Re: [PHP] sessions/cookies

2008-01-23 Thread Jochem Maas

others have given good advice, but let's learn to walk before we run shall we.


1. session_start() should be called once per request.
2. checkValidUser() does a select on all the users in the database, this is *wrong* -
   do a select with a suitable WHERE clause that retrieves the one user that matches the
   given user name and password.
3. GetAccessLevel() uses an undefined property.
4. all the properties ($UserID, $AdminLevel, etc) are only set during the request where
   the user's login credentials are checked. subsequent requests will not have that info.
5. use php5?
6. go back and read the other replies regarding separation of responsibilities
   and encapsulation.


nihilism machine wrote:
> I wrote an authentication class in php4. The sessions don't seem to be
> working with internet explorer, just with FF. here is the code below, a
> cookies notice pops up when you try and login:


> <?php
>
> class auth {
>
>     var $UserID;
>     var $AdminLevel;
>     var $FirstName;
>     var $LastName;
>     var $DateAdded;
>     var $MobileTelephone;
>     var $LandLineTelephone;
>
>     // Connect to the database
>     function auth() {
>         mysql_connect('','','') or die('ERROR: Could not connect to database');
>         mysql_select_db('') or die('ERROR: Could not select database');
>     }
>
>     // Attempt to login a user
>     function CheckValidUser($Email,$Password) {
>         $result = mysql_query('SELECT * FROM Users');
>         $Password = $this->encode($Password);
>
>         if (mysql_num_rows($result) != 0) {
>             while($row = mysql_fetch_assoc($result)) {
>                 if (!strcmp($row['Email'],$Email)) {
>                     if (!strcmp($row['Password'],$Password)) {
>                         // User info stored in Globals
>                         $this->UserID = $row['ID'];
>                         $this->AdminLevel = $row['Admin_Level'];
>                         $this->FirstName = $row['First_Name'];
>                         $this->LastName = $row['Last_Name'];
>                         $this->DateAdded = $row['Date_Added'];
>                         $this->MobileTelephone = $row['Telephone_Mobile'];
>                         $this->LandLineTelephone = $row['Telephone_Land_Line'];
>
>                         // User info stored in Sessions
>                         session_start();
>                         $_SESSION['Status'] = "loggedIn";
>                         $_SESSION['Email'] = $row['Email'];
>                         $_SESSION['AdminLevel'] = $row['Admin_Level'];
>                         $_SESSION['LandLine'] = $row['Telephone_Land_Line'];
>                         $_SESSION['MobileTelephone'] = $row['Telephone_Mobile'];
>                         $_SESSION['FirstName'] = $row['First_Name'];
>                         $_SESSION['LastName'] = $row['Last_Name'];
>                         return true;
>                     }
>                 }
>             }
>             header("Location: index.php?error=invalidLogin");
>         } else {
>             die('ERROR: No Users in the database!');
>         }
>     }
>
>     // Create a new user account
>     function CreateUser($Email, $Password, $AdminLevel,
>             $LandLineTelephone, $MobileTelephone, $FirstName, $LastName) {
>
>         $Password = $this->encode($Password);
>         $this->AccessLevel = $AdminLevel;
>         $DateAdded = date("Y-m-d H:i:s");
>         mysql_query("INSERT INTO Users (Email, Password, Admin_Level,
>             Date_Added, First_Name, Last_Name, Telephone_Land_Line,
>             Telephone_Mobile) VALUES ('$Email','$Password','$AdminLevel',
>             '$DateAdded', '$FirstName', '$LastName', '$LandLineTelephone',
>             '$MobileTelephone')") or die(mysql_error());
>
>         return $this->UserID = mysql_insert_id();
>     }
>
>     // Update a users access level
>     function UpdateAccessLevel($ID,$AdminLevel) {
>         mysql_query("UPDATE Users SET Admin_Level='$AdminLevel' WHERE
>             ID=$ID") or die(mysql_error());
>
>         return true;
>     }
>
>     // Delete a user
>     function DeleteUser($ID) {
>         mysql_query("DELETE FROM Users WHERE ID=$ID") or die(mysql_error());
>
>         return true;
>     }
>
>     // Get a users access level
>     function GetAccessLevel() {
>         return $this->AccessLevel;
>     }
>
>     // Get a users ID
>     function GetUserID() {
>         return $this->UserID;
>     }
>
>     // Log user out
>     function LogOut() {
>         session_start();
>         session_unset();
>         session_destroy();
>         header("Location: index.php");
>     }
>
>     // Check users access level to see if they have clearance for a certain page
>     function CheckUserLevel($RequiredLevel) {
>         if ($_SESSION['AdminLevel'] < $RequiredLevel) {
>             if ($_SESSION['AdminLevel'] == 2) {
>                 header("Location: financial.php");
>             } else if ($_SESSION['AdminLevel'] == 1) {
>                 header("Location: user.php");
>             } else {
>                 header("Location: index.php");
>             }
>         }
>     }
>
>     // Check to see if a user is logged in
>     function CheckLoggedIn() {
>         session_start();
>         if ($_SESSION['Status'] !=
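
Points 1, 2 and 4 of the list above, as an added example that is not part of the original thread or the poster's class. It assumes PHP 7.1+ with pdo_sqlite; the in-memory table and sample user are constructed, and password_hash()/password_verify() stand in for the class's encode() method, which the thread does not show.

```php
<?php
// Added example. Schema, sample user and password are constructed.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (ID INTEGER PRIMARY KEY, Email TEXT UNIQUE,
               Password TEXT, Admin_Level INTEGER)');
    $db->prepare('INSERT INTO Users (Email, Password, Admin_Level) VALUES (?, ?, ?)')
       ->execute(['alice@example.test', password_hash('constructed-pass', PASSWORD_DEFAULT), 2]);
    return $db;
}

// Point 2: select only the row for this e-mail through a bound parameter,
// then check the stored hash, instead of looping over every user.
function findValidUser(PDO $db, string $email, string $password): ?array {
    $q = $db->prepare('SELECT ID, Password FROM Users WHERE Email = ?');
    $q->execute([$email]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return ['ID' => (int) $row['ID']];
}

// Point 1: a single place that starts the session, once per request.
function startSessionOnce(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function logIn(PDO $db, string $email, string $password): bool {
    $user = findValidUser($db, $email, $password);
    if ($user === null) { return false; }
    session_regenerate_id(true);          // fresh session ID at login
    $_SESSION['UserID'] = $user['ID'];    // keep only the key in the session
    return true;
}

// Point 4: on later requests the user is reloaded from the session's ID,
// not from object properties that existed only during the login request.
function currentUser(PDO $db): ?array {
    if (!isset($_SESSION['UserID'])) { return null; }
    $q = $db->prepare('SELECT ID, Email, Admin_Level FROM Users WHERE ID = ?');
    $q->execute([$_SESSION['UserID']]);
    return $q->fetch(PDO::FETCH_ASSOC) ?: null;
}

$db = makeDb();
startSessionOnce();
$results = [logIn($db, 'alice@example.test', 'wrong'),
            logIn($db, 'alice@example.test', 'constructed-pass'), currentUser($db)];
var_dump($results);
```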

Re: [PHP] sessions/cookies

2008-01-22 Thread Eric Butera
On Jan 22, 2008 9:15 PM, nihilism machine [EMAIL PROTECTED] wrote:
> I wrote an authentication class in php4. The sessions don't seem to be
> working with internet explorer, just with FF. here is the code below,
> a cookies notice pops up when you try and login:

Hi,

I took a quick look at your code.  I haven't pin-pointed exactly what
the issue is because there is really way too much going on there.  I'd
suggest you look at your error log and see if there are any warnings.
Here is some advice:

- Having a class named auth is a bad idea.  Is auth authentication
or authorization?

- The auth class itself really shouldn't be directly accessing the
session or database.  You should write drivers and interfaces that
implement this functionality for you.

- Hard coding header redirects (That aren't absolute by the way) means
you have to modify your authorization class instead of behavior based
on if you log in or not.  That isn't a good idea.

By separating out concerns it will make your class a lot smaller and
easier to work with.  I realize this link I'm posting is called auth
too, but that wasn't my choice.  You can see that they have drivers so
that authentication itself is a generic idea and you implement it
against a specific thing such as a mysql users table or htpassword.

http://solarphp.com/package/Solar_Auth

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] sessions/cookies

2008-01-22 Thread Nathan Nobbe
On Jan 22, 2008 9:54 PM, Eric Butera [EMAIL PROTECTED] wrote:

> I realize this link I'm posting is called auth
> too, but that wasn't my choice.

that was kind of funny after your initial criticism above, but to solar's credit,
it's the auth 'package' so really the name isn't too bad, i'd say.

> You can see that they have drivers so
> that authentication itself is a generic idea and you implement it
> against a specific thing such as a mysql users table or htpassword.

eric is totally right here; at a quick look at your code, i saw auth, ...
create user,.. database.. cookie; i'm thinking what exactly is going on here.
the general idea behind a class is to 'encapsulate' things that change into a
little self-contained unit.  ideally the class doesn't know how the insides of other
classes work, nor do other classes know how it works on the inside.  in order
to realize this, you should strive for classes with a high degree of cohesion.
http://en.wikipedia.org/wiki/Cohesion_(computer_science)
although there is no real metric for this concept, most people can grasp the
concept and have an idea when code has either a low or high degree of cohesion.

if you want some advice on your class, i would start by breaking out the
CheckUserLevel(), and CreateUser() methods into a User class, you might
also consider a Session class.
if you want some advice on how to solve your problem here is my suggestion;
you need to isolate the behavior that is not working correctly.  this feat becomes
difficult when you have lots of variable behaviors in one place.  break your class
into pieces and test the pieces individually; once they all work individually, then
they should work as a group without too much effort.  if that isn't working (when
you get there) then the code that glues it all together is to blame.

-nathan


Re: [PHP] Sessions /cookies issue

2006-10-18 Thread Chris

Dave Goodchild wrote:

> Hi all. I am building a web app which uses sessions to retain user data
> between pages and finally enter that data into mysql - I have noticed that
> out of 100 entries in the database, 10% are blank. I tested this by setting
> a cookie on the home page and when the user navigated to the form pages,
> tested whether that cookie was set and if not issuing a warning with some
> cookie tutorial info for the user.
>
> Before I used the simple test cookie, obviously the only cookie that was
> being set was PHPSESSID. All the users who entered blank records were using
> IE. When I test using IE this end, the session cookie is set with no
> problems and my IE security settings are set to medium. I know IE will
> accept certain third-party cookies at this setting, but what's the criteria
> and has anyone else encountered this problem?


3rd party cookies are tough.

You'll need to look at p3p headers & a p3p policy to get them through IE.

--
Postgresql & php tutorials
http://www.designmagick.com/




RE: [PHP] sessions cookies

2004-06-19 Thread Michael Sims
Scott Taylor wrote:
> How exactly do sessions work?  I've heard that if cookies are disabled
> that a session will then pass its variables in the url (through GET).
> Yet when I manually disable cookies none of my pages work (because the
> $_SESSION variables do not seem to be working).

The variables themselves aren't passed, only a session ID, and that is only
passed through GET/POST if transparent SID support is enabled (it is
disabled by default).  You can change the session.use_trans_sid setting in
your php.ini file or if your server supports .htaccess you can create one
and add "php_flag session.use_trans_sid on" to it.  For more information see
the manual: http://www.php.net/manual/en/ref.session.php




RE: [PHP] Sessions, Cookies, and Subdomains

2002-12-02 Thread John W. Holmes
[snip]
> I want to have my website split into several
> subdomains with a shared user system. That is to say that when someone logs into
> foo.mysite.com they'd also be logged into bar.mysite.com when they go to
> it.  It is my understanding that php sessions will not work in this way,
> being that each subdomain has its own sessions.  If this is the case, is there a
> way around this?  If it is the case and there isn't a way around this, is
> this able to be done with regular cookies?

You'll want to implement your own session handler and store the data in
a database. Then you can access and load the session variables from any
domain with access to the database. 

> Also, php sessions only last a
> certain amount of time.  I'd like for users to remain logged in indefinitely if
> they choose to do so while logging in.  Assuming this is absolutely
> impossible in sessions, is it feasible to use php sessions as the basis of
> my user system, but use cookies as a secondary to it if users choose to
> remain logged
> in?  Any help at all would be really appreciated, because I'd like to get
> the new version of my site rolled out soon.

If you want a remember me feature, then you'll have to implement
something with cookies. Sessions will remain active as long as the user
is active. If they are inactive for a certain amount of time (which you
can set in php.ini) then their session file will be erased. 

Hope that helps.

---John Holmes...







Re: [PHP] Sessions/Cookies and HTTP Auth

2002-03-27 Thread maxwello

When using cookies,  if you don't set an expiration time, the cookie is only
good until the session expires.  It doesn't get saved, and it disappears
when the user closes their browser.

Many browsers have different settings/preferences for session cookies, and
because they don't get saved to your disk, you may not be prompted.

This might also explain someone's question a little while back (not sure if
it got answered or not) about why they couldn't find the cookie on their
hdd.

Maxwell


- Original Message -
From: David McInnis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 27, 2002 7:10 PM
Subject: [PHP] Sessions/Cookies and HTTP Auth



> Here is the scenario.
>
> 1.  I set my browser to block all cookies.
> 2.  I access this script.
> 3.  I am thinking that I should get an error because I presume that
> session_start() will attempt to set a cookie (which it appears to do).
> (I tried setcookie() too and the cookie was accepted.)
>
> My question is this.
>
> When using httpauth, does httpauth override your cookie preferences?
>
> David
>
>
> *** my code **
>
>
> <?php
> require "/home/www/common/_ini/_main.ini.php";
>
> $auth = false; // Assume user is not authenticated
>
> if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
>
>     // Escape the client-supplied credentials before building the query
>     $user = mysql_real_escape_string($PHP_AUTH_USER, $connection);
>     $pass = mysql_real_escape_string($PHP_AUTH_PW, $connection);
>
>     $sql = "SELECT * FROM staff WHERE
>         username = '$user' AND
>         password = '$pass'";
>
>     $result = @mysql_query($sql, $connection)
>         or die ('Database Error - Could not select create data from projects.');
>
>     // Get number of rows in $result.
>     $numrows = mysql_num_rows( $result );
>
>     if ( $numrows > 0 ) {
>         // A matching row was found - the user is authenticated.
>         $auth = true;
>     }
>
> }
>
> if ( ! $auth ) {
>
>     header( 'WWW-Authenticate: Basic realm="Private Extranet"' );
>     header( 'HTTP/1.0 401 Unauthorized' );
>     echo 'Authorization Required.';
>     exit;
>
> } else {
>     session_start();
>     echo '<P>You are authorized!</P>';
>     phpinfo();
> }
>
> ?>











Re: [PHP] sessions / cookies / header(Location...

2001-05-17 Thread Chris Lee

yup, your browser is not accepting cookies. that's a good guess. when a browser does
not accept cookies, trans-sid will kick in, trans-sid will not work on full urls, just
relative urls.

no trans-sid
http://www.mediawaveonline.com/index.php

trans-sid
/index.php

header redirects require (supposed to require) full urls. in other words it's a good
idea to put PHPSESSID=$PHPSESSID on all your full urls anyhow, just in case for
non-cookie browsers.

-- 

 Chris Lee
 [EMAIL PROTECTED]



Christian Dechery [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> I have a page that does a login... right after the login is successful it
> registers a session var called 'userid'... and does a header("Location:
> newpage.php") which checks for the existence of this var... if it exists it
> will show, otherwise it goes back to the login page...
>
> the weird thing is... it always worked fine, even if I logged in and out
> with three different users to test it... but now it only works if I replace
> the header() thing with:
> header("Location: newpage.php?PHPSESSID=$PHPSESSID")
>
> why is this weird now? it used to work...
> and the weird thing is... while in newpage.php the user does some stuff
> which calls itself and also gets this 'userid' var... and gets it fine
> without any PHPSESSID stuff...
>
> any clues?









Re: [PHP] sessions / cookies / header(Location...

2001-05-17 Thread Christian Dechery

it does not have anything to do with my browser... that's for sure...
I'm using MSIE 5.5, and never had any trouble... and as I said on the 
email... it used to work fine... it just stopped working...

and now yet some fresh info... it's working again now... I've tried...
one thing I noticed, that when I was testing and it was not working f2s.com
was really slow... sluggish really... then 1 hour later got faster... I
tested it and it worked...

so... does speed have anything to do with it? Maybe they were doing some
maintenance or whatever...



At 14:35 17/5/2001 -0500, Chris Lee wrote:
> yup, your browser is not accepting cookies. that's a good guess. when a
> browser does not accept cookies, trans-sid will kick in, trans-sid will
> not work on full urls, just relative urls.
>
> no trans-sid
> http://www.mediawaveonline.com/index.php
>
> trans-sid
> /index.php
>
> header redirects require (supposed to require) full urls. in other words
> it's a good idea to put PHPSESSID=$PHPSESSID on all your full urls anyhow,
> just in case for non-cookie browsers.
>
> --
>
>   Chris Lee
>   [EMAIL PROTECTED]
>
> Christian Dechery [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > I have a page that does a login... right after the login is successful it
> > registers a session var called 'userid'... and does a header("Location:
> > newpage.php") which checks for the existence of this var... if it exists it
> > will show, otherwise it goes back to the login page...
> >
> > the weird thing is... it always worked fine, even if I logged in and out
> > with three different users to test it... but now it only works if I replace
> > the header() thing with:
> > header("Location: newpage.php?PHPSESSID=$PHPSESSID")
> >
> > why is this weird now? it used to work...
> > and the weird thing is... while in newpage.php the user does some stuff
> > which calls itself and also gets this 'userid' var... and gets it fine
> > without any PHPSESSID stuff...
> >
> > any clues?


. Christian Dechery (lemming)
. http://www.tanamesa.com.br
. Gaita-L Owner / Web Developer

