[PHP] User Authentication across multiple server
Hey, I've got 2 servers, both having the same authentication scripts and using the same database. My problems are:

1. User logs in on server1, tries to use a part of the site which is physically located on server2, and has to log in again on server2.
2. There is a wiki on server2, which also depends on the same user database table. Is there a way to log in the user automatically to that wiki?

The only method which possibly could work and came to my mind was somehow using $_GET parameters for username and password (encrypted).

Thoughts?

-eddy
Re: [PHP] User Authentication across multiple server
On Fri, 2009-03-06 at 10:09 +0100, Edmund Hertle wrote:
> The only method which possibly could work and came to my mind was somehow using $_GET parameters for username and password (encrypted).

Set a cookie and crypt that (RC4 works well) and then check for the cookie on both sites. Kind of like a "Remember me" type deal.

-- Paul

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User Authentication across multiple server
On Fri, Mar 6, 2009 at 5:14 PM, Paul Scott psc...@uwc.ac.za wrote:
> On Fri, 2009-03-06 at 10:09 +0100, Edmund Hertle wrote:
>> The only method which possibly could work and came to my mind was somehow using $_GET parameters for username and password (encrypted).
>
> Set a cookie and crypt that (RC4 works well) and then check for the cookie on both sites. Kind of like a "Remember me" type deal.
>
> -- Paul

I believe you can do this with a database to handle sessions; I haven't used that myself though.

-- http://www.lampadmins.com
Re: [PHP] User Authentication across multiple server
Edmund Hertle wrote:
> Hey, I've got 2 servers, both having the same authentication scripts and using the same database. My problems are:
>
> 1. User logs in on server1, tries to use a part of the site which is physically located on server2, and has to log in again on server2.
> 2. There is a wiki on server2, which also depends on the same user database table. Is there a way to log in the user automatically to that wiki?
>
> The only method which possibly could work and came to my mind was somehow using $_GET parameters for username and password (encrypted).
>
> Thoughts?
>
> -eddy

Do you use the database for your session management? If you do, since both servers talk to the same database, it should be easy.

    ini_set('session.cookie_domain', '.yourdomain.org');

Any server on your domain will be able to read the session cookie, and if your sessions are database driven, authenticate the session ID.
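The database-driven session setup the reply above describes, written out as an added example (this is not code from the thread or from any of its posters). It assumes PHP 8 with PDO, a shared table named php_sessions, the host names server1.example.org / server2.example.org under a parent domain example.org, and placeholder DSN credentials; all of those are assumptions. Both servers run the same bootstrap, so a session created on one is readable on the other.

```php
<?php
// Added example: one session store in the shared MySQL database, used by both servers.
// Assumed table (create it once on the shared database):
//   CREATE TABLE php_sessions (
//     id      VARCHAR(128) NOT NULL PRIMARY KEY,
//     data    BLOB         NOT NULL,
//     expires INT UNSIGNED NOT NULL,
//     KEY (expires)
//   );

class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime;

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Only hand back data for a session that has not expired on the server side.
        $stmt = $this->db->prepare('SELECT data FROM php_sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        // Every request pushes the expiry forward, so an idle session eventually dies.
        $stmt = $this->db->prepare('REPLACE INTO php_sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM php_sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM php_sessions WHERE expires < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Identical bootstrap on server1 and server2 (DSN and credentials are placeholders).
$db = new PDO('mysql:host=db.example.org;dbname=site;charset=utf8mb4', 'site', 'secret',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$lifetime = 1800;                                  // 30 minutes of inactivity ends the session
ini_set('session.gc_maxlifetime', (string) $lifetime);
session_set_save_handler(new DbSessionHandler($db, $lifetime), true);

// The cookie has to be scoped to the parent domain so that both hosts receive it;
// this is the array form of the ini_set('session.cookie_domain', ...) call above.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '.example.org',
    'secure'   => true,    // the session ID only travels over HTTPS
    'httponly' => true,    // not readable from page scripts
    'samesite' => 'Lax',
]);
session_name('SITESESSID');                        // same cookie name on both servers
session_start();
```

The wiki on server2 can join the same scheme by calling this bootstrap and reading the user's id from $_SESSION; nothing secret needs to travel in the URL. The server-side expiry in the table is what makes a logout or timeout effective on both hosts at once, since the cookie alone proves nothing once its row is gone.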
[PHP] user authentication
Hi,

I'm sure that it's a stupid question but I would like to have your feedback on it.

I have MySQL with 2 users in the mysql database, which are root and uimmense. I suppose that what I see in the password field is the SHA1-encrypted password. Is it correct or not? But let's continue...

In fact, my web application should use a database named immense. In this database, there is a table named profiles. In this table, the login uimmense and its MD5 password are stored.

The problem is: when I use

    mysql_connect('localhost', 'uimmense', myMD5password);

to connect to the MySQL database system, the connection is refused because the MD5 password does not correspond to what is saved in the users table within the mysql database... :-(

Here is my question: should all my users registered in my immense database also be registered as users of the MySQL database system (which is stored in the users table, in the mysql database)? Is it clear?

I do not see it as really realistic if every time a new user is registered to my application, I have to create him a profile for the MySQL database.

Thanks a lot,
Alain
RE: [PHP] user authentication
> I do not see it as really realistic if every time a new user is registered to my application, I have to create him a profile for the MySQL database.

Is there a reason you need to have each user log in to MySQL individually? Most often a single login is used for the script to log into the database, and all the user authentication is handled at the PHP level.

JM
RE: [PHP] user authentication
[snip]
Here is my question: should all my users registered in my immense database also be registered as users of the MySQL database system (which is stored in the users table, in the mysql database)? Is it clear?

I do not see it as really realistic if every time a new user is registered to my application, I have to create him a profile for the MySQL database.
[/snip]

This is more suitable as a MySQL question. Having said that; if you wish the user to have permissions on the MySQL database then you must grant them permissions, at which time they are added to the MySQL user's database. Once they are added you must then flush the privileges so that their permissions take effect. You can do this during registration by executing these queries if the PHP user has permissions to perform grants on the database. In all likelihood the PHP user (the user which the script runs as) does not have permission to perform grants.

http://www.mysql.com/grant
http://www.mysql.com/flush
Fwd: [PHP] user authentication
In fact no. I can have one MySQL database system profile, uimmense, to connect to the database, and after that, via a PHP script, check if my user is registered in MY database immense (checking profile and password). If it's OK, the query or stored procedure can be executed; if not, the connection to the DB is closed.

I was thinking of doing such a solution but I'm not so sure about the security level :-(

Alain

On 4/11/06, Jay Blanchard [EMAIL PROTECTED] wrote:
> This is more suitable as a MySQL question. Having said that; if you wish the user to have permissions on the MySQL database then you must grant them permissions, at which time they are added to the MySQL user's database. Once they are added you must then flush the privileges so that their permissions take effect. You can do this during registration by executing these queries if the PHP user has permissions to perform grants on the database. In all likelihood the PHP user (the user which the script runs as) does not have permission to perform grants.
>
> http://www.mysql.com/grant
> http://www.mysql.com/flush
Re: [PHP] user authentication
On Tue, April 11, 2006 10:31 am, Alain Roger wrote:
> I have MySQL with 2 users in the mysql database, which are root and uimmense. I suppose that what I see in the password field is the SHA1-encrypted password. Is it correct or not?

It could be SHA1, or it could be something else... It *IS* the output from the MySQL password() function, which changed its internals from version to version, and which you should avoid using for that reason.

> But let's continue... In fact, my web application should use a database named immense. In this database, there is a table named profiles. In this table, the login uimmense and its MD5 password are stored.

Let's be clear, here. Did you store:

    password

Or did you store:

    5f4dcc3b5aa765d61d8327deb882cf99

(I.E., md5('password'))

You should probably NOT be storing the plain-text version in your database, unless you are looking at a super-low security needs application.

> The problem is: when I use mysql_connect('localhost','uimmense',myMD5password); to connect to the MySQL database system, the connection is refused because the MD5 password does not correspond to what is saved in the users table within the mysql database... :-(

If you are sending in: 5f4dcc3b5aa765d61d8327deb882cf99 as the password, that is not gonna work...

Here's what MySQL does (more or less):

    $query = "SELECT pass FROM mysql.user WHERE user = '$user' AND host = '$host'";
    $result = mysql_query($query) or die(mysql_error());
    $row = mysql_fetch_row($result);
    $valid_md5 = $row[0];            // the stored one-way hash, never the password itself
    if (md5($pass) === $valid_md5) {
        // valid user
    } else {
        // invalid user
    }

The whole POINT of this process is that if somebody breaks into your MySQL database somehow, and they've got: 5f4dcc3b5aa765d61d8327deb882cf99 they can't USE that because they don't know the original password.

So MySQL isn't looking for you to send: 5f4dcc3b5aa765d61d8327deb882cf99

You have to send the password whose md5() hash is 5f4dcc3b5aa765d61d8327deb882cf99 (Which happens to be 'password' in this case).

This same technique of storing ONLY a one-way encrypted value, so that the data itself is useless for logging in, is used all over the place in the computer industry.

> Here is my question: should all my users registered in my immense database also be registered as users of the MySQL database system (which is stored in the users table, in the mysql database)?

Probably not.

You've got TWO levels / meanings of users here:

MySQL 'user' which executes queries on behalf of your PHP scripts.

Your PHP application / website has 'users' which are allowed to do specific things within your PHP application -- based on whatever logic / rules YOU want to impose.

Now, sometimes, there will be a correlation between these two sets of users.

For example, you might set up TWO MySQL users: 'admin' 'uimmense'

And your web application might have two different classes of users: 'visitor' 'admin'

And then, in the PHP code, in the '/admin/admin.php' scripts, you'd use the 'admin' MySQL user, which has insert/update/delete permissions. But your homepage and other pages for normal visitors would use the 'visitor' user to connect, and they have only SELECT privileges.

Of course, there are some wrinkles here: Maybe the 'visitor' needs INSERT access to a 'guestbook' table so they can add comments. Or maybe the 'visitor' needs INSERT/UPDATE/DELETE on a 'session' table so you can store PHP session data in MySQL. Still, those would be exceptions to the general rule that 'visitor' only does SELECT on most tables.

> Is it clear? I do not see it as really realistic if every time a new user is registered to my application, I have to create him a profile for the MySQL database.

There might be specific applications where this would be true, like a webhost Control Panel -- though that also probably would have an even more complex MySQL-user/Site-user relationship.

But, no, in general, you should not be adding a new user into the mysql.user table for each registered user of a web application.

You DO need to sit down and work out what classes of user you need, and what level of complexity you want to work with.

*MANY* simple sites just have one user to connect to MySQL with SELECT/INSERT/UPDATE/DELETE privileges and that's it on the MySQL side. On the web application side, you'd have one or two classes of user: 'visitor' and 'admin', and only your PHP logic and authentication keeps 'admin' usage safe from all 'visitors'.

This is, admittedly, not quite as good a defense in depth as where you have 'visitor' and 'admin' users in MySQL, but on most shared hosts, you don't really have any other options. So you test the PHP authentication very heavily, and make SURE the passwords for 'admin' users are good passwords, and build in a bit of extra protection / defense in depth into the admin authentication logic.

Security is not binary. It's a gradient. You have to really think hard about it, all day, every day, if you want anything more than token appearances of security.

-- Like Music? http://l-i-e.com/artists.htm
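The two-level user model Richard lays out, as an added example (not code from the thread or from any poster): one least-privilege MySQL account used by the whole application, and the application's own users authenticated in PHP against a stored one-way hash. The thread's examples use md5(); this example uses PHP's password_hash()/password_verify(), which is the current form of the same "store only a one-way hash, compare by hashing what was submitted" idea, and should not be read as what MySQL's password() does. The table layout (immense.profiles with columns login, pwhash, role), the account name uimmense, PHP 8 with PDO and the placeholder password are all assumptions.

```php
<?php
// Added example: app-level users versus the single MySQL account.
// Assumed table in database `immense`:
//   CREATE TABLE profiles (
//     login  VARCHAR(64)  NOT NULL PRIMARY KEY,
//     pwhash VARCHAR(255) NOT NULL,
//     role   ENUM('visitor', 'admin') NOT NULL DEFAULT 'visitor'
//   );

function db_connect(): PDO
{
    // One MySQL account for the application. Grant it only what the scripts need,
    // for example (run once as a MySQL administrator):
    //   GRANT SELECT, INSERT, UPDATE ON immense.profiles TO 'uimmense'@'localhost';
    // No GRANT or FLUSH PRIVILEGES ever runs from the web application itself.
    return new PDO('mysql:host=localhost;dbname=immense;charset=utf8mb4',
                   'uimmense', 'the-db-password',            // placeholder credentials
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Registration: store a salted one-way hash. The plain password is never written.
function register_user(PDO $db, string $login, string $password, string $role = 'visitor'): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO profiles (login, pwhash, role) VALUES (?, ?, ?)');
    $stmt->execute([$login, $hash, $role]);
}

// Login: fetch the stored hash and let password_verify() hash the submitted password
// and compare. Submitting the stored hash as the password fails here for the same
// reason it fails against mysql.user. Returns the role on success, null on failure.
function authenticate_user(PDO $db, string $login, string $password): ?string
{
    $stmt = $db->prepare('SELECT pwhash, role FROM profiles WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the login is unknown, so the response
    // time does not differ between "no such user" and "wrong password".
    $hash = ($row !== false) ? $row['pwhash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Upgrade older hashes transparently on a successful login.
        $db->prepare('UPDATE profiles SET pwhash = ? WHERE login = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $login]);
    }
    return $row['role'];
}

// Authorization is then a decision the PHP code makes, e.g. at the top of /admin/admin.php.
function require_role(?string $role, string $needed): void
{
    if ($role !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage sketch:
//   $db = db_connect();
//   register_user($db, 'alice', 'correct horse battery staple', 'admin');
//   $role = authenticate_user($db, 'alice', 'correct horse battery staple');  // 'admin'
//   require_role($role, 'admin');
```

If, as Richard suggests, the admin pages connect with a second MySQL account that holds the write privileges, db_connect() is the one place that choice is made; the profiles table and the hashing stay the same.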
RE: [PHP] User authentication
--- Jeff McKeon [EMAIL PROTECTED] wrote:
>> $_SESSION['userid'] = $userid;
>> $_SESSION['userpassword'] = $userpassword;
>> [snip]
>> Anything look wrong or insecure with all of this?
>
> The only thing that catches my attention is your assignments for $_SESSION['userid'] and $_SESSION['userpassword']. I assume you are performing some strict data validation on $userid and $userpassword before this assignment, right? If not, this presents a significant risk, because $_SESSION is a trusted array (it comes from the server, not the client).
>
> Hope that helps.
>
> Chris

Well both variables $userid and $userpassword are bounced off of a user database table; if the username/password don't match then the session variables are cleared with a session_destroy() call. Is that a good enough validation?

[code begin]
session_start();

if (!isset($userid)) {
    login_form();
    exit;
} else {
    $_SESSION['userid'] = $userid;
    $_SESSION['userpassword'] = $userpassword;
    $username = auth_user($userid, $userpassword);
    if (!$username) {
        echo "user " . $userid . $userpassword . " Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
        echo "If you do not have login, please contact Operations to obtain one.<br>\n";
        session_destroy();
        exit;
    } else {
        echo "welcome, $username!";
        echo gmmktime();
        echo "<a href='./test_auth.php'>Continue</a>";
        echo "<a href='./new_ticket.php'>Ticket</a>";
    }
}

// Returns the username when userid/password match a row, otherwise 0.
function auth_user($userid, $userpassword)
{
    global $default_dbname, $user_tablename;
    $link_id = db_connect($default_dbname);
    $query = "SELECT username FROM $user_tablename " .
             "WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if (!mysql_num_rows($result)) {
        return 0;
    } else {
        // Record the login time for the idle-timeout check.
        $stamp = gmmktime();
        $query2 = "update $user_tablename set idle_time = $stamp where userid = '$userid'";
        $result2 = mysql_query($query2);
        // Load the user's edit permission into the session.
        $query3 = "select CanEdit from $user_tablename where userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}
[code end]
RE: [PHP] User authentication
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> Well both variables $userid and $userpassword are bounced off of a user database table; if the username/password don't match then the session variables are cleared with a session_destroy() call. Is that a good enough validation?

Yes, as long as you realize that you have now shifted the trust to those values in the database. As long as there is no way for a user to inject malicious code during the registration process (or however the username and password end up in the database), then that part should be fine.

Hope that helps.

Chris

=
My Blog http://shiflett.org/
HTTP Developer's Handbook http://httphandbook.org/
RAMP Training Courses http://www.nyphp.org/ramp
[PHP] User Authentication Continued....
Ok, I've got the user authentication thing down and now I'm continuing to build my trouble ticket tracking system.

So from a customer profile page there is a link to Open Ticket which brings up a page to open a trouble ticket.

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

The user is validated for permissions and timeout based on the $_SESSION variables established before the open ticket page is loaded. I then have a form that they fill in with the minimum info to create a new ticket. Some info is passed to the open ticket page from the customer profile page via a GET method and entered into hidden form fields.

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

On the open ticket page I have 2 functions, the first is a form for entering in the ticket info, the second is a function to take the information and update the database with it when the form is submitted, then reload the page with a display of the ticket info.

The problem I'm having is with the $_GET variables. I guess I'm not declaring them correctly. Do I need to set them as soon as the page loads, and outside of any functions like so..

[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]

Or do I need to declare them in each function?

[code start]
function blah() {
    global $custname, $custid;
    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    // DO SOME STUFF
}

function foo() {
    global $custname, $custid;
    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    // DO SOME STUFF
}
[code end]

Or am I way off and there is another way of doing it?

Also I've noticed that when I do a

    mysql_query("select name from foo where name='$somevariable'")

I cannot use $_GET['somevariable'] or $_POST['somevariable'] in the sql string; I find I need to do a $name = $_GET['somevariable'] first and then use $name. Why is this?

Thanks,
Jeff
RE: [PHP] User authentication
Yes, I'm the one creating the accounts in the database; users can't create their own accounts nor do they have permissions to create new users.

Thanks!

Jeff

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 3:09 PM
To: Jeff McKeon; php
Subject: RE: [PHP] User authentication

> Yes, as long as you realize that you have now shifted the trust to those values in the database. As long as there is no way for a user to inject malicious code during the registration process (or however the username and password end up in the database), then that part should be fine.
>
> Hope that helps.
>
> Chris
Re: [PHP] User Authentication Continued....
I guess you would either need to make the vars global or else keep redeclaring them. Obviously, redeclaring them in each function ($var = $_GET['whatever']) is technically the more secure method.

Kris

Jeff McKeon wrote:
> The problem I'm having is with the $_GET variables. I guess I'm not declaring them correctly. Do I need to set them as soon as the page loads, and outside of any functions like so..
> [snip]
> Or do I need to declare them in each function?
> [snip]
> Or am I way off and there is another way of doing it?
>
> Also I've noticed that when I do a mysql_query("select name from foo where name='$somevariable'") I cannot use $_GET['somevariable'] or $_POST['somevariable'] in the sql string; I find I need to do a $name = $_GET['somevariable'] first and then use $name. Why is this?
>
> Thanks,
> Jeff
Re: [PHP] User Authentication Continued....
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> The problem I'm having is with the $_GET variables. I guess I'm not declaring them correctly. Do I need to set them as soon as the page loads, and outside of any functions like so..
>
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
>
> Or do I need to declare them in each function?
>
> [code start]
> function blah() {
>     global $custname, $custid;
>     $custid = $_GET['custid'];
>     $custname = $_GET['custname'];
>     // DO SOME STUFF
> }

$_GET is a superglobal, which just means that it is always available everywhere. If you assign $custname to $_GET['custname'], you now have a regular global variable (if the assignment is done outside a function) or a local variable (if the assignment is done within a function).

So, either just use $_GET['custname'] everywhere you need it, or work with the variable scope like you would have to if it was anything else. For example:

1. $foo = $_GET['foo'];
2. $foo = 'bar';

The variable scope of $foo would be the same, regardless of which of those assignments were made.

Hope that helps.

Chris
RE: [PHP] User Authentication Continued....
Actually, here's the problem I get with using global variables in a mysql_query string..

[error begin]
PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
[error end]

[code begin]
$query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";
[code end]

Jeff

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 3:45 PM
To: Jeff McKeon; php
Subject: Re: [PHP] User Authentication Continued

> $_GET is a superglobal, which just means that it is always available everywhere. If you assign $custname to $_GET['custname'], you now have a regular global variable (if the assignment is done outside a function) or a local variable (if the assignment is done within a function).
>
> So, either just use $_GET['custname'] everywhere you need it, or work with the variable scope like you would have to if it was anything else.
> [snip]
> Hope that helps.
>
> Chris
RE: [PHP] User Authentication Continued....
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";

    $query = "select * from tickets where vesselid = '{$_GET['vesselid']}' order by status desc, created asc";

Note the curly braces.

Hope that helps.

Chris
RE: [PHP] User Authentication Continued....
On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> Actually, here's the problem I get with using global variables in a mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";
> [code end]

The following will work:

    $query = "SELECT * "
            ."FROM tickets "
            ."WHERE VesselID='".$_GET['vesselid']."' "
            ."ORDER BY Status DESC, Created ASC";

Cheers,
Rob.

--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] User Authentication Continued....
* Thus wrote Jeff McKeon ([EMAIL PROTECTED]):
> Actually, here's the problem I get with using global variables in a mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";
> [code end]

Enclose the var in curly brackets:

    $query="SELECT * from tickets where VesselID='{$_GET['vesselid']}' order

Curt

--
List Stats: http://zirzow.dyndns.org/html/mlists/php_general/
I used to think I was indecisive, but now I'm not so sure.
RE: [PHP] User Authentication Continued....
One more mystery solved. Thanks one and all.

Jeff

-Original Message-
From: Robert Cummings [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 4:55 PM
To: Jeff McKeon
Cc: PHP-General; [EMAIL PROTECTED]
Subject: RE: [PHP] User Authentication Continued

> The following will work:
>
>     $query = "SELECT * "
>             ."FROM tickets "
>             ."WHERE VesselID='".$_GET['vesselid']."' "
>             ."ORDER BY Status DESC, Created ASC";
>
> Cheers,
> Rob.
RE: [PHP] User Authentication Continued....
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";

    $query = "select * from tickets where vesselid = '{$_GET['vesselid']}' order by status desc, created asc";

Note the curly braces.

I am trying to start making a conscious effort to alert people to potential security risks associated with certain examples. So, I should have mentioned that constructing an SQL statement with client data is terrible. While my example was only meant to illustrate how to interpolate arrays within a string, I do not want anyone to copy/paste this code and create a security vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris
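Chris's three steps applied to the ticket query, as an added example (not code from the thread or from Chris). It keeps the interpolated form from the thread as a comment beside the replacement, so the difference is visible. It assumes VesselID is a positive integer, PHP 8 with PDO, and placeholder connection details; the validation rule is the part you would adapt to your own id format.

```php
<?php
// Added example: validate, copy into $clean, then build the statement from $clean only.

// The form from the thread, shown for contrast: whatever the client puts in
// ?vesselid= becomes part of the SQL text.
//   $query = "select * from tickets where vesselid = '{$_GET['vesselid']}' order by status desc, created asc";

// Step 1: validate. Accept only a positive integer in canonical form
// ("42", not " 42", "4.2", "42abc" or "42\n"; \z rejects a trailing newline that $ would allow).
function validate_vesselid($value): ?int
{
    if (!is_string($value) || !preg_match('/^[1-9][0-9]{0,9}\z/', $value)) {
        return null;
    }
    return (int) $value;
}

// Step 2: only validated values are copied into $clean; nothing reads $_GET after this point.
$clean = [];
$vesselid = validate_vesselid($_GET['vesselid'] ?? null);
if ($vesselid === null) {
    http_response_code(400);
    exit('Invalid vessel id');
}
$clean['vesselid'] = $vesselid;

// Step 3: build the statement from $clean. A prepared statement sends the value
// separately from the SQL text, so even a validation mistake cannot change the query;
// validation is the filter, the placeholder is the guard.
$db = new PDO('mysql:host=localhost;dbname=tickets;charset=utf8mb4', 'app', 'secret',  // placeholders
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare(
    'SELECT * FROM tickets WHERE VesselID = :vesselid ORDER BY Status DESC, Created ASC');
$stmt->execute([':vesselid' => $clean['vesselid']]);
$tickets = $stmt->fetchAll(PDO::FETCH_ASSOC);

// $tickets now holds the rows for the validated id; render them as the page requires.
```

Placeholders cover values only. The ORDER BY columns here are fixed in the code; if the page ever lets the client choose a sort column, that name must be matched against a fixed allow-list in step 1 rather than interpolated.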
RE: [PHP] User Authentication Continued....
Good advice! Thanks!

Jeff

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 5:19 PM
To: Jeff McKeon; php
Subject: RE: [PHP] User Authentication Continued

> So, what should really be done is something like this:
>
> 1. Validate $_GET['vesselid']
> 2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
> 3. Construct the SQL statement using $clean['vesselid']
>
> Hope that helps.
>
> Chris
[PHP] User authentication
Hey all,

I'm building a website that will pull data from a mysql db. No problem there. I've got a page to create users and store their info in a user table on another db. What I want to be able to do is have a user log in and then only have access to view information that his profile allows. I'm not quite sure how to do this however, so I'm looking for advice to point me in the right direction.

I suspect that once validated via the login page, I need to store the user's permissions in a session variable and then, before each page loads, check to see if the page's permission requirements match the user requirements stored in the session's variable. Is this correct? Are there any security risks with this, as this site may one day be internet accessible? If this isn't the correct approach, what is?

Thanks,
Jeff
RE: [PHP] User authentication
Hi,

> I'm not quite sure how to do this however so I'm looking for advice to point me in the right direction. I suspect that once validated via the login page, I need to store the user's permissions in a session variable and then before each page loads, check to see if the page's permission requirements match the user requirements stored in the session's variable. Is this correct? Are there any security risks with this as this site may one day be internet accessible? If this isn't the correct approach, what is?

Yes, you will need to set some session variables to hold any information you want to check. Make sure you do not store sensitive information in those though. In a site I just built, we are only storing the user's name, user id number, and access level.

The site then checks every 60 seconds to see if they are idle. I track the session login times in a mysql table, and have it do the math on how long they've been idle. This isn't really a common method from what I've seen though, and your security requirements might be a bit different. Our client wants the site to log the EU out if they've been idle for 15 minutes. Some people just let PHP time out the session, then when they go to click on something, it boots them back to the login page.

Just remember to check for an active session each time a secure page loads. Otherwise you'll have people bypassing the login page.

For restricting what is shown on the page, there are many methods. IF structures, etc, just make sure you are checking their access against what is shown.

Does that help?

-Dan Joseph
RE: [PHP] User authentication
Dan,

That's great help and exactly what I'd like to do, timeouts and all. I now just need to figure out the mechanics of the code for it and get a better understanding of sessions.

I'm thinking in the user table I'll have a bunch of boolean fields for different permissions that apply to different pages etc. To keep it simple at first I'll just have two permissions, read only and edit. Read only users will not be allowed to access pages where they can edit data.

How do you check for idle? I suppose there is a built in variable that you check against the value in the table.

How do I pull up or refer to session variables?

Thanks,

Jeff

-----Original Message-----
From: Dan Joseph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:15 AM
To: php
Subject: RE: [PHP] User authentication

> [snip]
RE: [PHP] User authentication
Hi,

> That's great help and exactly what I'd like to do, timeouts and all. I now just need to figure out the mechanics of the code for it and get a better understanding of sessions.
>
> I'm thinking in the user table I'll have a bunch of boolean fields for different permissions that apply to different pages etc. To keep it simple at first I'll just have two permissions, read only and edit. Read only users will not be allowed to access pages where they can edit data.
>
> How do you check for idle? I suppose there is a built in variable that you check against the value in the table.
>
> How do I pull up or refer to session variables?

Sessions are stored in the $_SESSION array. A simple check would be:

if ($_SESSION['user_id'] == "" || is_null($_SESSION['user_id'])) redirect_to_index_function();

Where 'user_id' is, that would be the name of the session you created. Just insert that at the top of each page (might be best suited in an include file).

-Dan Joseph
RE: [PHP] User authentication
Hi,

> How do you check for idle? I suppose there is a built in variable that you check against the value in the table.
>
> How do I pull up or refer to session variables?

Additionally, I also check to see if the date_out column in my sessions table is 0000-00-00 00:00:00, if not, I boot 'em and do a session_destroy();.

-Dan Joseph
RE: [PHP] User authentication
Thanks for the advice! It's a big help. I'll go play now and come back with more intelligent questions later!

Jeff

-----Original Message-----
From: Dan Joseph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:32 AM
To: Jeff McKeon; Dan Joseph; php
Subject: RE: [PHP] User authentication

> [snip]
>
> Sessions are stored in the $_SESSION array. A simple check would be:
>
> if ($_SESSION['user_id'] == "" || is_null($_SESSION['user_id'])) redirect_to_index_function();
>
> Where 'user_id' is, that would be the name of the session you created. Just insert that at the top of each page (might be best suited in an include file).
>
> -Dan Joseph
RE: [PHP] User authentication
What is stored in the date_out column? Is that one of the columns in your own created table or a standard one?

Jeff

-----Original Message-----
From: Dan Joseph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:34 AM
To: php
Subject: RE: [PHP] User authentication

> Hi,
>
> > How do you check for idle? I suppose there is a built in variable that you check against the value in the table.
> >
> > How do I pull up or refer to session variables?
>
> Additionally, I also check to see if the date_out column in my sessions table is 0000-00-00 00:00:00, if not, I boot 'em and do a session_destroy();.
>
> -Dan Joseph
Re: [PHP] User authentication
* Thus wrote Dan Joseph ([EMAIL PROTECTED]):
> Hi,
>
> [snip]
>
> Sessions are stored in the $_SESSION array. A simple check would be:
>
> if ($_SESSION['user_id'] == "" || is_null($_SESSION['user_id'])) redirect_to_index_function();
>
> Where 'user_id' is, that would be the name of the session you created. Just insert that at the top of each page (might be best suited in an include file).

I would suggest a require(), that way if the file can't be included the script will fail at the require.

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
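The include file Dan describes, pulled in with require() as Curt suggests, as an added example rather than code from the thread. It assumes a login page at /login.php, that the login page sets $_SESSION['user_id'], and that the read-only/edit split Jeff mentions is stored as a boolean $_SESSION['can_edit']; all three names are assumptions.

```php
<?php
// auth_check.php -- added example, not code from this thread. Pull it in at the top of
// every protected page with require(): if the file is missing, the script dies instead
// of serving the page to anyone. Assumed names: /login.php, $_SESSION['user_id'],
// and $_SESSION['can_edit'] for the edit permission.

session_start();

function is_logged_in(array $session): bool
{
    // isset() is false for a missing key and for null; the strict comparisons reject
    // '' and 0 without the loose-typing surprises of == (where "0" == "" is false
    // but 0 == "" is true in older PHP).
    return isset($session['user_id'])
        && $session['user_id'] !== ''
        && $session['user_id'] !== 0;
}

function has_permission(array $session, string $flag): bool
{
    // A permission only counts for a logged-in user, and only when the flag is truthy.
    return is_logged_in($session) && !empty($session[$flag]);
}

function deny(string $redirect_to): void
{
    header('Location: ' . $redirect_to, true, 302);
    // The Location header alone does not stop the script: without exit the rest of
    // the page is still generated and sent to a client that ignores the redirect.
    exit;
}

if (!is_logged_in($_SESSION)) {
    deny('/login.php');
}

// A page that edits data adds, right after the require:
//   if (!has_permission($_SESSION, 'can_edit')) { deny('/index.php'); }
```

Each protected page starts with `require __DIR__ . '/auth_check.php';` before any output, since both the session cookie and the redirect are HTTP headers and cannot be sent once the body has begun.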
RE: [PHP] User authentication
Hi,

> What is stored in the date_out column? Is that one of the columns in your own created table or a standard one?

That's the SQL table that I use to track sessions. It's one I created. I have a function that does a simple SQL query:

SELECT date_out FROM sessions WHERE user_id = 12

Then I check to see if date_out != 0000-00-00 00:00:00 and log them out if it isn't. This method is both good and bad. (1) I have a master log of all user logins. (2) I can force a user to log out. Overall, it was just more work on the sessions. I guess I'd recommend this method if you have to keep strong security in mind.

-Dan Joseph
RE: [PHP] User authentication
Ok, I've got a login page that has these functions to set the userid and password to session variables

[code start]
session_start();
if(!isset($userid)) {
    login_form();
    exit;
} else {
    session_register("userid", "userpassword");
    $username = auth_user($userid, $userpassword);
    if(!$username) {
        session_unregister("userid");
        session_unregister("userpassword");
        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
        echo "If you do not have login, please contact Operations to obtain one.<br>\n";
        exit;
    } else
        echo "welcome, $username!";
}
[code end]

I then have a simple test page with the following code...

[code start]
<?php
include "./register_functions.php";

if($_SESSION['userid'] == 'bob'){
    echo $_SESSION['userid'];
    echo "Access Denied Bobby boy!!!";
} else {
    echo "OK, since it's not Bob, it's ok";
}

html_footer();
[code end]

The problem is that the $_SESSION['userid'] doesn't return anything on this page.. Am I not calling the session variable correctly or not storing it correctly? In my php.ini I have globals turned off. Does this affect it?

Thanks,

Jeff

-----Original Message-----
From: Dan Joseph [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:39 AM
To: php
Subject: RE: [PHP] User authentication

> Hi,
>
> > What is stored in the date_out column? Is that one of the columns in your own created table or a standard one?
>
> That's the SQL table that I use to track sessions. It's one I created. I have a function that does a simple SQL query:
>
> SELECT date_out FROM sessions WHERE user_id = 12
>
> Then I check to see if date_out != 0000-00-00 00:00:00 and log them out if it isn't. This method is both good and bad. (1) I have a master log of all user logins. (2) I can force a user to log out. Overall, it was just more work on the sessions. I guess I'd recommend this method if you have to keep strong security in mind.
>
> -Dan Joseph
RE: [PHP] User authentication
Hi,

> The problem is that the $_SESSION['userid'] doesn't return anything on this page.. Am I not calling the session variable correctly or not storing it correctly? In my php.ini I have globals turned off. Does this affect it?

Hi, yeah, it's my understanding (and someone can correct me if I am wrong..) that if you have that turned off, then you can't use session_register(). Instead, do $_SESSION['userid'] = 10; and see if that works.

-Dan Joseph
RE: [PHP] User authentication
On 02 October 2003 17:27, Jeff McKeon wrote:
> Ok, I've got a login page that has these functions to set the userid and password to session variables
>
> [snip]
>
> I then have a simple test page with the following code...
>
> [code start]
> <?php
> include "./register_functions.php";
>
> if($_SESSION['userid'] == 'bob'){
>     echo $_SESSION['userid'];
>     echo "Access Denied Bobby boy!!!";
> } else {
>     echo "OK, since it's not Bob, it's ok";
> }
>
> html_footer();
> [code end]
>
> The problem is that the $_SESSION['userid'] doesn't return anything on this page.. Am I not calling the session variable correctly or not storing it correctly? In my php.ini I have globals turned off. Does this affect it?

(1) I don't see a session_start() on the second page (unless it's in register_functions.php?).

(2) I would advise not mixing $_SESSION and session_register() -- it's problematical in some situations. Just stick to using the $_SESSION array.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
RE: [PHP] User authentication
Hi,

> (1) I don't see a session_start() on the second page (unless it's in register_functions.php?).

Old habits die hard. You have no idea how many times I forget to put this at the top of a page. Thanks for pointing that out.

-Dan Joseph
RE: [PHP] User authentication
> On 02 October 2003 17:27, Jeff McKeon wrote:
> > Ok, I've got a login page that has these functions to set the userid and password to session variables
> >
> > [snip]
> >
> > The problem is that the $_SESSION['userid'] doesn't return anything on this page.. Am I not calling the session variable correctly or not storing it correctly? In my php.ini I have globals turned off. Does this affect it?
>
> (1) I don't see a session_start() on the second page (unless it's in register_functions.php?).

OK, including session_start(); at the top of the test_auth.php page worked.

> (2) I would advise not mixing $_SESSION and session_register() -- it's problematical in some situations. Just stick to using the $_SESSION array.

I'm not quite sure what you mean here, can you give an example or elaborate? Sorry, real newbie here... :o)

Thanks,

Jeff
Re: [PHP] User authentication
On Friday 03 October 2003 01:50, Jeff McKeon wrote:
> > (2) I would advise not mixing $_SESSION and session_register() -- it's problematical in some situations. Just stick to using the $_SESSION array.
>
> I'm not quite sure what you mean here, can you give an example or elaborate? Sorry, real newbie here... :o)

Examples and elaboration: manual > Session handling functions

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/* According to all the latest reports, there was no truth in any of the earlier reports. */
RE: [PHP] User authentication
Hi, What is stored in the date_out column? Is that one of the colums in your own created table or a standard one? That's the SQL table that I use to track sessions. Its one I created. I have a functon that does a simple SQL query: SELECT date_out FROM sessions WHERE user_id = 12 Then I check to see if if date_out != -00-00 00:00:00 and log them out if it doesn't. This method is both good and bad. (1) I have a master log of all user logins. (2) I can force a user to log out. Overall, it was just more work on the sessions. I guess I'd recommend this method if you have to keep strong security in mind. So when a user logs in you write a user_id and datestamp to a field in your sessions table. Every time the person accesses a page you update the datestamp in that record. Then you run a function that checks every X minutes if the timestamp is older than X minutes and if so you log the person out? Is this correct? How exactly do you log them out? By issuing a command to clear the session variables saved during login, thus causing function on each page that checks for valid login to fail? Thanks, Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User authentication
On Friday 03 October 2003 01:59, Jeff McKeon wrote:
> So when a user logs in you write a user_id and datestamp to a field in your sessions table. Every time the person accesses a page you update the datestamp in that record. Then you run a function that checks every X minutes if the timestamp is older than X minutes and if so you log the person out? Is this correct?

Wrong order. First, check whether the timestamp is past its sell-by date; if so, destroy the session then redirect them to the login page, otherwise refresh the timestamp.

> How exactly do you log them out? By issuing a command to clear the session variables saved during login, thus causing the function on each page that checks for valid login to fail?

Yes. session_destroy().

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/* How do I love thee? My accumulator overflows. */
RE: [PHP] User authentication
Hi,

> So when a user logs in you write a user_id and datestamp to a field in your sessions table. Every time the person accesses a page you update the datestamp in that record. Then you run a function that checks every X minutes if the timestamp is older than X minutes and if so you log the person out? Is this correct?
>
> How exactly do you log them out? By issuing a command to clear the session variables saved during login, thus causing the function on each page that checks for valid login to fail?

Yeah, that's correct. There is a date_idle column in the database. That gets updated every time they move to a new page, or refresh the one they are on. To time them out, I simply set the date_out column = Now(), issue a session_destroy() and redirect them back to the login page.

-Dan Joseph
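The per-request idle check, in the order Jason gives (compare first, destroy if stale, refresh only if still valid) against a sessions table like the one Dan describes. This is an added example, not Dan's code. The schema is assumed from the column names in the thread (date_idle, date_out, user_id), with a session_id key added and a NULL date_out standing in for Dan's 0000-00-00 00:00:00 "still logged in" marker; the 15 minute limit is the one Dan's client asked for.

```php
<?php
// Added example, not Dan's code. Assumed schema, built from the thread's column names:
//   sessions(session_id VARCHAR(128) PRIMARY KEY, user_id INT,
//            date_in DATETIME, date_idle DATETIME, date_out DATETIME NULL)
// A row with date_out IS NULL is an open login; a non-NULL date_out is closed.

const IDLE_LIMIT = 15 * 60;   // seconds; the 15 minutes mentioned in the thread

// Returns true if the session is still live (and refreshes date_idle), false if it is
// unknown, was already closed (timed out or force-logged-out), or has been idle too
// long, in which case the row is closed and NOT refreshed.
function session_is_live(PDO $db, string $sid, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT UNIX_TIMESTAMP(date_idle) AS idle_ts, date_out
           FROM sessions WHERE session_id = :sid'
    );
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false;                       // no login recorded for this id
    }
    if ($row['date_out'] !== null) {
        return false;                       // closed earlier: expired or forced out
    }
    if ($now - (int) $row['idle_ts'] > IDLE_LIMIT) {
        // Check before refresh: an expired session is closed, never extended.
        $db->prepare('UPDATE sessions SET date_out = NOW() WHERE session_id = :sid')
           ->execute([':sid' => $sid]);
        return false;
    }

    // Only a session that passed every check gets its idle timestamp moved forward.
    $db->prepare('UPDATE sessions SET date_idle = FROM_UNIXTIME(:now) WHERE session_id = :sid')
       ->execute([':now' => $now, ':sid' => $sid]);
    return true;
}

// Dan's "I can force a user to log out": close every open row for that user. Their
// next request fails session_is_live() and lands on the login page.
function force_logout(PDO $db, int $user_id): int
{
    $stmt = $db->prepare(
        'UPDATE sessions SET date_out = NOW() WHERE user_id = :uid AND date_out IS NULL'
    );
    $stmt->execute([':uid' => $user_id]);
    return $stmt->rowCount();
}

// At the top of each protected page, after session_start():
//   if (!session_is_live($db, session_id(), time())) {
//       $_SESSION = [];
//       session_destroy();
//       header('Location: /login.php');
//       exit;
//   }
```

Keying the table on the PHP session id rather than only on user_id (Dan's `WHERE user_id = 12`) lets the same user hold more than one login and still lets force_logout() close all of them at once.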
RE: [PHP] User authentication
Hi,

> > (2) I would advise not mixing $_SESSION and session_register() -- it's problematical in some situations. Just stick to using the $_SESSION array.
>
> I'm not quite sure what you mean here, can you give an example or elaborate? Sorry, real newbie here... :o)

$_SESSION['userid'] = 254;

Where 254 is, that is the value you want to assign it. It's just an array. Think of it more as a global variable across the entire site.

-Dan Joseph
Re: [PHP] User authentication
For those of you who are writing apps and looking at this: if you have customers adding things to their session, such as a cart or something else, and you destroy the session, the information that they were keeping in their session would be lost. So if you don't want pissed off customers calling saying they lost something after leaving their desk for a few minutes, then you want to make sure that the information such as the cart or whatever is stored elsewhere and has their user id tied to it.

So when you're laying out your site, and you're destroying sessions, make sure that unless that is the designed intent (such as login information) you aren't destroying something more important like someone's shopping cart filling with $3000 worth of merch, yes I know with the exchange rate that's only worth $.25 to Americans.

> Yes. session_destroy().
>
> --
> Jason Wong - Gremlins Associates - www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> --
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-general
> --
> /* How do I love thee? My accumulator overflows. */
RE: [PHP] User authentication
include "punctuation";

Jeff

-----Original Message-----
From: Didier McGillis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 2:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] User authentication

> [snip]
RE: [PHP] User authentication
> Hi,
>
> > > (2) I would advise not mixing $_SESSION and session_register() -- it's problematical in some situations. Just stick to using the $_SESSION array.
> >
> > I'm not quite sure what you mean here, can you give an example or elaborate? Sorry, real newbie here... :o)
>
> $_SESSION['userid'] = 254;
>
> Where 254 is, that is the value you want to assign it. It's just an array. Think of it more as a global variable across the entire site.
>
> -Dan Joseph

So I've replaced my

session_register("userid", "userpassword");

with

$_SESSION['userid'] = $userid;
$_SESSION['userpassword'] = $userpassword;

And my:

session_unregister("userid");
session_unregister("userpassword");

with

session_destroy();

I've also added a field to the user table called CanEdit that is set to 1 or 0. When the authentication function is called, I run a query that updates the user's idle timestamp, gets his/her CanEdit value and stores it to $_SESSION['CanEdit'], and returns the username.

[code begin]
function auth_user($userid, $userpassword)
{
    global $default_dbname, $user_tablename;

    $link_id = db_connect($default_dbname);

    $query = "SELECT username FROM $user_tablename WHERE userid = '$userid' && userpassword = password('$userpassword')";
    $result = mysql_query($query);

    if(!mysql_num_rows($result))
        return 0;
    else {
        //set idle timestamp (using unixtime)
        $stamp = gmmktime();
        $query2 = "update $user_tablename set idle_time = $stamp where userid = '$userid'";
        $result2 = mysql_query($query2);

        //get the users CanEdit value
        $query3 = "select CanEdit from $user_tablename where userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];

        //Return the users name to the calling page
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}
[code end]

Then when any new page loads it first checks to see if the user has a CanEdit value of 1, if not it boots them back to the page they came from, if so it runs a query to check their idle timestamp and subtract it from the current unixtimestamp to find the difference. If it's greater than X they are booted back to the login screen, if it's less than X the page is loaded..

Anything look wrong or insecure with all of this?

Thanks for all the help!!!

jeff
RE: [PHP] User authentication
Hi,

> Then when any new page loads it first checks to see if the user has a CanEdit value of 1, if not it boots them back to the page they came from, if so it runs a query to check their idle timestamp and subtract it from the current unixtimestamp to find the difference. If it's greater than X they are booted back to the login screen, if it's less than X the page is loaded..
>
> Anything look wrong or insecure with all of this?

This is how I'm doing it. We had it audited by a security company. It passed with flying colors.

-Dan Joseph
RE: [PHP] User authentication
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> $_SESSION['userid'] = $userid;
> $_SESSION['userpassword'] = $userpassword;
>
> [snip]
>
> Anything look wrong or insecure with all of this?

The only thing that catches my attention is your assignments for $_SESSION['userid'] and $_SESSION['userpassword']. I assume you are performing some strict data validation on $userid and $userpassword before this assignment, right? If not, this presents a significant risk, because $_SESSION is a trusted array (it comes from the server, not the client).

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
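Jeff's auth_user() reworked along the lines of Chris's comment, as an added example rather than Jeff's own code: the form values are validated before use, the lookup is a prepared statement instead of a string with $userid and $userpassword pasted into it, and the function hands back only values read from the database row, so the login page never copies raw client input (and never the password) into $_SESSION. It assumes a PDO connection and the columns Jeff names (userid, username, userpassword, CanEdit, idle_time) in the table named by $user_tablename, with userpassword holding a password_hash() result rather than the output of MySQL's PASSWORD().

```php
<?php
// Added example, not Jeff's code. Assumed: a PDO handle; a table $user_tablename
// with columns userid, username, userpassword, CanEdit, idle_time; userpassword
// stores password_hash() output (so password_verify() can check it).

function validate_userid(string $raw): ?string
{
    // Whitelist the shape of a user id; anything else is rejected outright, which is
    // the "strict data validation" the value needs before it reaches $_SESSION.
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Returns ['userid' => ..., 'username' => ..., 'CanEdit' => 0|1] on success, null on
// any failure. The caller cannot tell "no such user" from "wrong password".
function auth_user(PDO $db, string $user_tablename, array $post): ?array
{
    $userid   = validate_userid((string) ($post['userid'] ?? ''));
    $password = (string) ($post['userpassword'] ?? '');
    if ($userid === null || $password === '') {
        return null;
    }

    // The table name comes from configuration, not from the client; every value that
    // does come from the client goes through a placeholder.
    $stmt = $db->prepare(
        "SELECT userid, username, userpassword, CanEdit FROM `$user_tablename` WHERE userid = :uid"
    );
    $stmt->execute([':uid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['userpassword'])) {
        return null;
    }

    // Same bookkeeping as Jeff's $query2, keyed on the id read back from the row.
    $db->prepare("UPDATE `$user_tablename` SET idle_time = :now WHERE userid = :uid")
       ->execute([':now' => time(), ':uid' => $row['userid']]);

    return [
        'userid'   => $row['userid'],
        'username' => $row['username'],
        'CanEdit'  => (int) $row['CanEdit'],
    ];
}

// On the login page, after session_start():
//   $user = auth_user($db, $user_tablename, $_POST);
//   if ($user === null) { /* print the "Authorization failed" message */ exit; }
//   $_SESSION['userid']  = $user['userid'];     // from the row, not from $_POST
//   $_SESSION['CanEdit'] = $user['CanEdit'];
//   echo "welcome, " . htmlspecialchars($user['username']) . "!";
```

Two things from the original are dropped on purpose: $_SESSION['userpassword'], which has no reader and only widens the blast radius of a leaked session file, and the separate `$query3` round trip, since CanEdit can be selected with the same row.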
[PHP] User Authentication
Hi,

Using the following code I am able to authenticate which type of user is visiting my page, however if I try to log in again with a different type of user the session variables still assume that the original user was logged in. Is there a way to reset the session variables? I have tried session_destroy() and session_unset() but without success...

<?php
require("dbconnect.php");

// Assume user is not authenticated
$auth = false;

// Formulate the query
$query = "SELECT * FROM WMS_User WHERE User_Username = '$_POST[username]' AND User_Password = '$_POST[password]'";

// Execute the query and put results in $result
$result = mysql_query( $query ) or die ( 'Unable to execute query.' );

// Get number of rows in $result.
$num = mysql_numrows( $result );

if ( $num != 0 ) {
    // A matching row was found - the user is authenticated.
    $auth = true;

    //get the data for the session variables
    $suser_name     = mysql_result($result, 0, "User_Name");
    $suser_password = mysql_result($result, 0, "User_Password");
    $stype_level    = mysql_result($result, 0, "User_Type");

    $ses_name  = $suser_name;
    $ses_pass  = $suser_password;
    $ses_level = $stype_level;

    session_register("ses_name");
    session_register("ses_pass");
    session_register("ses_level");
}

//if user isn't authenticated redirect to appropriate page
if ( ! $auth ) {
    include("index.php");
    exit;
}
//if user is authenticated, include the main menu
else {
    include("home.php");
}

//close connection
mysql_close();
?>

thanks for your help
Re: [PHP] User Authentication
--- shaun [EMAIL PROTECTED] wrote:
> Using the following code I am able to authenticate which type of user is visiting my page, however if I try to log in again with a different type of user the session variables still assume that the original user was logged in. Is there a way to reset the session variables? I have tried session_destroy() and session_unset() but without success...
>
> [snip]
>
>     $ses_name  = $suser_name;
>     $ses_pass  = $suser_password;
>     $ses_level = $stype_level;
>
>     session_register("ses_name");
>     session_register("ses_pass");
>     session_register("ses_level");

This is the moment where you lose your new session data. You need to register your session variables before you use them. At this point, PHP retrieves the session data that is saved for you, and you lose all of the stuff you did above.

Chris

=====
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
Re: [PHP] User Authentication
"Chris Shiflett" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> --- shaun [EMAIL PROTECTED] wrote:
> > Using the following code I am able to authenticate which type of user is visiting my page, however if I try to log in again with a different type of user the session variables still assume that the original user was logged in. Is there a way to reset the session variables? I have tried session_destroy() and session_unset() but without success...
> >
> > [snip]
> >
> >     session_register("ses_name");
> >     session_register("ses_pass");
> >     session_register("ses_level");
>
> This is the moment where you lose your new session data. You need to register your session variables before you use them. At this point, PHP retrieves the session data that is saved for you, and you lose all of the stuff you did above.
>
> Chris

sorry but you have lost me, surely the session_register(); function is storing what I have done above this point, if not then how would I store the new values instead?
Re: [PHP] User Authentication
use:

$_SESSION['ses_name'] = 'something';
$_SESSION['ses_pass'] = 'something';
$_SESSION['ses_level'] = 'something';

instead of:

session_register("ses_name");
session_register("ses_pass");
session_register("ses_level");

All $_SESSION entries are automatically registered. See the following for more info
http://us2.php.net/manual/en/security.registerglobals.php
http://us2.php.net/manual/en/function.session-register.php

olinux

--- shaun [EMAIL PROTECTED] wrote:
> Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > --- shaun [EMAIL PROTECTED] wrote:
> > > ...
> > >     session_register("ses_name");
> > >     session_register("ses_pass");
> > >     session_register("ses_level");
> >
> > This is the moment where you lose your new session data. You need to
> > register your session variables before you use them. At this point, PHP
> > retrieves the session data that is saved for you, and you lose all of
> > the stuff you did above.
> >
> > Chris
>
> sorry but you have lost me, surely the session_register(); function is
> storing what I have done above this point, if not then how would I store
> the new values instead?
Re: [PHP] User Authentication
--- shaun [EMAIL PROTECTED] wrote:
> > > ...
> > >     $ses_name = $suser_name;
> > >     $ses_pass = $suser_password;
> > >     $ses_level = $stype_level;
> > >
> > >     session_register("ses_name");
> > >     session_register("ses_pass");
> > >     session_register("ses_level");
> >
> > This is the moment where you lose your new session data. You need to
> > register your session variables before you use them. At this point, PHP
> > retrieves the session data that is saved for you, and you lose all of
> > the stuff you did above.
> ...
> sorry but you have lost me, surely the session_register(); function is
> storing what I have done above this point, if not then how would I store
> the new values instead?

How is a function supposed to do anything before it is called? I don't understand how you come to that conclusion.

The session_register() function lets PHP know that you want a particular variable registered in the current session. If the variable already exists, it will retrieve it for you. This is how you are able to use a session variable on another page.

If you don't understand this, you might want to just use session_register() at the top of your script(s) to keep yourself from making this particular mistake. However, I strongly suggest researching sessions a lot more, or you will find it frustratingly difficult to solve session problems without a good understanding of what is going on.

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
Re: [PHP] User Authentication
i have changed the code to:

//register the session variables
$_SESSION['ses_name'] = mysql_result($result, 0, "User_Name");
$_SESSION['ses_pass'] = mysql_result($result, 0, "User_Password");
$_SESSION['ses_level'] = mysql_result($result, 0, "User_Type");

but if i try to log in again the session variables don't change, any ideas?

Olinux [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> use:
>
> $_SESSION['ses_name'] = 'something';
> $_SESSION['ses_pass'] = 'something';
> $_SESSION['ses_level'] = 'something';
>
> instead of:
>
> session_register("ses_name");
> session_register("ses_pass");
> session_register("ses_level");
>
> All $_SESSION entries are automatically registered. See the following for
> more info
> http://us2.php.net/manual/en/security.registerglobals.php
> http://us2.php.net/manual/en/function.session-register.php
>
> olinux
>
> --- shaun [EMAIL PROTECTED] wrote:
> > Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > --- shaun [EMAIL PROTECTED] wrote:
> > > > Using the following code I am able to authenticate which type of
> > > > user is visiting my page, however if I try to log in again with a
> > > > different type of user the session variables still assume that the
> > > > original user was logged in. Is there a way to reset the session
> > > > variables? I have tried session_destroy() and session_unset() but
> > > > without success...
> > > > ...
> > > >     session_register("ses_name");
> > > >     session_register("ses_pass");
> > > >     session_register("ses_level");
> > >
> > > This is the moment where you lose your new session data. You need to
> > > register your session variables before you use them. At this point,
> > > PHP retrieves the session data that is saved for you, and you lose
> > > all of the stuff you did above.
> >
> > sorry but you have lost me, surely the session_register(); function is
> > storing what I have done above this point, if not then how would I
> > store the new values instead?
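The login handler below is an added example, not shaun's code or code from any reply in this thread. It keeps the thread's table and column names (WMS_User, User_Username, User_Password, User_Name, User_Type) but assumes User_Password holds a password_hash() digest rather than the clear text the posted query compares against, and assumes PHP 7 with PDO; the DSN, database credentials and redirect target are placeholders. It shows what a re-login needs that the code as posted does not do: session_start() runs before $_SESSION is touched, and the previous session's data and id are discarded before the new user's values are stored. It also binds the username as a parameter instead of interpolating $_POST values into the SQL string, which in the posted query lets a crafted username rewrite the WHERE clause.

```php
<?php
// login.php: added example, not shaun's code or code from any reply in the
// thread. Assumes PHP 7+ with PDO, the thread's table and column names, and
// that User_Password holds a password_hash() digest. DSN, credentials and the
// redirect target are placeholders.
declare(strict_types=1);

// session_start() must run before $_SESSION is read or written, on every page.
session_start();

function login(PDO $db, string $username, string $password): bool
{
    // Bind the username instead of interpolating $_POST into the SQL string:
    // a username like  x' OR '1'='1  is then just a string that matches nothing.
    $stmt = $db->prepare(
        'SELECT User_Name, User_Password, User_Type
           FROM WMS_User
          WHERE User_Username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash. For an unknown user, verify against a
    // throwaway hash anyway so the response time does not reveal whether the
    // username exists.
    $stored = ($row !== false) ? (string) $row['User_Password']
                               : password_hash('unused', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored) || $row === false) {
        return false;
    }

    // Re-login (possibly as a different user): drop everything the previous
    // session held so no value from the earlier user survives.
    $_SESSION = [];
    // Issue a new session id and delete the old one server-side. Without this
    // the id in use before login (possibly planted by an attacker: session
    // fixation) would now identify an authenticated session.
    session_regenerate_id(true);

    // Store only what pages need to make decisions; never the password.
    $_SESSION['ses_name']  = $row['User_Name'];
    $_SESSION['ses_level'] = $row['User_Type'];
    $_SESSION['login_at']  = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // session_destroy() removes the server-side data; the cookie has to be
    // expired separately or the browser keeps presenting the dead id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder DSN and credentials.
    $db = new PDO('mysql:host=localhost;dbname=wms;charset=utf8mb4', 'dbuser', 'dbpass',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (login($db, $username, $password)) {
        header('Location: /index.php', true, 303);
    } else {
        // One message for "no such user" and "wrong password".
        http_response_code(401);
        echo 'Login failed.';
    }
    exit;
}
```

Pages that depend on the login call session_start() and then test isset($_SESSION['ses_name']); the ses_pass value from the thread is deliberately never written to the session, because anything in the session file can be read by anyone who obtains the session id or file-system access to the save path.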
Re: [PHP] PHP: User Authentication Script
Thank you for the reply Farianto.

Exactly where in the httpd.conf file should I insert that line? If you could copy and paste the line *above* and *below* in the httpd.conf file that already exists so I know the location I would appreciate it.

Thanks again.
TR

for example:

# blahblah1
Load Module PHP4_Module c:/Apache/php/sapi/php4apache.dll   // insert this line
# blahblah2
..

----- Original Message -----
From: Farianto Kurniawan [EMAIL PROTECTED]
To: Anthony Ritter [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 26, 2002 10:36 PM
Subject: Re: [PHP] PHP: User Authentication Script

> ...hello .. Mr.Anthony Ritter ..
>
> Actually I have faced the same problem with you but right now I can fix it.
> What you must do is:
> 1. Turn off your Apache Web Server
> 2. Edit your httpd.conf file from folder conf under Apache folder.
> 3. Please add this sentence -- LoadModule php4_module
>    c:/Apache/php/sapi/php4apache.dll -- in it. (the important thing is that
>    php4apache.dll is in that directory; if it isn't, change it to the right
>    position.)
> 4. Save it
> 5. Turn Your Apache Web Server on.
>
> I hope it can work now...
>
> Regards,
> Farianto.K
> PT.Yosibara Inti Corpora
> Phone: 62-21-5267645/46
> Indonesia
Re: [PHP] PHP: User Authentication Script
You can insert the line at the very end of your httpd.conf file...

I'm sure you can find more info here...
http://www.php.net/manual/en/install.windows.php

- E

> Thank you for the reply Farianto.
>
> Exactly where in the httpd.conf file should I insert that line? If you could
> copy and paste the line *above* and *below* in the httpd.conf file that
> already exists so I know the location I would appreciate it.
>
> Thanks again.
> TR
>
> for example:
>
> # blahblah1
> Load Module PHP4_Module c:/Apache/php/sapi/php4apache.dll   // insert this line
> # blahblah2
> ..
>
> ----- Original Message -----
> From: Farianto Kurniawan [EMAIL PROTECTED]
> To: Anthony Ritter [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Monday, August 26, 2002 10:36 PM
> Subject: Re: [PHP] PHP: User Authentication Script
>
> > ...hello .. Mr.Anthony Ritter ..
> > ...
> > 3. Please add this sentence -- LoadModule php4_module
> >    c:/Apache/php/sapi/php4apache.dll -- in it. (the important thing is
> >    that php4apache.dll is in that directory; if it isn't, change it to the
> >    right position.)
> > ...
RE: [PHP] PHP: User Authentication Script
Sounds like you've identified your problem. I have never installed a module but you can check out http://www.apache.org/ for some help installing modules on the Apache server. I believe it involves compiling the server; for Windows platforms I believe you need Visual C++ 6.0. If that is too technically demanding you can check out several pre-packaged distributions of Apache, PHP, MySQL, Perl and the like, looking for one where PHP is installed as a Mod (don't personally know of any). For a fairly complete list of packages check out;
http://www.hotscripts.com/PHP/Software_and_Servers/Installation_Kits/

Sooner, or later, you will probably reach a point where it will become more expedient for you to write your own authentication, which is what most application developers do. This has the advantage of allowing you to set up your application security independent of your server or database security.

hope this helps,

Warren Vail
Tools, Metrics & Quality Processes

-----Original Message-----
From: Anthony Ritter [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 8:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] PHP: User Authentication Script

> In my phpinfo() I get:
>
> php version 4.0.0
> Server API: CGI
> ..
>
> Is this why it is not working? If so, how does one install PHP as a module?
>
> Please advise.
> Thank you.
> TR
> ...
> Warren Vail wrote in message:
> > http://www.php.net/manual/en/features.http-auth.php also mentions that
> > http auth does not work when running php as a CGI, which may also give
> > these symptoms.
[PHP] PHP: User Authentication Script
Using Apache / Windows 98 / PHP / mySQL

The following script is from Julie Meloni's book PHP Essentials (PrimaTech) on page 138. I've copied the script from her site and tried to run it and get the following:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
--
Apache/1.3.12 Server at localhost Port 80

---
The following is the script:

<?
if (!isset($PHP_AUTH_USER)) {
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    if (($PHP_AUTH_USER == "jane") && ($PHP_AUTH_PW == "mypassword")) {
        echo "<P>You have entered this username: $PHP_AUTH_USER<br>";
        echo "You have entered this password: $PHP_AUTH_PW<br>";
        echo "The authorization type is: $PHP_AUTH_TYPE.</p>";
    } else {
        echo "You are not authorized!";
    }
}
?>
RE: [PHP] PHP: User Authentication Script
What does your apache server log say?

Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658

-----Original Message-----
From: Anthony Ritter [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 6:51 PM
To: [EMAIL PROTECTED]
Subject: [PHP] PHP: User Authentication Script

> Using Apache / Windows 98 / PHP / mySQL
>
> The following script is from Julie Meloni's book PHP Essentials (PrimaTech)
> on page 138. I've copied the script from her site and tried to run it and
> get the following:
>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
> ...
> Apache/1.3.12 Server at localhost Port 80
>
> ---
> The following is the script:
>
> <?
> if (!isset($PHP_AUTH_USER)) {
>     header('WWW-Authenticate: Basic realm="My Private Stuff"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Authorization Required.';
>     exit;
> } else {
>     if (($PHP_AUTH_USER == "jane") && ($PHP_AUTH_PW == "mypassword")) {
>         echo "<P>You have entered this username: $PHP_AUTH_USER<br>";
>         echo "You have entered this password: $PHP_AUTH_PW<br>";
>         echo "The authorization type is: $PHP_AUTH_TYPE.</p>";
>     } else {
>         echo "You are not authorized!";
>     }
> }
> ?>
Re: [PHP] PHP: User Authentication Script
Thanks for the reply Warren.

It says...

[Mon Aug 26 20:46:13 2002] [error] [client 127.0.0.1] malformed header from script. Bad header=HTTP/1.0 401 Unauthorized: c:/php4/php.exe

...

----- Original Message -----
From: Vail, Warren [EMAIL PROTECTED]
To: 'Anthony Ritter' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 26, 2002 7:49 PM
Subject: RE: [PHP] PHP: User Authentication Script

> What does your apache server log say?
>
> Warren Vail
> Tools, Metrics & Quality Processes
> (415) 667-7814
> Pager (877) 774-9891
> 215 Fremont 02-658
>
> -----Original Message-----
> From: Anthony Ritter [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 26, 2002 6:51 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP: User Authentication Script
>
> > Using Apache / Windows 98 / PHP / mySQL
> >
> > The following script is from Julie Meloni's book PHP Essentials
> > (PrimaTech) on page 138. I've copied the script from her site and tried
> > to run it and get the following:
> >
> > Internal Server Error
> > ...
> > Apache/1.3.12 Server at localhost Port 80
> >
> > ---
> > The following is the script:
> >
> > <?
> > if (!isset($PHP_AUTH_USER)) {
> >     header('WWW-Authenticate: Basic realm="My Private Stuff"');
> >     header('HTTP/1.0 401 Unauthorized');
> >     echo 'Authorization Required.';
> >     exit;
> > } else {
> >     if (($PHP_AUTH_USER == "jane") && ($PHP_AUTH_PW == "mypassword")) {
> >         echo "<P>You have entered this username: $PHP_AUTH_USER<br>";
> >         echo "You have entered this password: $PHP_AUTH_PW<br>";
> >         echo "The authorization type is: $PHP_AUTH_TYPE.</p>";
> >     } else {
> >         echo "You are not authorized!";
> >     }
> > }
> > ?>
RE: [PHP] PHP: User Authentication Script
Was this before supplying the password or after? I believe this log entry may be normal when authentication fails. I also believe the message you got on your browser means that the 401 error page is missing from your apache installation.

http://www.php.net/manual/en/features.http-auth.php also mentions that http auth does not work when running php as a CGI, which may also give these symptoms.

Warren Vail
Tools, Metrics & Quality Processes

-----Original Message-----
From: Anthony Ritter [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] PHP: User Authentication Script

> Thanks for the reply Warren.
>
> It says...
>
> [Mon Aug 26 20:46:13 2002] [error] [client 127.0.0.1] malformed header from
> script. Bad header=HTTP/1.0 401 Unauthorized: c:/php4/php.exe
>
> ...
>
> ----- Original Message -----
> From: Vail, Warren [EMAIL PROTECTED]
> To: 'Anthony Ritter' [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Monday, August 26, 2002 7:49 PM
> Subject: RE: [PHP] PHP: User Authentication Script
>
> > What does your apache server log say?
> >
> > Warren Vail
> > Tools, Metrics & Quality Processes
> > ...
> > > Using Apache / Windows 98 / PHP / mySQL
> > >
> > > The following script is from Julie Meloni's book PHP Essentials
> > > (PrimaTech) on page 138. I've copied the script from her site and
> > > tried to run it and get the following:
> > >
> > > Internal Server Error
> > > ...
> > > The following is the script:
> > >
> > > <?
> > > if (!isset($PHP_AUTH_USER)) {
> > >     header('WWW-Authenticate: Basic realm="My Private Stuff"');
> > >     header('HTTP/1.0 401 Unauthorized');
> > >     echo 'Authorization Required.';
> > >     exit;
> > > } else {
> > >     if (($PHP_AUTH_USER == "jane") && ($PHP_AUTH_PW == "mypassword")) {
> > >         echo "<P>You have entered this username: $PHP_AUTH_USER<br>";
> > >         echo "You have entered this password: $PHP_AUTH_PW<br>";
> > >         echo "The authorization type is: $PHP_AUTH_TYPE.</p>";
> > >     } else {
> > >         echo "You are not authorized!";
> > >     }
> > > }
> > > ?>
Re: [PHP] PHP: User Authentication Script
In my phpinfo() I get:

php version 4.0.0
Server API: CGI
..

Is this why it is not working? If so, how does one install PHP as a module?

Please advise.
Thank you.
TR
...
Warren Vail wrote in message:
> http://www.php.net/manual/en/features.http-auth.php also mentions that http
> auth does not work when running php as a CGI, which may also give these
> symptoms.
Re: [PHP] PHP: User Authentication Script
...hello .. Mr.Anthony Ritter ..

Actually I have faced the same problem with you but right now I can fix it.
What you must do is:
1. Turn off your Apache Web Server
2. Edit your httpd.conf file from folder conf under Apache folder.
3. Please add this sentence -- LoadModule php4_module c:/Apache/php/sapi/php4apache.dll -- in it. (the important thing is that php4apache.dll is in that directory; if it isn't, change it to the right position.)
4. Save it
5. Turn Your Apache Web Server on.

I hope it can work now...

Regards,
Farianto.K
PT.Yosibara Inti Corpora
Phone: 62-21-5267645/46
Indonesia

----- Original Message -----
From: Anthony Ritter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 27, 2002 10:01 AM
Subject: Re: [PHP] PHP: User Authentication Script

> In my phpinfo() I get:
>
> php version 4.0.0
> Server API: CGI
> ..
>
> Is this why it is not working? If so, how does one install PHP as a module?
>
> Please advise.
> Thank you.
> TR
> ...
> Warren Vail wrote in message:
> > http://www.php.net/manual/en/features.http-auth.php also mentions that
> > http auth does not work when running php as a CGI, which may also give
> > these symptoms.
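The script in this thread depends on Apache having already split the Authorization header into $PHP_AUTH_USER and $PHP_AUTH_PW, which happens only when PHP runs as an Apache module; Anthony's phpinfo() reports Server API CGI, so those variables are never populated and the script always takes the 401 branch. A CGI program is also expected to report its status through a "Status:" header rather than a raw "HTTP/1.0 401" line, which is consistent with the "malformed header from script" entry in the Apache log. The version below is an added example, not the book's script or anything posted in the thread. It assumes PHP 7 or later; under CGI or FastCGI it assumes the Authorization header has been exported by an Apache rewrite rule (shown in the comment, an assumed configuration), and it lets http_response_code() emit the status in the form the SAPI needs. The user table and hash are constructed stand-ins for a database lookup, and the realm is the one from the book.

```php
<?php
// basic_auth.php: added example, not the book's script or code from the thread.
// Assumes PHP 7+. Under mod_php Apache fills $_SERVER['PHP_AUTH_USER'] and
// ['PHP_AUTH_PW']; under CGI/FastCGI it does not, and the Authorization header
// has to be exported explicitly, e.g. in .htaccess (assumed configuration):
//     RewriteEngine On
//     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
// The user list below is constructed; in practice the hash comes from a database.
declare(strict_types=1);

/**
 * Extract [username, password] from whichever $_SERVER key the SAPI used,
 * or return null when the client sent no Basic credentials.
 */
function basic_credentials(array $server): ?array
{
    // Module SAPI: Apache already decoded the header.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) $server['PHP_AUTH_PW']];
    }
    // CGI/FastCGI: decode the raw header ourselves.
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    // Strict decoding rejects input that a lenient decoder would silently mangle.
    $decoded = base64_decode(trim(substr($raw, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Only the first ':' separates the fields; the password may contain more.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

/**
 * Return the username on success, null on failure. $users maps username to a
 * password_hash() digest.
 */
function authenticate(array $users, ?array $creds): ?string
{
    if ($creds === null) {
        return null;
    }
    [$user, $pass] = $creds;
    // Unknown users are checked against a throwaway hash so the timing of
    // "no such user" matches "wrong password".
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : password_hash('unused', PASSWORD_DEFAULT);
    return (password_verify($pass, $hash) && $known) ? $user : null;
}

function deny(): void
{
    // The realm must be a quoted string. http_response_code() lets the SAPI
    // emit the status the way its server expects (a "Status:" header under
    // CGI, a status line under mod_php) instead of a hand-written
    // "HTTP/1.0 401" header line.
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    http_response_code(401);
    echo 'Authorization Required.';
    exit;
}

// Constructed user table standing in for the database row.
$users = ['jane' => password_hash('mypassword', PASSWORD_DEFAULT)];

$user = authenticate($users, basic_credentials($_SERVER));
if ($user === null) {
    deny();
}
// Echo the username only, never the password, and escape it for HTML.
echo '<p>You have entered this username: '
   . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
```

Basic authentication sends the password base64-encoded, not encrypted, on every request, so this only makes sense over TLS; and because the browser keeps resending the credentials until it is closed, there is no server-side logout.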
[PHP] User Authentication Problem
Hi,

I need to authenticate users on an included page on my website, but the problem is, I can't get it to work.

view it included at http://members.lycos.co.uk/ajohnh/ (Source at http://members.lycos.co.uk/ajohnh/source/index.txt)

the actual file: http://members.lycos.co.uk/ajohnh/templates/twoShea/head.php (source at http://members.lycos.co.uk/ajohnh/source/head.txt)

the location of the script that sets the cookie (I hard-coded the user and password combo for user ramonezrule into it): http://members.lycos.co.uk/ajohnh/templates/twoShea/setcookie.php (source at: http://members.lycos.co.uk/ajohnh/source/setcookie.txt)
[PHP] User Authentication
Hey guys,

What is the best way for user authentication (now i'm talking about the most secure and easiest way). Now i've been using sessions, and i was wondering if cookies were better and easier... any thoughts?

thanks,
Jule

--
Jule Slootbeek
[EMAIL PROTECTED]
http://blindtheory.cjb.net
RE: [PHP] User Authentication
Sessions use cookies as it is...so what do you really want to do...what do you want to protect?

---John Holmes...

-----Original Message-----
From: Jule Slootbeek [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 9:49 PM
To: php-general
Subject: [PHP] User Authentication

> Hey guys,
>
> What is the best way for user authentication (now i'm talking about the
> most secure and easiest way). Now i've been using sessions, and i was
> wondering if cookies were better and easier... any thoughts?
>
> thanks,
> Jule
RE: [PHP] User Authentication
I wouldn't rely on cookies or standard sessions (which use cookies) as a means of security. You can use sessions, but make sure you have the

ini_alter("session.use_cookies", 0);

so that no cookies are used for the session id. This means you'll have to pass the session id in the querystring or post of each page.

Regards
Jarrad Kabral

-----Original Message-----
From: John Holmes [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 5 June 2002 11:48 AM
To: [EMAIL PROTECTED]; 'php-general'
Subject: RE: [PHP] User Authentication

> Sessions use cookies as it is...so what do you really want to do...what do
> you want to protect?
>
> ---John Holmes...
>
> > Hey guys,
> >
> > What is the best way for user authentication (now i'm talking about the
> > most secure and easiest way). Now i've been using sessions, and i was
> > wondering if cookies were better and easier... any thoughts?
> >
> > thanks,
> > Jule
Re: [PHP] User Authentication
John Holmes wrote:
> Sessions use cookies as it is...so what do you really want to do...what do
> you want to protect?
>
> ---John Holmes...

Oh ok, that explains it then... Well thanks for the info anyway. I was basically just wondering which method was recommended..

Jule

--
Jule Slootbeek
[EMAIL PROTECTED]
http://blindtheory.cjb.net
Re: [PHP] User Authentication
Hi Jule:

On Tue, Jun 04, 2002 at 09:48:36PM -0400, Jule Slootbeek wrote:
> What is the best way for user authentication (now i'm talking about the
> most secure and easiest way). Now i've been using sessions, and i was
> wondering if cookies were better and easier...

Regardless of what you do, I strongly suggest not using cookies. Not everyone accepts them. I accept them for a very limited number of sites (like my bank). The rest can drop dead.

The remaining options are URL query strings and HTTP Authentication.

Enjoy,

--Dan

--
PHP classes that make web design easier
SQL Solution | Layout Solution | Form Solution
sqlsolution.info | layoutsolution.info | formsolution.info
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
4015 7 Av #4AJ, Brooklyn NY
v: 718-854-0335 f: 718-854-0409
Re: [PHP] User Authentication
On Wednesday 05 June 2002 10:05, Analysis Solutions wrote:
> Regardless of what you do, I strongly suggest not using cookies. Not everyone accepts them. I accept them for a very limited number of sites (like my bank). The rest can drop dead.

I disagree. If your site has compelling enough content that encouraged the user to register in the first place then I'm pretty sure they won't mind a cookie or two. Just make sure you don't store any sensitive info in the cookie.

--
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* Your reasoning is ____. (fill in the blank) - Russell King on the linux-arm mailing list */
[PHP] User Authentication
Hi,

I had a question on user authentication/member accounts. I have built a MySQL database with users and passwords, and I wrote this code:

<html>
<head><title>LOGIN IN PROGRESS</title></head>
<?php
mysql_connect(HOST, USER, PASS);
mysql_select_db(DB);
?>
<body bgcolor="white">
<h2>PLEASE LOG IN</h2>
<form method="post" action="<?php echo $PHP_SELF; ?>">
<table cellpadding="2" cellspacing="0" border="0">
<tr><td>Username:</td><td><input type="text" name="User" size="10"></td></tr>
<tr><td>Password:</td><td><input type="password" name="Pass" size="10"></td></tr>
<tr><td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td></tr>
</table></form>
<?php
/* $submit, $User and $Pass arrive straight from the form via register_globals. */
if ($submit) {
    /* Escape the username before it goes into the query, otherwise a crafted
       username can rewrite the WHERE clause. */
    $User = mysql_real_escape_string($User);
    $result = mysql_query("select * from Users where User='$User'") or die("cant do it");
    while ($row = mysql_fetch_array($result)) {
        /* Plain-text comparison; nothing is recorded in a session or cookie,
           so about.php has no way of knowing this check ever happened. */
        if ($row["Pass"] == $Pass) {
            printf("Successfully Logged In! <a href=\"about.php\">Click Here</a>");
        }
    }
}
?>
</body>
</html>

So this will work, it recognizes a real user vs. a fake one I do. But I don't understand what's to stop someone from directly linking to a protected page? For example why couldn't someone just go directly to ./about.php. Does this make sense? Should I have the login form in one file and the php script in another? Do I need to check the http header somehow to see if they have logged in?

Thanks.
-Chris
Re: [PHP] User Authentication
On Saturday 30 March 2002 02:24, Omland Christopher m wrote:
> So this will work, it recognizes a real user vs. a fake one I do. But I don't understand what's to stop someone from directly linking to a protected page? For example why couldn't someone just go directly to ./about.php.

You're right there's absolutely nothing to stop them from doing that.

> Does this make sense? Should I have the login form in one file and the php script in another? Do I need to check the http header somehow to see if they have logged in?

The usual way to do login is that after authentication you send the user a cookie. On the subsequent pages that you want to protect you check for the presence of a valid cookie. If one is present you let them view the page, otherwise redirect them to a login page or something.

--
Jason Wong - Gremlins Associates - www.gremlins.com.hk

/* The only way I can lose this election is if I'm caught in bed with a dead girl or a live boy. -- Louisiana governor Edwin Edwards */
RE: [PHP] User Authentication
To solve this problem, I store some variables in a session, and at the beginning of each page that needs to be secure in my site, I check to see if the session variable is set (usually $userid); if not I redirect the user back to the logon page. At least two things will cause the variable to be missing: a direct reference to the page using the URL, and the session having expired.

I also make it a practice of coding a page as two separate php files, the first of which performs the test above and retrieves information and presents it on the web page (this is my presentation layer). The second php program is referenced as the Action of my form, or as a href from an anchor on the form when data is not to be submitted. This second php program may test again for my session variable, but it does only processing (storing data in the database, etc), then does a redirect header("Location: page.php"); some of the redirections will take it back to the page in file one, other redirections will take it to other pages.

The reason for this dual program style is that it avoids the problem with using the POST method of form processing and pressing the back button on the browser (IE and Netscape both issue an error). Because every one of the pages presented in my application are redirected to, they are entered by a GET by default and the back button works fine. The second, process-only program can pass variables to the next form either as GET parameters appended to the URL, or as a session variable. A redirect cannot cause a form to be entered with a POST method that I am aware of.

hope this helps,

Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658

-----Original Message-----
From: Omland Christopher m
Sent: Friday, March 29, 2002 10:25 AM
To: Rouvas Stathis
Cc: Kevin Stone; 'Justin French'; 'php'
Subject: [PHP] User Authentication
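Warren's session check and two-file redirect pattern, together with the "check for a valid cookie on every protected page" step Jason Wong describes in the earlier reply, as an added example that is not either poster's code. The file names (auth_check.php, login.php, profile.php), the $_SESSION['userid'] and 'csrf' keys and the $store callback are all assumed.

```php
<?php
// Added example, not the posters' code. File 1 of the pattern: auth_check.php,
// included at the top of every page that must be protected. PHP's session
// cookie is the "cookie" Jason Wong refers to; the session variable is the
// $userid check Warren describes. All file and variable names are assumed.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: not readable from JavaScript, only sent over HTTPS,
    // not sent on cross-site navigations (array form needs PHP 7.3+).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    session_start();
}

// Where a page may safely send the user after login: a local path only
// (no "//host" or "/\host" forms), so the value cannot become an open redirect.
function safe_return_path(?string $candidate): string
{
    if ($candidate !== null && preg_match('#^/(?![/\\\\])\S*$#', $candidate)) {
        return $candidate;
    }
    return '/';
}

// Warren's test: no $userid in the session means a direct URL hit, an expired
// session, or no login at all. Redirect to the logon page and stop.
function require_login(string $login_url = '/login.php'): int
{
    start_secure_session();
    if (empty($_SESSION['userid'])) {
        $_SESSION['after_login'] = safe_return_path($_SERVER['REQUEST_URI'] ?? null);
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    return (int) $_SESSION['userid'];
}

// Called by login.php once the credentials have been verified. Returns the
// local path the user originally asked for.
function establish_login(int $userid): string
{
    start_secure_session();
    session_regenerate_id(true);          // fresh id after the privilege change
    $_SESSION['userid'] = $userid;
    $_SESSION['csrf']   = bin2hex(random_bytes(16));
    $next = safe_return_path($_SESSION['after_login'] ?? null);
    unset($_SESSION['after_login']);
    return $next;
}

// File 2 of the pattern: the process-only script named in the form's action.
// It renders nothing; it works, then redirects with 303 so the browser arrives
// at the next page by GET and the back button stays usable.
function handle_profile_post(array $post, callable $store): void
{
    $userid = require_login();
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        header('Location: /profile.php', true, 303);
        exit;
    }
    // The form carries the per-session token issued at login; a submission
    // without it (for example one posted from another site) is refused.
    if (!hash_equals($_SESSION['csrf'] ?? '', (string) ($post['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid form token');
    }
    $store($userid, $post);               // caller's database write (assumed)
    $_SESSION['flash'] = 'Saved.';        // message for the page redirected to
    header('Location: /profile.php', true, 303);
    exit;
}
```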
Re: [PHP] User Authentication
on 12/16/01 12:58 PM, Daniel Grace wrote:
> Anyways, though the 401 part works and actually brings up the typical Enter Username/Password box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set. There are no .htaccess files in the directory (or any parent dirs for that matter), and no AuthType directives at all in my httpd.conf file. I have been unsuccessful in determining what is wrong, and am flat out of ideas.

My guess would be that register_globals is off. If I recall correctly, $PHP_AUTH_USER and $PHP_AUTH_PW need register_globals on to work like you want them to. Check phpinfo() to see if another variable, maybe one in the new arrays, will give them to you. If not, you can look for the Authorize Header and then manually parse out the User and PW information.

Paul

<?php
/* Happy Holidays */
mysql_select_db('North_Pole');
mysql_query('SELECT reindeer FROM stable WHERE nose_color=red');
?>
Re: [PHP] User Authentication
Paul Burney wrote:
> My guess would be that register_globals is off. If I recall correctly, $PHP_AUTH_USER and $PHP_AUTH_PW need register_globals on to work like you want them to. Check phpinfo() to see if another variable, maybe one in the new arrays, will give them to you.

Bah, my test page displayed a phpinfo() and I never noticed this... For some reason you were correct. $PHP_AUTH_USER and $PHP_AUTH_PW reside in $_SERVER under PHP 4.1.0 (and thus presumably $HTTP_SERVER_VARS under PHP 4.0.6).

This means I can actually get back to making progress on my site...

--
Daniel Grace
Warning: Undefined variable: signature in email.php on line 35
[PHP] User Authentication
Hello,

I'm working on a website for what will eventually be free PHP/MySQL/Apache/DNS/etc hosting (see: http://hosting.venura.net , no requests for accounts will be entertained right now), and am having problems trying to get HTTP Authentication working. I had it working a month or so ago, but then I put the project on hold for awhile and came back to a mess that wasn't -- don't know how unless I somehow broke it just before I quit working on it.

Anyways, I'm running PHP 4.1.0 (had same problems with 4.0.6 earlier so I know it's not some weird bug with the new version), Apache 1.3.22+mod_ssl and Linux 2.4. I'm working (for now) with a small test script containing this (and running on SSL, which I had no problems with earlier.)

---
<?php
/* Always send the challenge, and echo whatever the browser sent back into
   the realm string so the credentials show up in the login box (test only). */
header("HTTP/1.0 401 Unauthorized");
header("WWW-Authenticate: Basic realm=\"hosting.venura.net Member Services U: " . $PHP_AUTH_USER . ", P: " . $PHP_AUTH_PW . "\"");
?>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>[secure]venura.net :: Unauthorized</title>
</head>
<body>
<?php phpinfo(); ?>
</body>
</html>
---

The idea being that I can see the username/password entered in the authentication box itself. Anyways, though the 401 part works and actually brings up the typical Enter Username/Password box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set. There are no .htaccess files in the directory (or any parent dirs for that matter), and no AuthType directives at all in my httpd.conf file. I have been unsuccessful in determining what is wrong, and am flat out of ideas.

My php.ini and httpd.conf files are available at http://hosting.venura.net/fixme/

Any ideas?

--
Daniel Grace
[PHP] User Authentication
Hi,

Can anyone recommend a good place on the web to learn about user authentication. I want users of my site to login with a username & password - once they are logged in they can see information customised to each separate user. Without being logged in they won't see any valuable information. Especially issues dealing with hackers.

Thanks,
Damien
Re: [PHP] User Authentication
http://www.google.com/search?q=php+mysql+user+authentication&btnG=Google+Search

First hit's a winner :)

Damien Burke wrote:
> Can anyone recommend a good place on the web to learn about user authentication. I want users of my site to login with a username & password - once they are logged in they can see information customised to each separate user.

--
Chris Hobbs
Head Geek / WebMaster / PostMaster
http://www.silvervalley.k12.ca.us
RE: [PHP] User Authentication
Caveat: Don't forget to escape user input before sending to SQL. Those samples leave that part to your imagination. Bad guys might take advantage of that :)

> http://www.google.com/search?q=php+mysql+user+authentication&btnG=Google+Search
>
> First hit's a winner :)
[PHP] User authentication problem.
I found a lot of scripts regarding this user authentication. But most of them are using mysql for their userlist. What if I got a server which has users in it, and I want to reuse the same list of users and passwords in the server. What should I do?

Thank you
Jian An
[PHP] User authentication?
Hi,

does anyone know of any comprehensive tutorial for user authentication & session management with php4 sessions and mysql? Preferably with some sort of code examples? I have tried searching the larger code libraries but haven't found anything that suits me (the ones I actually got interested in were dead links).

Regards

# Daniel Alsén | www.mindbash.com #
# +46 704 86 14 92 #
# ICQ: 63006462 #
Re: [PHP] User Authentication against remote authentication server [ LDAP ]
On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> Thanks for the link, Kurt. Can you also point to any authentication code examples, or further discussion? The user comments in the manual suggest there are at least a couple ways to code stuff, ldap_compare vs ldap_bind. Any additional help appreciated.

I might be able to help if you have some more precise questions, but basically there are two ways LDAP can be used. You can either use it as a data store or you can have LDAP make the authentication decision for you. If you want the user to supply username and password, the authentication can be done as follows:

As data store: Hopefully the passwords are stored encrypted. Then there are two ways. If the password is stored encrypted with some unknown salt where the salt is stored together with the password (like the traditional UNIX way), your PHP script retrieves the encrypted password from LDAP, checks the salt, encrypts the user supplied password using the salt, and compares the two. If you don't use a salt you can encrypt the password from the user and just do an ldap_compare to check that it's the same as in the LDAP server. You get better security by not allowing people to read the encrypted passwords from LDAP. To store passwords encrypted in LDAP, SHA1 might be a good choice, PHP has this.

As decision maker: You can simply bind to the server on behalf of the user, you use the user supplied username and password as arguments to ldap_bind(). If the bind succeeds, you let the user access your stuff. In this case you should consider using SSL/TLS for talking to the server.

There are other ways to authenticate with LDAP, RFC 2829 gives a good overview. You can find it at for instance http://www.ietf.org/rfc/rfc2829.txt

I could go into more detail, but to write a complete general overview would be a lot of work. You might also have a look at a really short presentation I've made at http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf

Stig
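Stig's "decision maker" mode as an added example, not his code: resolve the user's DN with a low-privilege lookup account, then bind as the user over TLS and let the directory decide. The server URI, base DN, lookup account and the uid attribute are placeholders.

```php
<?php
// Added example, not Stig's code. "Decision maker" LDAP authentication:
// the directory checks the password via ldap_bind(), the script only looks
// up the user's DN first. Every value in $cfg is a placeholder.
declare(strict_types=1);

function ldap_authenticate(string $username, string $password, array $cfg): bool
{
    // Many directories treat a bind with an empty password as an anonymous
    // bind, which "succeeds" for any username. Refuse it before connecting.
    if ($username === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect($cfg['uri']);              // e.g. "ldaps://ldap.example.org"
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // do not chase referrals with the user's password
    if ($cfg['starttls'] && !ldap_start_tls($ds)) {
        ldap_close($ds);
        return false;                             // plain text to the server is not acceptable
    }

    // Step 1: bind as the read-only lookup account and find exactly one DN
    // for the username. ldap_escape() keeps a crafted username from changing
    // the filter (the LDAP equivalent of escaping input before SQL).
    if (!@ldap_bind($ds, $cfg['lookup_dn'], $cfg['lookup_pw'])) {
        ldap_close($ds);
        return false;
    }
    $filter = sprintf('(&(objectClass=person)(uid=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = @ldap_search($ds, $cfg['base_dn'], $filter, ['dn']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    if ($entries['count'] !== 1) {
        ldap_close($ds);
        return false;                             // unknown or ambiguous user
    }
    $user_dn = $entries[0]['dn'];

    // Step 2: bind as the user. A successful bind is the directory's decision
    // that the password is correct; nothing about the stored hash is read.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_close($ds);
    return $ok;
}

// Placeholder configuration (constructed, not a real directory).
$cfg = [
    'uri'       => 'ldaps://ldap.example.org',
    'starttls'  => false,                         // already ldaps:// here
    'base_dn'   => 'ou=people,dc=example,dc=org',
    'lookup_dn' => 'cn=lookup,ou=services,dc=example,dc=org',
    'lookup_pw' => 'LOOKUP-PASSWORD-PLACEHOLDER',
];
```

Treat the result exactly as the reply says: a true return grants access, anything else (including connection or TLS failure) denies it.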
RE: [PHP] User Authentication against remote authentication server [ LDAP ]
Thanks very much, Stig, very helpful! We are just scouting the technology right now, so my more precise questions will come later ;) We will be using SSL. Given that, it looks to me like decision maker mode is the way to go?

Kirk

-----Original Message-----
From: Stig Venaas
Sent: Wednesday, October 31, 2001 3:06 AM
To: Johnson, Kirk
Cc: PHP General List
Subject: Re: [PHP] User Authentication against remote authentication server [ LDAP ]
[PHP] User Authentication against remote authentication server
sorry, this might be a little bit off the topic, but I really hope you could help answering this question.

It's pretty clear how to use the web server to authenticate the users/groups, for example, if we are using Apache, the userID and password will be stored in the browser's cache, and be sent to the web server to do the authentication whenever a page is requested. However, if the authentication server is not the web server, instead, it is a remote independent server. How can we manage the user authentications at the web server side?

Thank you very much in advance!
Re: [PHP] User Authentication against remote authentication server
maybe you can write a script (perl/php/*) which tries to check/log/whatever on the remote server, sending a login/password, so if it returns ok you can use it to deny/allow the access to your local webserver.. it's like a kind of authentication proxy

----- Original Message -----
From: Zhu George-CZZ010
Sent: Monday, October 29, 2001 4:39 PM
Subject: [PHP] User Authentication against remote authentication server

> However, if the authentication server is not the web server, instead, it is a remote independent server. How can we manage the user authentications at the web server side?
Re: [PHP] User Authentication against remote authentication server
> However, if the authentication server is not the web server, instead, it is a remote independent server. How can we manage the user authentications at the web server side?

Use LDAP.

http://www.php.net/manual/en/ref.ldap.php
RE: [PHP] User Authentication against remote authentication server [ LDAP ]
Thanks for the link, Kurt. Can you also point to any authentication code examples, or further discussion? The user comments in the manual suggest there are at least a couple ways to code stuff, ldap_compare vs ldap_bind. Any additional help appreciated.

TIA

Kirk

-----Original Message-----
From: Kurt Lieber
Sent: Monday, October 29, 2001 3:58 PM
To: PHP General List
Subject: Re: [PHP] User Authentication against remote authentication server [ LDAP ]

> Use LDAP.
>
> http://www.php.net/manual/en/ref.ldap.php
[PHP] User Authentication / only 1 login per user at any time
Hi,

With most of my scripts, when I am about to write something, I have it in my head on how to do it exactly.. But with only 1 login per user at any time, I haven't found any good ways to do it. All I can think of is to set a mysql field called "logged_in" to "1" or "0" if logged in or not, but the problem with that is if you close the browser, it will stay "logged_in=1". Is the way around that problem to do some sort of timeout code that checks all "logged_in" in the whole table and also a field where it logged the last time the user accesses a page, to see if the user has accessed a page within 20 minutes.. Or is there a better way to do it?

Thanks,
Lewi
Re: [PHP] User Authentication / only 1 login per user at any time
Hi there:

We have this functionality built into our core framework with our custom session handling. The basic premise is that you don't store a 1/0 in a 'logged in' flag, but store the session key with the username. When someone logs in, assign their session key to that username. The previous session key associated with that username will be overwritten, and that user will no longer be able to do anything, because they have no data associated with their session.

To do it like this, you'd need to come up with your own mechanism for deciding if someone was no longer valid - we tie that to session data. No session data, no access. If I log in with your username, you are guaranteed to be 'kicked off'.

Hope that helps...

Lewi Hirvela wrote:
> All I can think of is to set a mysql field called "logged_in" to "1" or "0" if logged in or not, but the problem with that is if you close the browser, it will stay "logged_in=1".

Michael Kimsal
http://www.tapinternet.com/php
PHP Training Courses
734-480-9961
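The "store the session key with the username" scheme from Michael's reply as an added example, not his framework's code. It uses PDO prepared statements throughout, which is also the answer to the "escape user input before sending to SQL" caveat raised in the earlier thread. The users table layout (id, username, password_hash, current_session) and the DSN are assumed.

```php
<?php
// Added example, not Michael Kimsal's framework code. The users table keeps
// the session id of the most recent login; each protected page checks that
// the current session id still matches, so a later login elsewhere kicks the
// earlier one off. A closed browser needs no timeout: its stale id simply
// stays in the table until the next login overwrites it.
// Table and column names and the DSN are assumed.
declare(strict_types=1);

function login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never interpolated into SQL.
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string) $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh id after authentication
    $sid = session_id();
    // Overwrites whatever id the previous login stored: that session is now dead.
    $db->prepare('UPDATE users SET current_session = ? WHERE id = ?')
       ->execute([$sid, $row['id']]);
    $_SESSION['userid'] = (int) $row['id'];
    return true;
}

// Top of every protected page. Returns the user id, or null when the session
// is unauthenticated or has been superseded by a newer login.
function current_user(PDO $db): ?int
{
    if (empty($_SESSION['userid'])) {
        return null;
    }
    $st = $db->prepare('SELECT current_session FROM users WHERE id = ?');
    $st->execute([$_SESSION['userid']]);
    $stored = $st->fetchColumn();
    if ($stored === false || !hash_equals((string) $stored, session_id())) {
        // Superseded (or the user no longer exists): drop this session's data.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['userid'];
}

function logout(PDO $db): void
{
    if (!empty($_SESSION['userid'])) {
        // Clear the stored id only if it is ours, so a logout from a stale
        // tab cannot kick off the newer login.
        $db->prepare('UPDATE users SET current_session = NULL WHERE id = ? AND current_session = ?')
           ->execute([$_SESSION['userid'], session_id()]);
    }
    $_SESSION = [];
    session_destroy();
}

// Usage on a protected page (DSN and credentials are placeholders):
// session_start();
// $db = new PDO('mysql:host=localhost;dbname=app', 'app', 'PLACEHOLDER',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (current_user($db) === null) { header('Location: /login.php', true, 303); exit; }
```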
[PHP] User authentication
Hello,

I set up a user-auth script that checks $PHP_AUTH_USER & $PHP_AUTH_PW against a db with login/pwd information, but on the server my site is hosted on this doesn't work because PHP runs as cgi. How do I do this with PHP running as a cgi?

Thanks in advance.

Regards
Bart
[PHP] User Authentication
Hi all,

Is there a way in php4 to authenticate a user against the system passwords? I have to write a php program to handle student assignment submissions. These users need to be authenticated against a winnt PDC. Samba has a package called winbind that will let me map the pdc's usernames and groups onto the unix ones, with the help of pam. Now I then need to access those through (I assume) the unix getpwent and getgrent commands, so that winbind will be used as the service to lookup the names and passwords. Is this functionality available in php? If not, anybody got any pointers on how to go about writing a wrapper for php for this??

Jason
[PHP] user authentication
Does anyone know of a good user authentication/sessions tutorial for php 4? I've looked through the ones at phpbuilder and they are not quite as in-depth as I would like.

Jerry Lake
Interface Engineering Technician
Europa Communications - http://www.europa.com
Pacifier Online - http://www.pacifier.com
Re: [PHP] user authentication
try: http://www.zend.com/zend/tut/authentication.php

regards,
philip

On Wed, 9 May 2001, Jerry Lake wrote:
> Does anyone know of a good user authentication/sessions tutorial for php 4? I've looked through the ones at phpbuilder and they are not quite as in-depth as I would like.
RE: [PHP] User Authentication
Try this, it works for me.

Mike

<?php
if (!isset($PHP_AUTH_USER)) {
    /* No credentials yet: send the challenge and stop. */
    Header("WWW-Authenticate: Basic realm=\"User Database\"");
    Header("HTTP/1.0 401 Unauthorized");
    echo "<H1>ERROR</H1>You must enter a correct username and password in order to proceed\n";
    exit;
} else {
    if ($PHP_AUTH_USER == "admin" && $PHP_AUTH_PW == "love2change") {
        print "You are successfully authenticated";
    } else {
        /* Wrong credentials: challenge again so the browser re-prompts. */
        Header("WWW-Authenticate: Basic realm=\"User Database\"");
        Header("HTTP/1.0 401 Unauthorized");
        echo "You did not supply proper credentials and are therefore denied login\n";
        exit;
    }
}
?>

-----Original Message-----
From: Amer Alhabsi
Sent: Tuesday, February 27, 2001 1:42 AM
Subject: [PHP] User Authentication
[PHP] User Authentication
Hi,

I'm trying to use an authentication method I found in a tutorial on the net. The server prompts for username/password. But if I enter the hard coded values (or any other values) the server rejects them with a message "authorization failed". I use PHP 4 as a module on IIS.

Thanks very much for any help, here is the program I got from the tutorial.

<?php
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW)) ||
     ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {
    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;
} else {
    echo 'Success!';
}
?>
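The HTTP Basic flow from the two scripts above, as an added example that is none of the posters' code. It reads the credentials from wherever the SAPI exposes them (the $_SERVER['PHP_AUTH_USER'] case found in the register_globals thread, and the raw Authorization header that a CGI PHP only sees when the web server forwards it, as asked in the "PHP runs as cgi" post), then checks them against password hashes instead of values hard-coded in the script. The user store, the realm and the dummy hash are constructed.

```php
<?php
// Added example, not from any of the posts. Resolves HTTP Basic credentials
// from wherever the SAPI puts them, then verifies them against stored hashes
// rather than the hard-coded 'user'/'open' and 'admin' values in the posted
// scripts. Users, passwords and the realm name are constructed samples.
declare(strict_types=1);

// Order: PHP_AUTH_USER/PHP_AUTH_PW in $_SERVER (module SAPI; works with
// register_globals off); else a raw Authorization header, which CGI/FastCGI
// PHP only receives if the web server forwards it (Apache: "CGIPassAuth On"
// in 2.4.13+, or a RewriteRule setting the HTTP_AUTHORIZATION variable, which
// mod_rewrite may expose under the REDIRECT_ prefix).
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
    if ($raw === null || !preg_match('/^\s*Basic\s+([A-Za-z0-9+\/]+=*)\s*$/i', $raw, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);    // strict mode rejects junk characters
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;                           // malformed: treat as no credentials
    }
    // RFC 7617: the user-id cannot contain ':'; everything after the first
    // ':' is the password, which may itself contain colons.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Verify against password_hash() output. A verify runs even for unknown users
// (against a dummy hash) so response time does not reveal which names exist.
function check_credentials(string $user, string $pass, array $users, string $dummyHash): bool
{
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return $known && $ok;
}

function send_challenge(string $realm): void
{
    // Quotes are stripped from the realm so it cannot break the header syntax.
    header('WWW-Authenticate: Basic realm="' . str_replace('"', '', $realm) . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authorization Required.');
}

// Constructed sample user store; in practice the hashes come from a database.
$users = ['user' => password_hash('open', PASSWORD_DEFAULT)];
$dummy = password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

$creds = basic_credentials($_SERVER);
if ($creds === null || !check_credentials($creds[0], $creds[1], $users, $dummy)) {
    send_challenge('Private');
}
echo 'Success!';
```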