slight problem with a demo I gave at a clients last week - looking for a little advise. Part of my demo involved a password protected area - the simplified process is: client enters password on login page if login/password match encrypted database, PHP session is created, form forwards to a secured area secured area checks to make sure PHP session is valid if valid display content, if not, return to login screen. This procedure is what I've used for many years, tested on a variety of servers and connections. It works. During the demo with my client, I was able to enter login/password info, the PHP session was created - however the screen would not forward to the secured area. What kind of forwarding are you using? An http redirect should work fine, regardless of which browser you're using. When you say secured, do you mean an https connection? If not, you're using port 80 only which should not give you any problems. So, after long winded description - does anyone with network security experience have any idea either a) what I would need to ask the IT person to allow for their site only, or b) have any suggestions for alternate password authentication that may work given the above conditions? Maybe check if they'e using any web content filtering? /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
On May 18, 2008, at 10:14 PM, Tim Thorburn wrote:
Hi all,
Having a slight problem with a demo I gave at a clients last week -
looking for a little advise. Part of my demo involved a password
protected area - the simplified process is: client enters password
on login page if login/password match encrypted database, PHP
session is created, form forwards to a secured area secured area
checks to make sure PHP session is valid if valid display content,
if not, return to login screen.
This procedure is what I've used for many years, tested on a variety
of servers and connections. It works. During the demo with my
client, I was able to enter login/password info, the PHP session was
created - however the screen would not forward to the secured area.
Instead I was pretended with a blank screen (client only has an
outdated/non-updated version of IE6). If I were to type in the URL
to the secured area, it would display content properly. As a test,
I logged out, closed my browser and started again, this time
entering an incorrect login/password - again it would not forward to
the next screen properly, however this time when I typed in the full
URL, it would not display as the session hadn't been created.
I've spoken briefly with my clients IT person, however he's
unwilling to share any firewall information or really anything
regarding their security setup - which I understand as I'm not an
employee and just a contractor.
So, after long winded description - does anyone with network
security experience have any idea either a) what I would need to ask
the IT person to allow for their site only, or b) have any
suggestions for alternate password authentication that may work
given the above conditions?
TIA
-Tim
try to use a full url instead of relative. e.g.
header('location: thankyou.php');
vs.
header('location: http://www.mysite.com/thankyou.php');
or use $_SERVER['DOCUMENT_ROOT'] for portability.
i think this is some weirdness on IE6. this worked for me.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
robert wrote:
try to use a full url instead of relative. e.g.
header('location: thankyou.php');
vs.
header('location: http://www.mysite.com/thankyou.php');
You should _always_ use an absolute URL in a redirect. I know it quite
often works with a relative too.
/Per Jessen, Zürich
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
You should _always_ use an absolute URL in a redirect. I know it quite often works with a relative too. Why? -- Richard Heyes Employ me http://www.phpguru.org/cv ++ | Access SSH with a Windows mapped drive | |http://www.phpguru.org/sftpdrive| ++ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
On Mon, May 19, 2008 at 12:52 PM, Richard Heyes [EMAIL PROTECTED] wrote: You should _always_ use an absolute URL in a redirect. I know it quite often works with a relative too. Why? -- Richard Heyes Employ me http://www.phpguru.org/cv ++ | Access SSH with a Windows mapped drive | |http://www.phpguru.org/sftpdrive| ++ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Because it is RFC. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Per Jessen [EMAIL PROTECTED] wrote: Wolf wrote: ... since IE is more stringent then other browsers ... You are either using a very unusual IE or you are on another planet. Nope IE and Opera both wait for full page before displaying (while firefox displays as output) and IE has always been more stringent in-so-far as displaying things that match up to THEIR standards instead of industry or fly-by-your-seat coding (accidentally leaving off a closing tag) then Mozilla and Firefox have historically been. Hence more stringent... Though really MicroShaft thinks everyone should be coding to THEIR standards and not the world. *shrug* -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Wolf wrote: Tim Thorburn [EMAIL PROTECTED] wrote: Hi all, Having a slight problem with a demo I gave at a clients last week - looking for a little advise. Part of my demo involved a password protected area - the simplified process is: client enters password on login page if login/password match encrypted database, PHP session is created, form forwards to a secured area secured area checks to make sure PHP session is valid if valid display content, if not, return to login screen. This procedure is what I've used for many years, tested on a variety of servers and connections. It works. During the demo with my client, I was able to enter login/password info, the PHP session was created - however the screen would not forward to the secured area. Instead I was pretended with a blank screen (client only has an outdated/non-updated version of IE6). If I were to type in the URL to the secured area, it would display content properly. As a test, I logged out, closed my browser and started again, this time entering an incorrect login/password - again it would not forward to the next screen properly, however this time when I typed in the full URL, it would not display as the session hadn't been created. I've spoken briefly with my clients IT person, however he's unwilling to share any firewall information or really anything regarding their security setup - which I understand as I'm not an employee and just a contractor. So, after long winded description - does anyone with network security experience have any idea either a) what I would need to ask the IT person to allow for their site only, or b) have any suggestions for alternate password authentication that may work given the above conditions? TIA -Tim It sounds like your code is hokey, since IE is more stringent then other browsers, the code looks to be at fault. What browsers did you test this with before taking it to the client? Firewalls shouldn't be any type of issue at all in this case, unless your browser is trying to redirect to another port, in which case, that should be something that the firewall won't affect internally anyways. So all roads point back to code failure. Wolf The code has been tested on Win2k, XP, Vista, Linux and OSX - IE5.x, IE6.x, IE7, Netscape 9, Firefox 2, Firefox 5 beta 5, and Safari. Works on a variety of connections and locations outside of the clients office - does not work inside the clients office.
Re: [PHP] Semi-OT: PHP Login with client security
robert wrote:
On May 18, 2008, at 10:14 PM, Tim Thorburn wrote:
Hi all,
Having a slight problem with a demo I gave at a clients last week -
looking for a little advise. Part of my demo involved a password
protected area - the simplified process is: client enters password on
login page if login/password match encrypted database, PHP session
is created, form forwards to a secured area secured area checks to
make sure PHP session is valid if valid display content, if not,
return to login screen.
This procedure is what I've used for many years, tested on a variety
of servers and connections. It works. During the demo with my
client, I was able to enter login/password info, the PHP session was
created - however the screen would not forward to the secured area.
Instead I was pretended with a blank screen (client only has an
outdated/non-updated version of IE6). If I were to type in the URL
to the secured area, it would display content properly. As a test, I
logged out, closed my browser and started again, this time entering
an incorrect login/password - again it would not forward to the next
screen properly, however this time when I typed in the full URL, it
would not display as the session hadn't been created.
I've spoken briefly with my clients IT person, however he's unwilling
to share any firewall information or really anything regarding their
security setup - which I understand as I'm not an employee and just a
contractor.
So, after long winded description - does anyone with network security
experience have any idea either a) what I would need to ask the IT
person to allow for their site only, or b) have any suggestions for
alternate password authentication that may work given the above
conditions?
TIA
-Tim
try to use a full url instead of relative. e.g.
header('location: thankyou.php');
vs.
header('location: http://www.mysite.com/thankyou.php');
or use $_SERVER['DOCUMENT_ROOT'] for portability.
i think this is some weirdness on IE6. this worked for me.
I'll try $_SERVER['DOCUMENT_ROOT'] during my next demonstration which
should be sometime next week. Odd that this issue has never come up
before O.o
Re: [PHP] Semi-OT: PHP Login with client security
On 5/19/08, Tim Thorburn [EMAIL PROTECTED] wrote: Wolf wrote: Tim Thorburn [EMAIL PROTECTED] wrote: Hi all, Having a slight problem with a demo I gave at a clients last week - looking for a little advise. Part of my demo involved a password protected area - the simplified process is: client enters password on login page if login/password match encrypted database, PHP session is created, form forwards to a secured area secured area checks to make sure PHP session is valid if valid display content, if not, return to login screen. This procedure is what I've used for many years, tested on a variety of servers and connections. It works. During the demo with my client, I was able to enter login/password info, the PHP session was created - however the screen would not forward to the secured area. Instead I was pretended with a blank screen (client only has an outdated/non-updated version of IE6). If I were to type in the URL to the secured area, it would display content properly. As a test, I logged out, closed my browser and started again, this time entering an incorrect login/password - again it would not forward to the next screen properly, however this time when I typed in the full URL, it would not display as the session hadn't been created. I've spoken briefly with my clients IT person, however he's unwilling to share any firewall information or really anything regarding their security setup - which I understand as I'm not an employee and just a contractor. So, after long winded description - does anyone with network security experience have any idea either a) what I would need to ask the IT person to allow for their site only, or b) have any suggestions for alternate password authentication that may work given the above conditions? TIA -Tim It sounds like your code is hokey, since IE is more stringent then other browsers, the code looks to be at fault. What browsers did you test this with before taking it to the client? Firewalls shouldn't be any type of issue at all in this case, unless your browser is trying to redirect to another port, in which case, that should be something that the firewall won't affect internally anyways. So all roads point back to code failure. Wolf The code has been tested on Win2k, XP, Vista, Linux and OSX - IE5.x, IE6.x, IE7, Netscape 9, Firefox 2, Firefox 5 beta 5, and Safari. Works on a variety of connections and locations outside of the clients office - does not work inside the clients office. Someone suggested looking at the error logs. That still seems like a good idea. David -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Wolf wrote: Per Jessen [EMAIL PROTECTED] wrote: Wolf wrote: ... since IE is more stringent then other browsers ... You are either using a very unusual IE or you are on another planet. Nope IE and Opera both wait for full page before displaying (while firefox displays as output) I'm not sure what that's got to do with being stringent? I take it you meant stringent as in the interpretation of standards. and IE has always been more stringent in-so-far as displaying things that match up to THEIR standards instead of industry or fly-by-your-seat coding (accidentally leaving off a closing tag) then Mozilla and Firefox have historically been. Microsoft has never published THEIR standards, so how do you determine how stringent IE is in adherering to them? /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Semi-OT: PHP Login with client security
Because it is RFC. Since when has that mattered? :-) -- Richard Heyes Employ me http://www.phpguru.org/cv ++ | Access SSH with a Windows mapped drive | |http://www.phpguru.org/sftpdrive| ++ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
