[PHP] User Authentication across multiple server

2009-03-06 Thread Edmund Hertle
Hey,

I've got 2 servers, both having the same authentication scripts and using the
same database. My problems are:
1.: User logs in on server1 - tries to use a part of the site which is
physically located on server2 - has to login again on server2
2.: There is a wiki on server2, which also depends on the same
user-database-table. Is there a way to login the user automatically to that
wiki?

The only method which possibly could work and came to my mind was using
somehow $_GET parameter for username and password (encrypted).

Thoughts?

-eddy


Re: [PHP] User Authentication across multiple server

2009-03-06 Thread Paul Scott
On Fri, 2009-03-06 at 10:09 +0100, Edmund Hertle wrote:

 The only method which possibly could work and came to my mind was using
 somehow $_GET parameter for username and password (encrypted).

Set a cookie and crypt that (RC4 works well) and then check for the
cookie on both sites. Kind of like a Remember me type deal

-- Paul


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] User Authentication across multiple server

2009-03-06 Thread j's php general
On Fri, Mar 6, 2009 at 5:14 PM, Paul Scott psc...@uwc.ac.za wrote:
 On Fri, 2009-03-06 at 10:09 +0100, Edmund Hertle wrote:

 The only method which possibly could work and came to my mind was using
 somehow $_GET parameter for username and password (encrypted).

 Set a cookie and crypt that (RC4 works well) and then check for the
 cookie on both sites. Kind of like a Remember me type deal

 -- Paul





I believe you can do this with a database to handle session, I haven't
used that myself though.

-- 
-
http://www.lampadmins.com




Re: [PHP] User Authentication across multiple server

2009-03-06 Thread Michael A. Peters

Edmund Hertle wrote:

Hey,

I've got 2 server, both having the same authentication scripts and using the
same database. My problems are:
1.: User logs in on server1 - trys to use a part of the site which is
physically located on server2 - has to login again on server2
2.: There is a wiki on server2, which also depends on the same
user-database-table. Is there a way to login the user automatically to that
wiki?

The only method which possibly could work and came to my mind was using
somehow $_GET parameter for username and password (encrypted).

Thoughts?

-eddy



Do you use the database for your session management?
If you do, since both servers talk to the same database, it should be easy.

ini_set('session.cookie_domain', '.yourdomain.org');

Any server on your domain will be able to read the session cookie, and 
if your sessions are database driven, authenticate the session ID.





[PHP] user authentication

2006-04-11 Thread Alain Roger
Hi,

I'm sure that it's a stupid question but I would like to have your feedback
on it.

I have MySQL with 2 users in the mysql database which are root and
uimmense.
I suppose that what I see in the password field is the sha1 crypted
password.

Is it correct or not?

But let's continue...
In fact, my web application should use a database named immense.
In this database, there is a table named profiles.
In this table, the login uimmense and its MD5 password are stored.

The problem is:
When I use mysql_connect('localhost','uimmense',myMD5password); to connect
to MySQL database system, the connection is refused because the MD5 password
does not correspond to what is saved into users table within mysql
database... :-(

Here is my question:
All my users registered into my immense database, should they also be
registered as users of MySQL database system? (which is stored into users
table, into mysql database)?

Is it clear?

I do not see it as really realistic if, every time a new user is registered to
my application, I have to create a profile for him in the MySQL database.

thanks a lot,
Alain


RE: [PHP] user authentication

2006-04-11 Thread Jim Moseby
 i do not see really realistic if everytime that a new user is 
 registered to
 my application, i have to create him a profile for MySQL database.


Is there a reason you need to have each user login into mysql individually?
Most often a single login is used for the script to log into the database,
and all the user authentication is handled at the PHP level.

JM




RE: [PHP] user authentication

2006-04-11 Thread Jay Blanchard
[snip]
i'm sure that it's a stupid question but i would like to have your
feedback
on it.

i have MySQL  with 2 users in the mysql database which are root and
uimmense.
i suppose that what i see in the password field is the sha1 crypted
password.

is it correct or not ?

but lets continue...
in fact, my web application should use a database named immense.
in this database, there is a table named profiles.
in this table, the login uimmense and its MD5 password are stored.

the problem is :
when i use mysql_connect('localhost','uimmense',myMD5password); to
connect
to MySQL database system, the connection is refused because the MD5
password
does not correspond to what is saved into users table within mysql
database... :-(

here is my question :
all my users registered into my immense database, should be also
registered as users of MySQL database system ? (which is stored into
users
table, into mysql database) ?

is it clear ?

i do not see really realistic if everytime that a new user is registered
to
my application, i have to create him a profile for MySQL database.
[/snip]

This is more suitable as a MySQL question. Having said that;

If you wish the user to have permissions on the MySQL database then you
must grant them permissions at which time they are added to the MySQL
user's database. Once they are added you must then flush the privileges
so that their permissions take effect. You can do this during
registration by executing these queries if the PHP user has permissions
to perform grants on the database. In all likelihood the PHP user (the
user which the script runs as) does not have permission to perform
grants.

http://www.mysql.com/grant
http://www.mysql.com/flush




Fwd: [PHP] user authentication

2006-04-11 Thread Alain Roger
In fact, no.

I can have 1 MySQL database system profile, uimmense, to connect to the
database,
and afterwards check via a PHP script whether my user is registered in MY
database immense (checking profile and password).

If it's OK, the query or stored procedure can be executed; if not, the connection to
the DB is closed.

I was thinking of doing such a solution but I'm not so sure about the security level
:-(

Alain


 On 4/11/06, Jay Blanchard [EMAIL PROTECTED] wrote:

 [snip]
 i'm sure that it's a stupid question but i would like to have your
 feedback
 on it.

 i have MySQL  with 2 users in the mysql database which are root and
 uimmense.
 i suppose that what i see in the password field is the sha1 crypted
 password.

 is it correct or not ?

 but lets continue...
 in fact, my web application should use a database named immense.
 in this database, there is a table named profiles.
 in this table, the login uimmense and its MD5 password are stored.

 the problem is :
 when i use mysql_connect('localhost','uimmense',myMD5password); to
 connect
 to MySQL database system, the connection is refused because the MD5
 password
 does not correspond to what is saved into users table within mysql
 database... :-(

 here is my question :
 all my users registered into my immense database, should be also
 registered as users of MySQL database system ? (which is stored into
 users
 table, into mysql database) ?

 is it clear ?

 i do not see really realistic if everytime that a new user is registered
 to
 my application, i have to create him a profile for MySQL database.
 [/snip]

 This is more suitable as a MySQL question. Having said that;

 If you wish the user to have permissions on the MySQL database then you
 must grant them permissions at which time they are added to the MySQL
 user's database. Once they are added you must then flush the privileges
 so that their permissions take effect. You can do this during
 registration by executing these queries if the PHP user has permissions
 to perform grants on the database. In all likelihood the PHP user (the
 user which the script runs as) does not have permission to perform
 grants.

 http://www.mysql.com/grant
 http://www.mysql.com/flush




Re: [PHP] user authentication

2006-04-11 Thread Richard Lynch
On Tue, April 11, 2006 10:31 am, Alain Roger wrote:
 i have MySQL  with 2 users in the mysql database which are root and
 uimmense.
 i suppose that what i see in the password field is the sha1 crypted
 password.

 is it correct or not ?

It could be SHA1, or it could be something else...

It *IS* the output from the MySQL password() function which changed
its internals from version to version, and which you should avoid
using for that reason.

 but lets continue...
 in fact, my web application should use a database named immense.
 in this database, there is a table named profiles.
 in this table, the login uimmense and its MD5 password are stored.

Let's be clear, here.

Did you store:
password

Or did you store:
5f4dcc3b5aa765d61d8327deb882cf99
(I.E., md5('password'))

You should probably NOT be storing the plain-text version in your
database, unless you are looking at a super-low security needs
application.

 the problem is :
 when i use mysql_connect('localhost','uimmense',myMD5password); to
 connect
 to MySQL database system, the connection is refused because the MD5
 password
 does not correspond to what is saved into users table within mysql
 database... :-(

If you are sending in:
5f4dcc3b5aa765d61d8327deb882cf99
as the password, that is not gonna work...

Here's what MySQL does (more or less):

$query = "SELECT pass FROM mysql.user WHERE user = '$user' AND host = '$host'";
$result = mysql_query($query) or die(mysql_error());
$valid_md5 = mysql_result($result, 0); // the stored hash, not the password
if (md5($pass) === $valid_md5){
  //valid user
}
else{
  //invalid user
}

The whole POINT of this process is that if somebody breaks into your
MySQL database somehow, and they've got:
5f4dcc3b5aa765d61d8327deb882cf99
they can't USE that because they don't know the original password.

So MySQL isn't looking for you to send: 5f4dcc3b5aa765d61d8327deb882cf99

You have to send the password whose md5() hash is
5f4dcc3b5aa765d61d8327deb882cf99
(Which happens to be 'password' in this case)

This same technique of storing ONLY a one-way encrypted value so that
the data itself is useless for logging in is used all over the place
in the computer industry.

 here is my question :
 all my users registered into my immense database, should be also
 registered as users of MySQL database system ? (which is stored into
 users
 table, into mysql database) ?

Probably not.

You've got TWO levels / meanings of users here:

MySQL 'user' which executes queries on behalf of your PHP scripts.

Your PHP application / website has 'users' which are allowed to do
specific things within your PHP application -- based on whatever logic
/ rules YOU want to impose.

Now, sometimes, there will be a correlation between these two sets of
users.

For example, you might set up TWO MySQL users:
'admin'
'uimmense'

And your web application might have two different classes of users:
'visitor'
'admin'

And then, in the PHP code, in the '/admin/admin.php' scripts, you'd
use the 'admin' MySQL user, which has insert/update/delete
permissions.

But your homepage and other pages for normal visitors would use the
'visitor' user to connect, and they have only SELECT privileges.

Of course, there are some wrinkles here:

Maybe the 'visitor' needs INSERT access to a 'guestbook' table so they
can add comments.

Or maybe the 'visitor' needs INSERT/UPDATE/DELETE on a 'session' table
so you can store PHP session data in MySQL.

Still, those would be exceptions to the general rule that 'visitor'
only does SELECT on most tables.

 is it clear ?

 i do not see really realistic if everytime that a new user is
 registered to
 my application, i have to create him a profile for MySQL database.

There might be specific applications where this would be true, like a
webhost Control Panel -- though that also probably would have an even
more complex MySQL-user/Site-user relationship.

But, no, in general, you should not be adding a new user into
mysql.user table for each registered user of a web application.

You DO need to sit down and work out what classes of user you need,
and what level of complexity you want to work with.

*MANY* simple sites just have one user to connect to MySQL with
SELECT/INSERT/UPDATE/DELETE privileges and that's it on the MySQL
side.

On the web application side, you'd have one or two classes of user:
'visitor' and 'admin' and only your PHP logic and authentication keeps
'admin' usage safe from all 'visitors'

This is, admittedly, not quite as good a defense in depth where you
have 'visitor' and 'admin' users in MySQL, but on most shared hosts,
you don't really have any other options.

So you test the PHP authentication very heavily, and make SURE the
passwords for 'admin' users are good passwords, and build in a bit of
extra protection defense in depth into the admin authentication logic.

Security is not binary.  It's a gradient.

You have to really think hard about it, all day, every day, if you
want anything more than token appearances of security

-- 
Like Music?
http://l-i-e.com/artists.htm
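
The two points made in the message above, as an added example that is not part of the original post: the script connects with one database account, application users live in a `profiles` table, and only a one-way value is stored, so presenting the stored value as the password fails. PHP's `password_hash()` / `password_verify()` (salted, slow hash) are swapped in for the bare `md5()` used as illustration in the message; the column names, the sample account and the in-memory SQLite connection are assumptions.

```php
<?php
// Added example (not from the thread). SQLite in memory stands in for the
// single connection the script would make as the 'uimmense' MySQL user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE profiles (
    login     TEXT PRIMARY KEY,
    pass_hash TEXT NOT NULL,
    role      TEXT NOT NULL CHECK (role IN ('visitor', 'admin'))
)");

// Computed once, so an unknown login costs the same work as a known one.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function register_user(PDO $db, string $login, string $password, string $role): void
{
    // Only the one-way hash reaches the table; the plain password is never stored.
    $st = $db->prepare('INSERT INTO profiles (login, pass_hash, role) VALUES (?, ?, ?)');
    $st->execute([$login, password_hash($password, PASSWORD_DEFAULT), $role]);
}

/** Returns the application role on success, null on any failure. */
function authenticate(PDO $db, string $login, string $password): ?string
{
    $st = $db->prepare('SELECT pass_hash, role FROM profiles WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // Always run one verification, against a dummy hash if the login is unknown.
    $hash = $row['pass_hash'] ?? DUMMY_HASH;
    $ok   = password_verify($password, $hash);

    return ($row !== false && $ok) ? $row['role'] : null;
}

// Constructed account for the demonstration.
register_user($db, 'alice', 'correct horse battery staple', 'admin');

// What someone reading the profiles table would obtain.
$stored = $db->query("SELECT pass_hash FROM profiles WHERE login = 'alice'")->fetchColumn();

var_dump(authenticate($db, 'alice', 'correct horse battery staple')); // the real password
var_dump(authenticate($db, 'alice', $stored));                        // the stored hash sent as the password
var_dump(authenticate($db, 'nobody', 'x'));                           // login that does not exist
```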


RE: [PHP] User authentication

2003-10-03 Thread Jeff McKeon


 --- Jeff McKeon [EMAIL PROTECTED] wrote:
  $_SESSION['userid'] = $userid;
  $_SESSION['userpassword'] = $userpassword;
 
 [snip]
 
  Anything look wrong or insecure with all of this?
 
 The only thing that catches my attention is your assignments 
 for $_SESSION['userid'] and $_SESSION['userpassword']. I 
 assume you are performing some strict data validation on 
 $userid and $userpassword before this assignment, right? If 
 not, this presents a significant risk, because $_SESSION is a 
 trusted array (it comes from the server, not the client).
 
 Hope that helps.
 
 Chris

Well both variables $userid and $userpassword are bounced off of a user
database table, if the username/password don't match then the session
variables are cleared with a  session_destroy() call.  Is that a good
enough validation?

[code begin]

session_start();
if(!isset($userid)) {
    login_form();
    exit;
}
else {
    $_SESSION['userid'] = $userid;
    $_SESSION['userpassword'] = $userpassword;
    $username = auth_user($userid, $userpassword);
    if(!$username) {
        echo "user " . $userid . $userpassword . " Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
        echo "If you do not have login, please contact Operations to obtain one.<br>\n";
        session_destroy();
        exit;
    }
    else echo "welcome, $username!";
    echo gmmktime();
    echo "<a href='./test_auth.php'>Continue</a>";
    echo "<a href='./new_ticket.php'>Ticket</a>";
}

function auth_user($userid, $userpassword) {

    global $default_dbname, $user_tablename;

    $link_id = db_connect($default_dbname);
    $query = "SELECT username FROM $user_tablename WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if(!mysql_num_rows($result)) return 0;
    else {
        // record the time of this successful login
        $stamp = gmmktime();
        $query2 = "update $user_tablename set idle_time = $stamp where userid = '$userid'";
        $result2 = mysql_query($query2);

        // cache the edit permission in the session
        $query3 = "select CanEdit from $user_tablename where userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];

        $query_data=mysql_fetch_row($result);
        return $query_data[0];
    }
}

[code end]




RE: [PHP] User authentication

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon [EMAIL PROTECTED] wrote:
 Well both variables $userid and $userpassword are bounced off of a
 user database table, if the username/password don't match then the
 session variables are cleared with a  session_destroy() call. Is that
 a good enough validation?

Yes, as long as you realize that you have now shifted the trust to those values
in the database. As long as there is no way for a user to inject malicious code
during the registration process (or however the username and password end up in
the database), then that part should be fine.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




[PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Ok,

I've got the user authentication thing down and now I'm continuing to
build my trouble ticket tracking system.

So from a customer profile page there is a link to Open Ticket which
brings up a page to open a trouble ticket.  

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

The user is validated for permissions and timeout based on the $_SESSION
variables established before the open ticket page is loaded.

I then have a form that they fill in with the minimum info to create a
new ticket.  Some info is passed to the open ticket page from the
customer profile page via a GET method and entered into hidden form
fields. 

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

On the open ticket page I have 2 functions, the first is a form for
entering in the ticket info, the second is a function to take the
information and update the database with it when the form is submitted,
then reload the page with a display of the ticket info.

The problem I'm having is with the $_GET variables.  I guess I'm not
declaring them correctly.  Do I need to set them as soon as the page
loads, and outside of any functions like so..

[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]

Or do I need to declare them in each function?

[code start]
Function blah(){
global $custname, $custid;

$custid = $_GET['custid'];
$custname = $_GET['custname'];
DO SOME STUFF
}

Function foo(){
global $custname, $custid;

$custid = $_GET['custid'];
$custname = $_GET['custname'];
DO SOME STUFF
}
[code end]

Or am I way off and there is another way of doing it?

Also I've noticed that when I do an mysql_query("select name from foo
where name='$somevariable'") I cannot use $_GET['somevariable'] or
$_POST['somevariable'] in the sql string, I find I need to do a $name =
$_GET['somevariable'] first and then use $name.  Why is this?

Thanks,

Jeff




RE: [PHP] User authentication

2003-10-03 Thread Jeff McKeon
Yes, I'm the one creating the accounts in the database, users can't
create their own accounts nor do they have permissions to create new
users.

Thanks!

Jeff

 -Original Message-
 From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 03, 2003 3:09 PM
 To: Jeff McKeon; php
 Subject: RE: [PHP] User authentication
 
 
 --- Jeff McKeon [EMAIL PROTECTED] wrote:
  Well both variables $userid and $userpassword are bounced off of a 
  user database table, if the username/password don't match then the 
  session variables are cleared with a  session_destroy() 
 call. Is that 
  a good enough validation?
 
 Yes, as long as you realize that you have now shifted the 
 trust to those values in the database. As long as there is no 
 way for a user to inject malicious code during the 
 registration process (or however the username and password 
 end up in the database), then that part should be fine.
 
 Hope that helps.
 
 Chris
 
 =
 My Blog
  http://shiflett.org/
 HTTP Developer's Handbook
  http://httphandbook.org/
 RAMP Training Courses
  http://www.nyphp.org/ramp
 
 
 




Re: [PHP] User Authentication Continued....

2003-10-03 Thread Kris Yates
I guess you would either need to make the vars global or else keep 
redeclaring them.  Obviously, redeclaring them in each function 
$var=$_GET[whatever] is technically the more secure method.

Kris

Jeff McKeon wrote:

Ok,

I've got the user authentication thing down and now I'm continuing to
build my trouble ticket tracking system.
So from a customer profile page there is a link to Open Ticket which
brings up a page to open a trouble ticket.  

[html code]
HREF=./open_ticket.php?custid=$custidcustname=$custname
[html code]
The user is validated for permissions and timeout based on the $_SESSION
variables established before the open ticket page is loaded.
I then have a form that they fill in with the minimum info to create a
new ticket.  Some info is passed to the open ticket page from the
customer profile page via a GET method and enterred into hidden form
fields. 

[html code]
HREF=./open_ticket.php?custid=$custidcustname=$custname
[html code]
On the open ticket page I have 2 functions, the first is a form for
entering in the ticket info, the second is a function to take the
information and update the database with it when the form is submitted,
then reload the page with a display of the ticket info.
The problem I'm having is with the $_GET variables.  I guess I'm not
declaring them correctly.  Do I need to set them as soon as the page
loads, and outside of any functions like so..
[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]
Or do I need to declare them in each funtion?

[code start]
Function blah(){
global $custname, $custid;
$custid = $_GET['custid'];
$custname = $_GET['custname'];
DO SOME STUFF
}
Function foo(){
global $custname, $custid;
$custid = $_GET['custid'];
$custname = $_GET['custname'];
DO SOME STUFF
}
[code end]
Or am I way off and there is another way of doing it?

Also I've noticed that when I do an mysql_query(select name from foo
where name='$somevariable') I cannot use $_GET['somevariable'] or
$_POST['somevariable'] in the sql string, I find I need to do a $name =
$_GET['somevariable'] first and then use $name.  Why is this?
Thanks,

Jeff

 



Re: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon [EMAIL PROTECTED] wrote:
 The problem I'm having is with the $_GET variables. I guess I'm not
 declaring them correctly. Do I need to set them as soon as the page
 loads, and outside of any functions like so..
 
 [code start]
 $custid = $_GET['custid'];
 $custname = $_GET['custname'];
 [code end]
 
 Or do I need to declare them in each funtion?
 
 [code start]
 Function blah(){
   global $custname, $custid;
 
   $custid = $_GET['custid'];
   $custname = $_GET['custname'];
   DO SOME STUFF
 }

$_GET is a superglobal, which just means that it is always available
everywhere. If you assign $custname to $_GET['custname'], you now have a
regular global variable (if the assignment is done outside a function) or a
local variable (if the assignment is done within a function).

So, either just use $_GET['custname'] everywhere you need it, or work with the
variable scope like you would have to if it was anything else. For example:

1. $foo = $_GET['foo'];
2. $foo = 'bar';

The variable scope of $foo would be the same, regardless of which of those
assignments were made.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Actually, here's the problem I get with using global variables in a
mysql_query string..

[error begin]
PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
expecting T_STRING or T_VARIABLE or T_NUM_STRING 
[error end]

[code begin]
$query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
by Status DESC, Created ASC";
[code end]

Jeff

 -Original Message-
 From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 03, 2003 3:45 PM
 To: Jeff McKeon; php
 Subject: Re: [PHP] User Authentication Continued
 
 
 --- Jeff McKeon [EMAIL PROTECTED] wrote:
  The problem I'm having is with the $_GET variables. I guess I'm not 
  declaring them correctly. Do I need to set them as soon as the page 
  loads, and outside of any functions like so..
  
  [code start]
  $custid = $_GET['custid'];
  $custname = $_GET['custname'];
  [code end]
  
  Or do I need to declare them in each funtion?
  
  [code start]
  Function blah(){
  global $custname, $custid;
  
  $custid = $_GET['custid'];
  $custname = $_GET['custname'];
  DO SOME STUFF
  }
 
 $_GET is a superglobal, which just means that it is always 
 available everywhere. If you assign $custname to 
 $_GET['custname'], you now have a regular global variable (if 
 the assignment is done outside a function) or a local 
 variable (if the assignment is done within a function).
 
 So, either just use $_GET['custname'] everywhere you need it, 
 or work with the variable scope like you would have to if it 
 was anything else. For example:
 
 1. $foo = $_GET['foo'];
 2. $foo = 'bar';
 
 The variable scope of $foo would be the same, regardless of 
 which of those assignments were made.
 
 Hope that helps.
 
 Chris
 
 =
 My Blog
  http://shiflett.org/
 HTTP Developer's Handbook
  http://httphandbook.org/
 RAMP Training Courses
  http://www.nyphp.org/ramp
 




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon [EMAIL PROTECTED] wrote:
 $query=SELECT * from tickets where VesselID='$_GET['vesselid']'
 order by Status DESC, Created ASC;

$query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
  order by status desc, created asc";

Note the curly braces.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Robert Cummings
On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
 Actually, here's the problem I get with using global variables in a
 mysql_query string..
 
 [error begin]
 PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
 expecting T_STRING or T_VARIABLE or T_NUM_STRING 
 [error end]
 
 [code begin]
 $query=SELECT * from tickets where VesselID='$_GET['vesselid']' order
 by Status DESC, Created ASC;
 [code end]

The following will work:

$query=
    "SELECT * "
   ."FROM tickets "
   ."WHERE VesselID='".$_GET['vesselid']."' "
   ."ORDER BY Status DESC, Created ASC";

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




Re: [PHP] User Authentication Continued....

2003-10-03 Thread Curt Zirzow
* Thus wrote Jeff McKeon ([EMAIL PROTECTED]):
 Actually, here's the problem I get with using global variables in a
 mysql_query string..
 
 [error begin]
 PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
 expecting T_STRING or T_VARIABLE or T_NUM_STRING 
 [error end]
 
 [code begin]
 $query=SELECT * from tickets where VesselID='$_GET['vesselid']' order
 by Status DESC, Created ASC;
 [code end]

Enclose the var in curly brackets:

$query="SELECT * from tickets where VesselID='{$_GET['vesselid']}' order
by Status DESC, Created ASC";


Curt
-- 
List Stats: http://zirzow.dyndns.org/html/mlists/php_general/

I used to think I was indecisive, but now I'm not so sure.




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
One more mystery solved.

Thanks one and all

Jeff

 -Original Message-
 From: Robert Cummings [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 03, 2003 4:55 PM
 To: Jeff McKeon
 Cc: PHP-General; [EMAIL PROTECTED]
 Subject: RE: [PHP] User Authentication Continued
 
 
 On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
  Actually, here's the problem I get with using global variables in a 
  mysql_query string..
  
  [error begin]
  PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, 
  expecting T_STRING or T_VARIABLE or T_NUM_STRING [error end]
  
  [code begin]
  $query=SELECT * from tickets where 
 VesselID='$_GET['vesselid']' order 
  by Status DESC, Created ASC; [code end]
 
 The following will work:
 
 $query=
 SELECT * 
.FROM tickets 
.WHERE VesselID='.$_GET['vesselid'].' 
.ORDER BY Status DESC, Created ASC;
 
 Cheers,
 Rob.
 -- 
 ..
 | InterJinn Application Framework - http://www.interjinn.com |
 ::
 | An application and templating framework for PHP. Boasting  | a 
 | powerful, scalable system for accessing system services  | such as 
 | forms, properties, sessions, and caches. InterJinn |
 | also provides an extremely flexible architecture for   |
 | creating re-usable components quickly and easily.  |
 `'
 
 
 




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
 --- Jeff McKeon [EMAIL PROTECTED] wrote:
  $query=SELECT * from tickets where VesselID='$_GET['vesselid']'
  order by Status DESC, Created ASC;
 
 $query = select * from tickets where vesselid = '{$_GET['vesselid']}'
   order by status desc, created asc;
 
 Note the curly braces.

I am trying to start making a conscious effort to alert people to potential
security risks associated with certain examples. So, I should have mentioned
that constructing an SQL statement with client data is terrible. While my
example was only meant to illustrate how to interpolate arrays within a string,
I do not want anyone to copy/paste this code and create a security
vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp
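
The three steps listed in the message above, as an added example that is not part of the original post: validate `$_GET['vesselid']`, copy it into `$clean` only if valid, and build the query from `$clean`. It goes one step further than the message by binding the clean value as a PDO parameter instead of interpolating it into the string. That VesselID is a positive integer, the `tickets` columns beyond those named in the thread, and the sample rows are assumptions.

```php
<?php
// Added example (not from the thread). Rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, VesselID INTEGER, Status TEXT, Created TEXT)');
$db->exec("INSERT INTO tickets (VesselID, Status, Created) VALUES
    (7, 'open',   '2003-10-01'),
    (7, 'closed', '2003-09-28'),
    (9, 'open',   '2003-10-02')");

/**
 * $get is passed in (rather than reading $_GET directly) so the function can
 * be exercised from the command line with constructed requests.
 */
function tickets_for_vessel(PDO $db, array $get): array
{
    $clean = [];

    // 1. Validate: accept nothing but a positive integer.
    $id = filter_var($get['vesselid'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('vesselid must be a positive integer');
    }

    // 2. Only data that passed validation is ever placed in $clean.
    $clean['vesselid'] = $id;

    // 3. Build the statement from $clean, bound as a parameter so the value
    //    is never parsed as SQL even if the validation rule is loosened later.
    $st = $db->prepare('SELECT id, Status, Created FROM tickets
                        WHERE VesselID = :vesselid
                        ORDER BY Status DESC, Created ASC');
    $st->execute([':vesselid' => $clean['vesselid']]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests: well-formed, carrying SQL syntax, and missing the parameter.
$requests = [
    ['vesselid' => '7'],
    ['vesselid' => "7' OR '1'='1"],
    [],
];

foreach ($requests as $get) {
    try {
        $rows = tickets_for_vessel($db, $get);
        printf("%s -> %d row(s)\n", json_encode($get), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%s -> rejected: %s\n", json_encode($get), $e->getMessage());
    }
}
```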




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Good advice! Thanks!

Jeff




[PHP] User authentication

2003-10-02 Thread Jeff McKeon
Hey all, 

I'm building a website that will pull data from mysql db.  No problem
there. I've got a page to create users and store their info in a user
table on another db.  What I want to be able to do is have a user log in
and then only have access to view information that his profile allows.

I'm not quite sure how to do this however so I'm looking for advice to
point me in the right direction.  I suspect, that once validated via the
login page, I need to store the user's permissions in a session variable
and then before each page loads, check to see if the page's permission
requirements match the user requirements stored in the session's
variable.  Is this correct? Are there any security risks with this as
this site may one day be internet accessible.  If this isn't the
correct approach, what is?

Thanks,

Jeff




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 I'm not quite sure how to do this however so I'm looking for advice to
 point me in the right direction.  I suspect, that once validated via the
 login page, I need to store the user's permissions in a session variable
 and then before each page loads, check to see if the page's permission
 requirements match the user requirements stored in the session's
 variable.  Is this correct? Are there any security risks with this as
 this site may one day be internet accessible.  If this isn't the
 correct approach, what is?

Yes, you will need to set some session variables to hold any information
you want to check.  Make sure you do not store sensitive information in
those though.  In a site I just built, we are only storing the user's name,
user id number, and access level.  The site then checks every 60 seconds to
see if they are idle.  I track the session login times in a mysql table, and
have it do the math on how long they've been idle.  This isn't really a
common method from what I've seen though, and your security requirements
might be a bit different.  Our client wants the site to log the EU out
if they've been idle for 15 minutes.  Some people just let PHP time out the
session, then when they go to click on something, it boots them back to the
login page.

Just remember to check for an active session each time a secure page loads.
Otherwise you'll have people bypassing the login page.

For restricting what is shown on the page, there are many methods.  IF
structures, etc, just make sure you are checking their access against what is
shown.

Does that help?

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon
Dan,

That's great help and exactly what I'd like to do timeouts and all.  I
now just need to figure out the mechanics of the code for it and get a
better understanding of sessions.  I'm thinking in the user table I'll
have a bunch of boolean fields for different permissions that apply to
different pages etc.  To keep it simple at first I'll just have two
permissions read only and edit.  Read only users will not be allowed
to access pages where they can edit data.

How do you check for idle?  I suppose there is a built in variable that
you check against the value in the table.  How do I pull up or refer to
session variables?

Thanks,

Jeff




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 That's great help and exactly what I'd like to do timeouts and all.  I
 now just need to figure out the mechanics of the code for it and get a
 better understanding of sessions.  I'm thinking in the user table I'll
 have a bunch of boolean fields for different permissions that apply to
 different pages etc.  To keep it simple at first I'll just have two
 permissions read only and edit.  Read only users will not be allowed
 to access pages where they can edit data.

 How do you check for idle?  I suppose there is a built in variable that
 you check against the value in the table.  How do I pull up or refer to
 session variables?

Sessions are stored in the $_SESSION array.  A simple check would be:

if ($_SESSION['user_id'] == "" || is_null($_SESSION['user_id']))
    redirect_to_index_function();

Where 'user_id' is, that would be the name of the session you created.
Just insert that at the top of each page (might be best suited in an include
file).

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 How do you check for idle?  I suppose there is a built in variable that
 you check against the value in the table.  How do I pull up or refer to
 session variables?

Additionally, I also check to see if the date_out column in my sessions
table is 0000-00-00 00:00:00, if not, I boot 'em and do a
session_destroy();.

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon
Thanks for the advice! It's a big help.
I'll go play now and come back with more intelligent questions later!

Jeff




RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon
What is stored in the date_out column?  Is that one of the columns in
your own created table or a standard one?

Jeff




Re: [PHP] User authentication

2003-10-02 Thread Curt Zirzow
* Thus wrote Dan Joseph ([EMAIL PROTECTED]):
 Hi,
 
  That's great help and exactly what I'd like to do timeouts and all.  I
  now just need to figure out the mechanics of the code for it and get a
  better understanding of sessions.  I'm thinking in the user table I'll
  have a bunch of boolean fields for different permissions that apply to
  different pages etc.  To keep it simple at first I'll just have two
  permissions read only and edit.  Read only users will not be allowed
  to access pages where they can edit data.
 
  How do you check for idle?  I suppose there is a built in variable that
  you check against the value in the table.  How do I pull up or refer to
  session variables?
 
   Sessions are stored in the $_SESSION array.  A simple check would be:
 
   if ($_SESSION['user_id'] == "" || is_null($_SESSION['user_id']))
       redirect_to_index_function();
 
   Where 'user_id' is, that would be the name of the session you created.
 Just insert that at the top of each page (might be best suited in an include
 file).

I would suggest a require(), that way if the file can't be included
the script will fail at the require.


Curt
-- 
I used to think I was indecisive, but now I'm not so sure.




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 What is stored in the date_out column?  Is that one of the columns in
 your own created table or a standard one?

That's the SQL table that I use to track sessions.  It's one I created.  I
have a function that does a simple SQL query:

SELECT date_out FROM sessions WHERE user_id = 12

Then I check to see if date_out != 0000-00-00 00:00:00 and log them out
if it doesn't.  This method is both good and bad.  (1) I have a master log
of all user logins.  (2) I can force a user to log out.  Overall, it was
just more work on the sessions.  I guess I'd recommend this method if you
have to keep strong security in mind.

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon
Ok,

I've got a login page that has these functions to set the userid and
password to session variables

[code start]
session_start();
if(!isset($userid)) {
    login_form();
    exit;
}
else {
    session_register("userid", "userpassword");
    $username = auth_user($userid, $userpassword);
    if(!$username) {
        session_unregister("userid");
        session_unregister("userpassword");
        echo "Authorization failed.  " .
            "You must enter a valid userid and password combo.  " .
            "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
        echo "If you do not have login, please contact " .
            "Operations to obtain one.<br>\n";
        exit;
    }
    else echo "welcome, $username!";
}
[code end]

I then have a simple test page with the following code...

[code start]
<?php
include "./register_functions.php";

if($_SESSION['userid'] == 'bob'){
    echo $_SESSION['userid'];
    echo "Access Denied Bobby boy!!!";
}
else {
    echo "OK, since it's not Bob, it's ok";
}
html_footer();
[code end]

The problem is that the $_SESSION['userid'] doesn't return anything on
this page..
Am I not calling the session variable correctly or not storing it
correctly?
In my php.ini I have globals turned off.  Does this affect it?

Thanks,

Jeff





RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 The problem is that the $_SESSION['userid'] doesn't return anything on
 this page..
 Am I not calling the session variable correctly or not storing it
 correctly?
 In my php.ini I have globals turned off.  Does this affect it?

Hi, yeah, it's my understanding (and someone can correct me if I am wrong..)
that if you have that turned off, then you can't use session_register().
Instead, do $_SESSION['userid'] = 10; and see if that works.

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Ford, Mike [LSS]
On 02 October 2003 17:27, Jeff McKeon wrote:

 Ok,
 
 I've got a login page that has these functions to set the userid and
 password to session variables
 
 [code start]
 session_start();
 if(!isset($userid)) {
     login_form();
     exit;
 }
 else {
     session_register("userid", "userpassword");
     $username = auth_user($userid, $userpassword);
     if(!$username) {
         session_unregister("userid");
         session_unregister("userpassword");
         echo "Authorization failed.  " .
             "You must enter a valid userid and password combo.  " .
             "Click on the following link to try again.<BR>\n";
         echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
         echo "If you do not have login, please contact " .
             "Operations to obtain one.<br>\n";
         exit;
     }
     else echo "welcome, $username!";
 }
 [code end]
 
 I then have a simple test page with the following code...
 
 [code start]
 <?php
 include "./register_functions.php";
 
 if($_SESSION['userid'] == 'bob'){
     echo $_SESSION['userid'];
     echo "Access Denied Bobby boy!!!";
 }
 else {
     echo "OK, since it's not Bob, it's ok";
 }
 html_footer();
 [code end]
 
 The problem is that the $_SESSION['userid'] doesn't return anything
 on this page.. Am I not calling the session variable correctly or not
 storing it correctly? In my php.ini I have globals turned off.  Does
 this affect it?

(1) I don't see a session_start() on the second page (unless it's in
register_functions.php?).

(2) I would advise not mixing $_SESSION and session_register() -- it's
problematical in some situations.  Just stick to using the $_SESSION array.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 (1) I don't see a session_start() on the second page (unless it's in
 register_functions.php?).

Old habits die hard.  You have no idea how many times I forget to put this
at the top of a page.  Thanks for pointing that out.

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon

 
 On 02 October 2003 17:27, Jeff McKeon wrote:
 
  Ok,
  
  I've got a login page that has these functions to set the userid and
  password to session variables
  
  [code start]
  session_start();
  if(!isset($userid)) {
      login_form();
      exit;
  }
  else {
      session_register("userid", "userpassword");
      $username = auth_user($userid, $userpassword);
      if(!$username) {
          session_unregister("userid");
          session_unregister("userpassword");
          echo "Authorization failed.  " .
              "You must enter a valid userid and password combo.  " .
              "Click on the following link to try again.<BR>\n";
          echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
          echo "If you do not have login, please contact " .
              "Operations to obtain one.<br>\n";
          exit;
      }
      else echo "welcome, $username!";
  }
  [code end]
  
  I then have a simple test page with the following code...
  
  [code start]
  <?php
  include "./register_functions.php";
  
  if($_SESSION['userid'] == 'bob'){
      echo $_SESSION['userid'];
      echo "Access Denied Bobby boy!!!";
  }
  else {
      echo "OK, since it's not Bob, it's ok";
  }
  html_footer();
  [code end]
  
  The problem is that the $_SESSION['userid'] doesn't return anything on
  this page.. Am I not calling the session variable correctly or not
  storing it correctly? In my php.ini I have globals turned off.  Does
  this affect it?
 
 (1) I don't see a session_start() on the second page (unless 
 it's in register_functions.php?).
 

OK, including session_start(); at the top of the test_auth.php page
worked.

 (2) I would advise not mixing $_SESSION and 
 session_register() -- it's problematical in some situations.  
 Just stick to using the $_SESSION array.
 

I'm not quite sure what you mean here, can you give an example or
elaborate.  Sorry, real newbie here... :o)

Thanks,

Jeff




Re: [PHP] User authentication

2003-10-02 Thread Jason Wong
On Friday 03 October 2003 01:50, Jeff McKeon wrote:

  (2) I would advise not mixing $_SESSION and
  session_register() -- it's problematical in some situations.
  Just stick to using the $_SESSION array.

 I'm not quite sure what you mean here, can you give an example or
 elaborate.  Sorry, real newbie here... :o)

Examples and elaboration:

  manual > Session handling functions

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
According to all the latest reports, there was no truth in any of the
earlier reports.
*/




RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon
 Hi,
 
  What is stored in the date_out column?  Is that one of the columns in
  your own created table or a standard one?
 
 That's the SQL table that I use to track sessions.  It's one I created.
 I have a function that does a simple SQL query:
 
 SELECT date_out FROM sessions WHERE user_id = 12
 
 Then I check to see if date_out != 0000-00-00 00:00:00 and log them out
 if it doesn't.  This method is both good and bad.  (1) I have a master log
 of all user logins.  (2) I can force a user to log out.  Overall, it was
 just more work on the sessions.  I guess I'd recommend this method if you
 have to keep strong security in mind.
 

So when a user logs in you write a user_id and datestamp to a field in
your sessions table.  Every time the person accesses a page you update
the datestamp in that record.  Then you run a function that checks every
X minutes if the timestamp is older than X minutes and if so you log the
person out?  Is this correct?  How exactly do you log them out?  By
issuing a command to clear the session variables saved during login,
thus causing function on each page that checks for valid login to fail?

Thanks,

Jeff




Re: [PHP] User authentication

2003-10-02 Thread Jason Wong
On Friday 03 October 2003 01:59, Jeff McKeon wrote:

 So when a user logs in you write a user_id and datestamp to a field in
 your sessions table.  Every time the person accesses a page you update
 the datestamp in that record.  Then you run a function that checks every
 X minutes if the timestamp is older than X minutes and if so you log the
 person out?  Is this correct? 

Wrong order. First, check whether timestamp is past its sell by date, if so 
destroy the session then redirect them to the login page, otherwise refresh 
the timestamp.

 How exactly do you log them out?  By
 issuing a command to clear the session variables saved during login,
 thus causing function on each page that checks for valid login to fail?

Yes. session_destroy().

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
How do I love thee?  My accumulator overflows.
*/




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 So when a user logs in you write a user_id and datestamp to a field in
 your sessions table.  Every time the person accesses a page you update
 the datestamp in that record.  Then you run a function that checks every
 X minutes if the timestamp is older than X minutes and if so you log the
 person out?  Is this correct?  How exactly do you log them out?  By
 issuing a command to clear the session variables saved during login,
 thus causing function on each page that checks for valid login to fail?

Yeah, that's correct.  There is a date_idle column in the database.  That
gets updated every time they move to a new page, or refresh the one they are
on.  To time them out, I simply set the date_out column = Now(), issue a
session_destroy() and redirect them back to the login page.

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

  (2) I would advise not mixing $_SESSION and
  session_register() -- it's problematical in some situations.
  Just stick to using the $_SESSION array.

 I'm not quite sure what you mean here, can you give an example or
 elaborate.  Sorry, real newbie here... :o)

$_SESSION['userid'] = 254;

Where 254 is, that is the value you want to assign it.  It's just an array.
Think of it more as a global variable across the entire site.

-Dan Joseph




Re: [PHP] User authentication

2003-10-02 Thread Didier McGillis
For those of you who are writing apps and looking at this and you have 
customers adding things to their session such as a cart or something else 
and you destroy the session the information that they were keeping in their 
session would be lost so if you don't want pissed off customers calling 
saying they lost something after leaving their desk for a few minutes then 
you want to make sure that the information such as cart or whatever is 
stored elsewhere and has their user id tied to it.  So when you're laying out 
your site, and you're destroying sessions make sure that unless that is the 
designed intent (such as login information) that you aren't destroying 
something more important like someone's shopping cart filling with $3000 
worth of merch, yes I know with exchange rate that's only worth $.25 to 
Americans.


Yes. session_destroy().



RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon
includepunctuation;

Jeff





RE: [PHP] User authentication

2003-10-02 Thread Jeff McKeon

 Hi,
 
   (2) I would advise not mixing $_SESSION and
   session_register() -- it's problematical in some situations. Just 
   stick to using the $_SESSION array.
 
  I'm not quite sure what you mean here, can you give an example or 
  elaborate.  Sorry, real newbie here... :o)
 
   $_SESSION['userid'] = 254;
 
   Where 254 is, that is the value you want to assign it.  
 It's just an array. Think of it more as a global variable 
 across the entire site.
 
 -Dan Joseph

So I've replaced my session_register("userid", "userpassword");

With

$_SESSION['userid'] = $userid;
$_SESSION['userpassword'] = $userpassword;

And my:

session_unregister("userid");
session_unregister("userpassword");

With

session_destroy();

I've also added a field to the user table called CanEdit that is set
to 1 or 0.

When the authentication function is called, I run a query that updates
the user's idle timestamp, gets his/her CanEdit value and stores it to
$_SESSION['CanEdit'], and returns the username.

[code begin]

function auth_user($userid, $userpassword) {

    global $default_dbname, $user_tablename;

    $link_id = db_connect($default_dbname);
    // look the user up by userid and MySQL password() hash
    $query = "SELECT username FROM $user_tablename WHERE userid =
        '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if(!mysql_num_rows($result)) return 0;
    else {
        //set idle timestamp (using unixtime)
        $stamp = gmmktime();
        $query2 = "update $user_tablename set idle_time = $stamp
            where userid = '$userid'";
        $result2 = mysql_query($query2);

        //get the users CanEdit value
        $query3 = "select CanEdit from $user_tablename where
            userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];

        //Return the users name to the calling page
        $query_data=mysql_fetch_row($result);
        return $query_data[0];
    }
}
[code end]

Then when any new page loads it first checks to see if the user has a
CanEdit value of 1, if not it boots them back to the page they came
from, if so it runs a query to check their idle timestamp and subtract
it from the current unixtimestamp to find the difference.  If it's
greater than X they are booted back to the login screen, if it's less
than X the page is loaded..

Anything look wrong or insecure with all of this?

Thanks for all the help!!!

jeff




RE: [PHP] User authentication

2003-10-02 Thread Dan Joseph
Hi,

 Then when any new page loads it first checks to see if the user has a
 CanEdit value of 1, if not it boots them back to the page they came
 from, if so it runs a query to check their idle timestamp and subtract
 it from the current unixtimestamp to find the difference.  If it's
 greater than X they are booted back to the login screen, if it's less
 than X the page is loaded..

 Anything look wrong or insecure with all of this?

This is how I'm doing it.  We had it audited by a security company.  It
passed with flying colors.

-Dan Joseph




RE: [PHP] User authentication

2003-10-02 Thread Chris Shiflett
--- Jeff McKeon [EMAIL PROTECTED] wrote:
 $_SESSION['userid'] = $userid;
 $_SESSION['userpassword'] = $userpassword;

[snip]

 Anything look wrong or insecure with all of this?

The only thing that catches my attention is your assignments for
$_SESSION['userid'] and $_SESSION['userpassword']. I assume you are performing
some strict data validation on $userid and $userpassword before this
assignment, right? If not, this presents a significant risk, because $_SESSION
is a trusted array (it comes from the server, not the client).

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp
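
The login check and per-page idle test described in this thread, written with bound parameters and stored password hashes, as an added example that is not code from any poster. Column names follow Jeff's post; the table name `users`, the in-memory SQLite database, the sample account and the 900-second limit are assumptions.

```php
<?php
// Added example, not code from the thread. Column names (userid, username,
// userpassword, CanEdit, idle_time) follow Jeff's post; the table name "users",
// the in-memory SQLite database, the sample account and IDLE_LIMIT are
// assumptions made so the script runs offline: php example.php
declare(strict_types=1);

const IDLE_LIMIT = 900; // the "X" from the post, in seconds (assumed value)

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, username TEXT,
        userpassword TEXT, CanEdit INTEGER, idle_time INTEGER)');
    // Constructed sample row. Only the password hash is stored.
    $db->prepare('INSERT INTO users VALUES (?, ?, ?, 1, 0)')
       ->execute(['jeff', 'Jeff M.', password_hash('demo-password', PASSWORD_DEFAULT)]);
    return $db;
}

/** Returns the values to keep in the session, or null when the login fails. */
function authenticate(PDO $db, string $userid, string $password, int $now): ?array
{
    // Bound parameter: the user id is passed as data, never as SQL text.
    $st = $db->prepare('SELECT username, userpassword, CanEdit FROM users WHERE userid = ?');
    $st->execute([$userid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string)$row['userpassword'])) {
        return null;
    }
    // Set the idle timestamp, as in the original function.
    $db->prepare('UPDATE users SET idle_time = ? WHERE userid = ?')->execute([$now, $userid]);
    // The password itself is not kept in the session.
    return ['userid' => $userid, 'username' => $row['username']];
}

/** Per-page gate: 'ok', 'back' (no edit right) or 'login' (idle too long). */
function check_page_access(PDO $db, ?array $session, int $now): string
{
    if (empty($session['userid'])) {
        return 'login';
    }
    // CanEdit is re-read on every page so a revoked right takes effect at once
    // (a design choice of this example).
    $st = $db->prepare('SELECT CanEdit, idle_time FROM users WHERE userid = ?');
    $st->execute([$session['userid']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'login';
    }
    if ((int)$row['CanEdit'] !== 1) {
        return 'back';
    }
    if ($now - (int)$row['idle_time'] > IDLE_LIMIT) {
        return 'login';
    }
    // Activity resets the idle clock (assumed; the post does not say).
    $db->prepare('UPDATE users SET idle_time = ? WHERE userid = ?')
       ->execute([$now, $session['userid']]);
    return 'ok';
}

// --- demo with a fixed clock so the run is repeatable ---
$db  = make_demo_db();
$now = 1700000000;

// A quote character in the user id is plain data to a bound parameter.
var_dump(authenticate($db, "o'neil", 'anything', $now));
var_dump(authenticate($db, 'jeff', 'wrong-password', $now));

// In a web request this array would be stored in $_SESSION after
// session_start() and session_regenerate_id(true).
$session = authenticate($db, 'jeff', 'demo-password', $now);

echo check_page_access($db, $session, $now + 60), "\n";
echo check_page_access($db, $session, $now + 60 + IDLE_LIMIT + 1), "\n";
$db->exec('UPDATE users SET CanEdit = 0');
echo check_page_access($db, $session, $now + 61), "\n";
```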




[PHP] User Authentication

2003-03-18 Thread shaun
Hi,

Using the following code I am able to authenticate which type of user is
visiting my page, however if I try to log in again with a different type of
user the session variables still assume that the original user was logged
in, is there a way to reset the session variables, I have tried
session_destroy() and session_unset() but without success...

<?php
require("dbconnect.php");

// Assume user is not authenticated
$auth = false;

// Formulate the query
$query = "SELECT * FROM WMS_User WHERE
  User_Username = '$_POST[username]' AND
  User_Password = '$_POST[password]'";

// Execute the query and put results in $result
$result = mysql_query( $query )
  or die ( 'Unable to execute query.' );

// Get number of rows in $result.
$num = mysql_numrows( $result );

if ( $num != 0 ) {

 // A matching row was found - the user is authenticated.
 $auth = true;

 //get the data for the session variables
 $suser_name   = mysql_result($result, 0, "User_Name");
 $suser_password = mysql_result($result, 0, "User_Password");
 $stype_level   = mysql_result($result, 0, "User_Type");

 $ses_name  = $suser_name;
 $ses_pass  = $suser_password;
 $ses_level = $stype_level;

 session_register("ses_name");
 session_register("ses_pass");
 session_register("ses_level");
}

//if user isn't authenticated redirect to appropriate page
if ( ! $auth ) {
 include("index.php");
 exit;
}

//if user is authenticated, include the main menu
else{
 include("home.php");
}

//close connection
mysql_close();
?>

thanks for your help






Re: [PHP] User Authentication

2003-03-18 Thread Chris Shiflett
--- shaun [EMAIL PROTECTED] wrote:
 Using the following code I am able to authenticate which type of user is
 visiting my page, however if I try to log in again with a different type of
 user the session variables still assume that the original user was logged
 in, is there a way to reset the session variables, I have tried
 session_destroy() and session_unset() but without success...
 
 <?php
 require("dbconnect.php");
 
 // Assume user is not authenticated
 $auth = false;
 
 // Formulate the query
 $query = "SELECT * FROM WMS_User WHERE
   User_Username = '$_POST[username]' AND
   User_Password = '$_POST[password]'";
 
 // Execute the query and put results in $result
 $result = mysql_query( $query )
   or die ( 'Unable to execute query.' );
 
 // Get number of rows in $result.
 $num = mysql_numrows( $result );
 
 if ( $num != 0 ) {
 
  // A matching row was found - the user is authenticated.
  $auth = true;
 
  //get the data for the session variables
  $suser_name   = mysql_result($result, 0, "User_Name");
  $suser_password = mysql_result($result, 0, "User_Password");
  $stype_level   = mysql_result($result, 0, "User_Type");
 
  $ses_name  = $suser_name;
  $ses_pass  = $suser_password;
  $ses_level = $stype_level;
 
  session_register("ses_name");
  session_register("ses_pass");
  session_register("ses_level");

This is the moment where you lose your new session data. You need to register
your session variables before you use them. At this point, PHP retrieves the
session data that is saved for you, and you lose all of the stuff you did
above.

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/




Re: [PHP] User Authentication

2003-03-18 Thread shaun


sorry but you have lost me, surely the session_register(); function is
storing what I have done above this point, if not then how would I store the
new values instead?






Re: [PHP] User Authentication

2003-03-18 Thread olinux
use:
$_SESSION['ses_name'] = 'something';
$_SESSION['ses_pass'] = 'something';
$_SESSION['ses_level'] = 'something';

instead of:
 session_register("ses_name");
 session_register("ses_pass");
 session_register("ses_level");

All $_SESSION entries are automatically registered.

See the following for more info
http://us2.php.net/manual/en/security.registerglobals.php
http://us2.php.net/manual/en/function.session-register.php

olinux




Re: [PHP] User Authentication

2003-03-18 Thread Chris Shiflett
--- shaun [EMAIL PROTECTED] wrote:
...
$ses_name  = $suser_name;
$ses_pass  = $suser_password;
$ses_level = $stype_level;
  
session_register("ses_name");
session_register("ses_pass");
session_register("ses_level");
 
  This is the moment where you lose your new session data. You need to
  register your session variables before you use them. At this point, PHP
  retrieves the session data that is saved for you, and you lose all of the
  stuff you did above.
...
 sorry but you have lost me, surely the session_register(); function is
 storing what I have done above this point, if not then how would I store the
 new values instead?

How is a function supposed to do anything before it is called? I don't
understand how you come to that conclusion.

The session_register() function lets PHP know that you want a particular
variable registered in the current session. If the variable already exists, it
will retrieve it for you. This is how you are able to use a session variable on
another page.

If you don't understand this, you might want to just use session_register() at
the top of your script(s) to keep yourself from making this particular mistake.
However, I strongly suggest researching sessions a lot more, or you will find
it frustratingly difficult to solve session problems without a good
understanding of what is going on.

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
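
What a second login over an existing session looks like when the session is opened first and the old user's state is discarded before the new values are written, as an added example that is not part of the original thread. The user rows are a constructed stand-in for the WMS_User table, and the password is deliberately not copied into the session.

```php
<?php
// Added example, not code from the thread. The rows below are a constructed
// stand-in for the WMS_User table; ses_name and ses_level are the thread's
// session keys. Run offline with: php example.php
declare(strict_types=1);

function demo_users(): array
{
    return [
        'alice' => ['User_Name' => 'Alice', 'User_Type' => 'admin',
                    'hash' => password_hash('alice-demo-pw', PASSWORD_DEFAULT)],
        'bob'   => ['User_Name' => 'Bob', 'User_Type' => 'viewer',
                    'hash' => password_hash('bob-demo-pw', PASSWORD_DEFAULT)],
    ];
}

function login(array $users, string $username, string $password): bool
{
    // Open the session before touching $_SESSION, so stored data is loaded
    // first and cannot overwrite what is assigned below.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;            // a failed attempt leaves the current session as it is
    }
    $_SESSION = [];              // drop everything the previous user left behind
    session_regenerate_id(true); // new session ID, old session data deleted
    $_SESSION['ses_name']  = $row['User_Name'];
    $_SESSION['ses_level'] = $row['User_Type'];
    return true;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];       // clear the in-memory copy
    session_destroy();    // delete the stored session data
}

// --- demo: two different users log in within the same session ---
session_save_path(sys_get_temp_dir()); // keeps the command-line run self-contained
$users = demo_users();
$lines = [];  // printed last: session functions have to run before any output

login($users, 'alice', 'alice-demo-pw');
$firstId = session_id();
$lines[] = 'after alice:  ' . json_encode($_SESSION);

login($users, 'bob', 'bob-demo-pw');
$lines[] = 'after bob:    ' . json_encode($_SESSION);
$lines[] = 'session id changed: ' . var_export(session_id() !== $firstId, true);

$lines[] = 'bad password accepted: ' . var_export(login($users, 'alice', 'wrong'), true);
$lines[] = 'still:        ' . json_encode($_SESSION);

logout();
$lines[] = 'after logout: ' . json_encode($_SESSION);

echo implode("\n", $lines), "\n";
```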




Re: [PHP] User Authentication

2003-03-18 Thread shaun
I have changed the code to:




Re: [PHP] User Authentication

2003-03-18 Thread shaun
I have changed the code to:

 //register the session variables
 $_SESSION['ses_name']  = mysql_result($result, 0, "User_Name");
 $_SESSION['ses_pass']  = mysql_result($result, 0, "User_Password");
 $_SESSION['ses_level'] = mysql_result($result, 0, "User_Type");

but if I try to log in again the session variables don't change, any ideas?





Re: [PHP] PHP: User Authentication Script

2002-08-27 Thread Anthony Ritter

Thank you for the reply Farianto.

Exactly where in the

httpd.conf file

should I insert that line?

If you could copy and paste the line *above* and *below* in the httpd.conf
file that already exists so I know the location I would appreciate it.

Thanks again.
TR

for example:

# blahblah1

Load Module PHP4_Module c:/Apache/php/sapi/php4apache.dll  // insert this
line

# blahblah2
..


- Original Message -
From: Farianto Kurniawan [EMAIL PROTECTED]
To: Anthony Ritter [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, August 26, 2002 10:36 PM
Subject: Re: [PHP] PHP: User Authentication Script


 ...hello .. Mr.Anthony Ritter ..

 Actually I have faced the same problem with you but right now I can fix it.

 What you must do is:
 1. Turn off your Apache Web Server
 2. Edit your httpd.conf file from folder conf under Apache folder.
 3. Please add this sentence  --   LoadModule php4_module
 c:/Apache/php/sapi/php4apache.dll   -- in it. (The important thing is that
 php4apache.dll is in that directory; if it isn't, change it to the right
 position.)
 4. Save it
 5. Turn Your Apache Web Server on.

 I hope it can work now...

 Regards,

 Farianto.K
 PT.Yosibara Inti Corpora
 Phone: 62-21-5267645/46
 Indonesia








Re: [PHP] PHP: User Authentication Script

2002-08-27 Thread @ Edwin
You can insert the line at the very end of your httpd.conf file...

I'm sure you can find more info here...

  http://www.php.net/manual/en/install.windows.php

- E




RE: [PHP] PHP: User Authentication Script

2002-08-27 Thread Vail, Warren

Sounds like you've identified your problem.  I have never installed a module
but you can check out http://www.apache.org/ for some help installing
modules on the Apache server.  I believe it involves compiling the server,
for Windows platforms I believe you need Visual C++ 6.0.

If that is too technically demanding you can checkout several pre-packaged
distributions of Apache, PHP, MySQL, Perl and the like, looking for one
where PHP is installed as a Mod (don't personally know of any).  For a
fairly complete list of packages check out;

http://www.hotscripts.com/PHP/Software_and_Servers/Installation_Kits/

Sooner, or later, you will probably reach a point where it will become more
expedient for you to write your own authentication, which is what most
application developers do.  This has the advantage of allowing you to set up
your application security independent of your server or database security.

hope this helps,

Warren Vail
Tools, Metrics & Quality Processes

-Original Message-
From: Anthony Ritter [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 8:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] PHP: User Authentication Script


In my
phpinfo()

I get:
php version 4.0.0

Server_API CGI
..

Is this why it is not working?

If so, how does one install PHP as a module?

Please advise.
Thank you.

TR
...

Warren Vail wrote in message:

 http://www.php.net/manual/en/features.http-auth.php also mentions that http
 auth does not work when running php as a CGI, which may also give these
 symptoms.








[PHP] PHP: User Authentication Script

2002-08-26 Thread Anthony Ritter

Using Apache / Windows 98 / PHP / mySQL

The following script is from Julie Meloni's book PHP Essentials
(PrimaTech) on page 138.

I've copied the script from her site and tried to run it and get the
following:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable
to complete your request.
Please contact the server administrator, [EMAIL PROTECTED] and inform them of
the time the error occurred, and anything you might have done that may have
caused the error.

More information about this error may be available in the server error log.

--

Apache/1.3.12 Server at localhost Port 80
---

The following is the script:

<?

if (!isset($PHP_AUTH_USER)) {

header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;

} else {

if (($PHP_AUTH_USER == "jane") && ($PHP_AUTH_PW == "mypassword")) {

echo "<P>You have entered this username: $PHP_AUTH_USER<br>";
echo "You have entered this password: $PHP_AUTH_PW<br>";
echo "The authorization type is: $PHP_AUTH_TYPE.</p>";

} else {

echo "You are not authorized!";

}

}

?>
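
A version of this Basic-auth check that reads the credentials from $_SERVER instead of register_globals variables and sets the 401 status with http_response_code(), which emits it in the form the running SAPI needs (under CGI a status must reach Apache as a `Status:` header, not as an `HTTP/1.0 ...` line). This is an added example, not the book's script; the hashed account table and the HTTP_AUTHORIZATION fallback, which only works if the web server is configured to pass that header to PHP, are assumptions.

```php
<?php
// Added example, not the script from the book. The user name, password and
// realm are the ones in the post; the hashed account table and the
// HTTP_AUTHORIZATION fallback are assumptions of this example.
declare(strict_types=1);

/** Extract [user, password] from the request, or null if none were sent. */
function basic_credentials(array $server): ?array
{
    // When PHP runs as a server module it fills these in itself.
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string)$server['PHP_AUTH_USER'], (string)($server['PHP_AUTH_PW'] ?? '')];
    }
    // Under CGI they are absent. The raw header is visible only if the web
    // server has been configured to pass it through (assumption).
    $header = (string)($server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '');
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // the password may itself contain ':'
}

/** Decide on the response without sending anything, so it can be checked offline. */
function check_basic_auth(array $server, array $accounts, string $realm): array
{
    $cred = basic_credentials($server);
    if ($cred === null
        || !isset($accounts[$cred[0]])
        || !password_verify($cred[1], $accounts[$cred[0]])) {
        return [
            'status'  => 401,
            'headers' => ['WWW-Authenticate: Basic realm="' . $realm . '"'],
            'body'    => 'Authorization Required.',
        ];
    }
    // Unlike the book's script, the password is never echoed back.
    return [
        'status'  => 200,
        'headers' => [],
        'body'    => 'Authenticated as ' . htmlspecialchars($cred[0]),
    ];
}

function send_response(array $response): void
{
    http_response_code($response['status']); // status first, in the SAPI's own form
    foreach ($response['headers'] as $line) {
        header($line);
    }
    echo $response['body'];
}

// Stored as a hash rather than compared as a literal string.
$accounts = ['jane' => password_hash('mypassword', PASSWORD_DEFAULT)];
$realm    = 'My Private Stuff';

if (PHP_SAPI === 'cli') {
    // Constructed requests, so the logic can be exercised without a web server.
    $requests = [
        'no credentials'     => [],
        'module, correct'    => ['PHP_AUTH_USER' => 'jane', 'PHP_AUTH_PW' => 'mypassword'],
        'CGI header, correct' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('jane:mypassword')],
        'wrong password'     => ['PHP_AUTH_USER' => 'jane', 'PHP_AUTH_PW' => 'nope'],
        'malformed header'   => ['HTTP_AUTHORIZATION' => 'Basic !!!not-base64!!!'],
    ];
    foreach ($requests as $label => $server) {
        $r = check_basic_auth($server, $accounts, $realm);
        printf("%-20s => %d %s\n", $label, $r['status'], $r['body']);
    }
} else {
    send_response(check_basic_auth($_SERVER, $accounts, $realm));
}
```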








RE: [PHP] PHP: User Authentication Script

2002-08-26 Thread Vail, Warren

What does your apache server log say?


Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658






Re: [PHP] PHP: User Authentication Script

2002-08-26 Thread Anthony Ritter

Thanks for the reply Warren.

It says...

[Mon Aug 26 20:46:13 2002] [error] [client 127.0.0.1] malformed header from
script. Bad header=HTTP/1.0 401 Unauthorized: c:/php4/php.exe
...






RE: [PHP] PHP: User Authentication Script

2002-08-26 Thread Vail, Warren

Was this before supplying the password or after?

I believe this log entry may be normal when authentication fails.

I also believe the message you got on your browser means that the 401 error
page is missing from your apache installation.

http://www.php.net/manual/en/features.http-auth.php also mentions that http
auth does not work when running php as a CGI, which may also give these
symptoms.

Warren Vail
Tools, Metrics & Quality Processes





Re: [PHP] PHP: User Authentication Script

2002-08-26 Thread Anthony Ritter

In my
phpinfo()

I get:
php version 4.0.0

Server_API  CGI
..

Is this why it is not working?

If so, how does one install PHP as a module?

Please advise.
Thank you.

TR
...

Warren Vail wrote in message:

 http://www.php.net/manual/en/features.http-auth.php also mentions that http
 auth does not work when running php as a CGI, which may also give these
 symptoms.








Re: [PHP] PHP: User Authentication Script

2002-08-26 Thread Farianto Kurniawan

...hello .. Mr. Anthony Ritter ..

Actually, I have faced the same problem as you, but right now I can fix it.

What you must do is:
1. Turn off your Apache Web Server.
2. Edit your httpd.conf file in the conf folder under the Apache folder.
3. Please add this sentence  --   LoadModule php4_module c:/Apache/php/sapi/php4apache.dll   -- in it. (The important thing is that php4apache.dll is in that directory; if it isn't, change it to the right position.)
4. Save it.
5. Turn your Apache Web Server on.

I hope it can work now...

Regards,

Farianto.K
PT.Yosibara Inti Corpora
Phone: 62-21-5267645/46
Indonesia






[PHP] User Authentication Problem

2002-08-03 Thread Tony Harrison

Hi, I need to authenticate users on an included page on my website, but the
problem is, I can't get it to work.
View it included at http://members.lycos.co.uk/ajohnh/ (Source at
http://members.lycos.co.uk/ajohnh/source/index.txt)
the actual file:
http://members.lycos.co.uk/ajohnh/templates/twoShea/head.php (source at
http://members.lycos.co.uk/ajohnh/source/head.txt)
the location of the script that sets the cookie (I hard-coded the user and
password combo for user ramonezrule into it):
http://members.lycos.co.uk/ajohnh/templates/twoShea/setcookie.php (source
at: http://members.lycos.co.uk/ajohnh/source/setcookie.txt)










[PHP] User Authentication Problem.

2002-08-02 Thread Tony Harrison

Hi, I need to authenticate users on an included page on my website, but the
problem is, I can't get it to work.
View it included at http://members.lycos.co.uk/ajohnh/ (Source at
http://members.lycos.co.uk/ajohnh/source/index.txt)
the actual file:
http://members.lycos.co.uk/ajohnh/templates/twoShea/head.php (source at
http://members.lycos.co.uk/ajohnh/source/head.txt)
the location of the script that sets the cookie (I hard-coded the user and
password combo for user ramonezrule into it):
http://members.lycos.co.uk/ajohnh/templates/twoShea/setcookie.php (source
at: http://members.lycos.co.uk/ajohnh/source/setcookie.txt)







[PHP] User Authentication

2002-06-04 Thread Jule Slootbeek

Hey guys,

What is the best way for user authentication (now I'm talking about the
most secure and easiest way)?
Now I've been using sessions, and I was wondering if cookies were better
and easier...

any thoughts?
thanks,

Jule
-- 
Jule Slootbeek  
[EMAIL PROTECTED]

http://blindtheory.cjb.net








RE: [PHP] User Authentication

2002-06-04 Thread John Holmes

Sessions use cookies as it is...so what do you really want to do...what
do you want to protect?

---John Holmes...





RE: [PHP] User Authentication

2002-06-04 Thread Jarrad Kabral

I wouldn't rely on cookies or standard sessions (which use cookies) as a
means of security.

You can use sessions, but make sure you have the

ini_alter("session.use_cookies", 0);

so that no cookies are used for the session id. This means you'll have to
pass the session id in the querystring or post of each page.


Regards
Jarrad Kabral






Re: [PHP] User Authentication

2002-06-04 Thread Jule Slootbeek

John Holmes wrote:
 Sessions use cookies as it is...so what do you really want to do...what
 do you want to protect?
 
 ---John Holmes...
 
 

Oh ok, that explains it then...
Well, thanks for the info anyway. I was basically just wondering which
method was recommended..

Jule

-- 
Jule Slootbeek  
[EMAIL PROTECTED] 

http://blindtheory.cjb.net 







Re: [PHP] User Authentication

2002-06-04 Thread Analysis Solutions

Hi Jule:

On Tue, Jun 04, 2002 at 09:48:36PM -0400, Jule Slootbeek wrote:
 
 What is the best way for user authentication (now i'm talking about the
 most secure and easiest way).
 Now i've been using sessions, and i was wondering if cookies were better 
 and easier...

Regardless of what you do, I strongly suggest not using cookies.  Not 
everyone accepts them.  I accept them for a very limited number of 
sites (like my bank).  The rest can drop dead.

The remaining options are URL query strings and HTTP Authentication.

Enjoy,

--Dan

-- 
   PHP classes that make web design easier
SQL Solution  |   Layout Solution   |  Form Solution
sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409





Re: [PHP] User Authentication

2002-06-04 Thread Jason Wong

On Wednesday 05 June 2002 10:05, Analysis & Solutions wrote:
 Hi Jule:

 On Tue, Jun 04, 2002 at 09:48:36PM -0400, Jule Slootbeek wrote:
  What is the best way for user authentication (now i'm talking about the
  most secure and easiest way).
  Now i've been using sessions, and i was wondering if cookies were better
  and easier...

 Regardless of what you do, I strongly suggest not using cookies.  Not
 everyone accepts them.  I accept them for a very limited number of
 sites (like my bank).  The rest can drop dead.

I disagree. If your site has compelling enough content that encouraged the 
user to register in the first place then I'm pretty sure they won't mind a 
cookie or two. Just make sure you don't store any sensitive info in the 
cookie.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Your reasoning is . (fill in the blank)

- Russell King on the linux-arm mailing list
*/






[PHP] User Authentication

2002-03-29 Thread Omland Christopher m

Hi, I had a question on user authentication/member accounts.
I have built a MySQL database with users and passwords, and I wrote this
code:
<html>
<head><title>LOGIN IN PROGRESS</title></head>
<?php

mysql_connect("HOST", "USER", "PASS");
mysql_select_db("DB");
?>
<body bgcolor = "white">
<h2>PLEASE LOG IN</h2>

<form method="post" action="<?echo $PHP_SELF?>">
<table cellpadding="2" cellspacing="0" border="0">
<td>Username:</td><td><input type="text" name="User" size="10"></td><tr>
<td>Password:</td><td><input type="password" name="Pass" size="10"></td><tr>
<td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td>
</table></form>
<?php
if ($submit) {
    // $User goes into the query exactly as it was submitted.
    $result=mysql_query("select * from Users where User='$User'") or die
    ("cant do it");
    while ($row=mysql_fetch_array($result)) {
        // The stored password is compared with the submitted one as plain text.
        if ($row["Pass"]==$Pass) {
            printf("Successfully Logged In!<a href=\"about.php\">Click Here</a>");
        }
    }
}
?>

So this will work; it recognizes a real user vs. a fake one I do. But I don't
understand what's to stop someone from directly linking to a protected
page? For example, why couldn't someone just go directly to
./about.php.

Does this make sense? Should I have the login form in one file and the php
script in another? Do I need to check the http header somehow to see if
they have logged in?
Thanks.
-Chris






Re: [PHP] User Authentication

2002-03-29 Thread Jason Wong

On Saturday 30 March 2002 02:24, Omland Christopher m wrote:
 So this will work; it recognizes a real user vs. a fake one I do. But I don't
 understand what's to stop someone from directly linking to a protected
 page? For example, why couldn't someone just go directly to
 ./about.php.

You're right there's absolutely nothing to stop them from doing that.

 Does this make sense? Should I have the login form in one file and the php
 script in another? Do I need to check the http header somehow to see if
 they have logged in?

The usual way to do login is that after authentication you send the user a 
cookie. On the subsequent pages that you want to protect you check for the 
presence of a valid cookie. If one is present you let them view the page, 
otherwise redirect them to a login page or something.



-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk

/*
The only way I can lose this election is if I'm caught in bed with a dead 
girl or a live boy.
-- Louisiana governor Edwin Edwards
*/





RE: [PHP] User Authentication

2002-03-29 Thread Vail, Warren

To solve this problem, I store some variables in a session, and at the
beginning of each page that needs to be secure in my site, I check to see if
the session variable is set (usually $userid), if not I redirect the user
back to the logon page.  At least two things will cause the variable to be
missing, a direct reference to the page using the URL, and the session
having expired.

I also make it a practice of coding a page as two separate php files, the
first of which performs the test above and retrieves information and
presents it on the web page (this is my presentation layer).  The second php
program is the one that is referenced as the Action of my form or as a href
from an anchor on the form when data is not to be submitted.  This second php
program may test again for my session variable, but it does only processing
(storing data in the database, etc), then does a redirect header("Location:
page.php"); some of the redirections will take it back to the page in file one,
other redirections will take it to other pages.

The reason for this dual program style is that it avoids the problem with
using the POST method of form processing and pressing the back button on the
browser (IE and Netscape both issue an error).  Because every one of the
pages presented in my application is redirected to, they are entered by a
GET by default and the back button works fine.  The second, process-only
program can pass variables to the next form either as GET parameters
appended to the URL, or as a session variable.  A redirect cannot cause a
form to be entered with a POST method that I am aware of.

hope this helps,

Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658
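
Added example, not from any post in this thread: the login check and the per-page session guard described in the two replies above, written for current PHP. The users table, the login.php target, the 30-minute idle limit and all function names are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed idle timeout, in seconds

/** Throwaway in-memory user table so the example runs offline (constructed data). */
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (user, pass_hash) VALUES (?, ?)');
    // Only a password_hash() value is stored, never the password itself.
    $ins->execute(['chris', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/** Check a login. The user name is bound as a parameter, never pasted into the SQL text. */
function authenticate(PDO $db, string $user, string $pass): bool
{
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // Unknown user: still verify against a dummy hash so timing does not reveal valid names.
    $ok = password_verify($pass, is_string($hash) ? $hash : $dummy);
    return is_string($hash) && $ok;
}

/** Session contents to store once authenticate() has returned true. */
function session_after_login(string $user, int $now): array
{
    return ['userid' => $user, 'last_seen' => $now];
}

/**
 * Guard for the top of every protected page. Returns null when the request may
 * proceed, or the URL to redirect to when it may not.
 */
function login_redirect(array $session, int $now): ?string
{
    if (!isset($session['userid'], $session['last_seen'])) {
        return 'login.php';             // direct link to the page, no login happened
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT) {
        return 'login.php?expired=1';   // the session has gone stale
    }
    return null;
}

// In login.php, after authenticate() returns true:
//     session_regenerate_id(true);    // fresh session id at login
//     $_SESSION = session_after_login($user, time());
// At the top of about.php and every other protected page:
//     session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'use_only_cookies' => 1]);
//     if (($to = login_redirect($_SESSION, time())) !== null) { header("Location: $to"); exit; }
//     $_SESSION['last_seen'] = time();

if (PHP_SAPI === 'cli') {
    $db  = demo_db();
    $now = time();
    var_dump(authenticate($db, 'chris', 'correct horse'));   // right password
    var_dump(authenticate($db, 'chris', 'wrong'));           // wrong password
    var_dump(authenticate($db, "chr'is", 'correct horse'));  // a quote in the name is just data

    $session = session_after_login('chris', $now);
    var_dump(login_redirect([], $now));                         // direct link, no session
    var_dump(login_redirect($session, $now + 60));              // active session
    var_dump(login_redirect($session, $now + IDLE_LIMIT + 1));  // expired session
}
```

Both causes named above for a missing session variable, a direct URL and an expired session, end in the same redirect, so a protected page never renders without passing the guard first.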






Re: [PHP] User Authentication

2001-12-17 Thread Paul Burney

on 12/16/01 12:58 PM, Daniel Grace at [EMAIL PROTECTED] wrote:

 Anyways, though the 401 part works and actually brings up the typical Enter
 Username/Password box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set.
 There are no .htaccess files in the directory (or any parent dirs for that
 matter), and no AuthType directives all in my httpd.conf file. I have been
 unsuccessful in determining what is wrong, and am flat out of ideas.

My guess would be that register_globals is off.  If I recall correctly,
$PHP_AUTH_USER and $PHP_AUTH_PW need register_globals on to work like you
want them to.

Check phpinfo() to see if another variable, maybe one in the new arrays,
will give them to you.  If not, you can look for the Authorize Header and
then manually parse out the User and PW information.

Paul

<?php
/* Happy Holidays */
mysql_select_db('North_Pole');
mysql_query('SELECT reindeer FROM stable WHERE nose_color="red"');
?>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] User Authentication

2001-12-17 Thread Daniel Grace

Paul Burney [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 on 12/16/01 12:58 PM, Daniel Grace at [EMAIL PROTECTED] wrote:

  Anyways, though the 401 part works and actually brings up the typical Enter
  Username/Password box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set.
  There are no .htaccess files in the directory (or any parent dirs for that
  matter), and no AuthType directives all in my httpd.conf file. I have been
  unsuccessful in determining what is wrong, and am flat out of ideas.

 My guess would be that register_globals is off.  If I recall correctly,
 $PHP_AUTH_USER and $PHP_AUTH_PW need register_globals on to work like you
 want them to.

 Check phpinfo() to see if another variable, maybe one in the new arrays,
 will give them to you.  If not, you can look for the Authorize Header and
 then manually parse out the User and PW information.

 Paul

 <?php
 /* Happy Holidays */
 mysql_select_db('North_Pole');
 mysql_query('SELECT reindeer FROM stable WHERE nose_color="red"');
 ?>



Bah, my test page displayed a phpinfo() and I never noticed this... For some
reason

You were correct. $PHP_AUTH_USER and $PHP_AUTH_PW reside in $_SERVER under
PHP 4.1.0 (and thus presumably $HTTP_SERVER_VARS under PHP 4.0.6)

This means I can actually get back to making progress on my site...

-- Daniel Grace
Warning:  Undefined variable:  signature in email.php on line 35
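
Added example, not from either post above: reading HTTP Basic credentials from $_SERVER with a fallback that parses the raw Authorization header by hand, as suggested in the reply. The function names, the realm text and the sample account are assumptions, and HTTP_AUTHORIZATION is only present when the web server is configured to pass that header through to PHP.

```php
<?php
declare(strict_types=1);

/**
 * Return [user, password] from HTTP Basic credentials, or null when none were sent.
 * $server is the $_SERVER array, passed in so the function can be exercised offline.
 */
function basic_credentials(array $server): ?array
{
    // With PHP as a server module these are filled in for us.
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    // Otherwise parse the raw header value: "Basic " followed by base64("user:password").
    $header = (string) ($server['HTTP_AUTHORIZATION'] ?? '');
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain colons.
    return explode(':', $decoded, 2);
}

/**
 * Decide the response for one request. $users maps user name => password_hash() value.
 * Returns [status code, headers to send, authenticated user or null].
 */
function check_basic_auth(array $server, array $users, string $realm): array
{
    // The challenge carries only the realm; submitted credentials are never echoed back.
    $challenge = [401, ['WWW-Authenticate: Basic realm="' . $realm . '"'], null];

    $creds = basic_credentials($server);
    if ($creds === null) {
        return $challenge;
    }
    [$user, $pass] = $creds;
    $hash = $users[$user] ?? null;
    if (!is_string($hash) || !password_verify($pass, $hash)) {
        return $challenge;
    }
    return [200, [], $user];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample account and requests.
    $users = ['jane' => password_hash('my:password', PASSWORD_DEFAULT)];
    $requests = [
        'module style' => ['PHP_AUTH_USER' => 'jane', 'PHP_AUTH_PW' => 'my:password'],
        'raw header'   => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('jane:my:password')],
        'wrong secret' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('jane:guess')],
        'malformed'    => ['HTTP_AUTHORIZATION' => 'Basic !!!not-base64!!!'],
        'no header'    => [],
    ];
    foreach ($requests as $label => $server) {
        [$status, $headers, $user] = check_basic_auth($server, $users, 'Member Services');
        echo $label, ': ', $status, ' ', $user ?? '-', ' ', implode('; ', $headers), "\n";
    }
}
```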







[PHP] User Authentication

2001-12-16 Thread Daniel Grace

Hello,

I'm working on a website for what will eventually be free
PHP/MySQL/Apache/DNS/etc hosting (see: http://hosting.venura.net , no
requests for accounts will be entertained right now), and am having problems
trying to get HTTP Authentication working. I had it working a month or so
ago, but then I put the project on hold for awhile and came back to a mess
that wasn't -- don't know how unless I somehow broke it just before I quit
working on it.

Anyways, I'm running PHP 4.1.0 (had same problems with 4.0.6 earlier so I
know it's not some weird bug with the new version), Apache 1.3.22+mod_ssl
and Linux 2.4. I'm working (for now) with a small test script containing
this (and running on SSL, which I had no problems with earlier.)

---
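<?php

// Always answer 401 and reflect whatever credentials were received in the
// realm text, so they show up in the browser's authentication box (debugging aid).
header("HTTP/1.0 401 Unauthorized");
header("WWW-Authenticate: Basic realm=\"hosting.venura.net Member Services U:"
. $PHP_AUTH_USER
. ", P:"
. $PHP_AUTH_PW
. "\""
);

?>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>[secure]venura.net :: Unauthorized</title>
</head>
<body>
<?php phpinfo(); ?>
</body>
</html>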
---

The idea being that I can see the username/password entered in the
authentication box itself.

Anyways, though the 401 part works and actually brings up the typical Enter
Username/Password box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set.
There are no .htaccess files in the directory (or any parent dirs for that
matter), and no AuthType directives all in my httpd.conf file. I have been
unsuccessful in determining what is wrong, and am flat out of ideas.

My php.ini and httpd.conf files are available at
http://hosting.venura.net/fixme/

Any ideas?

-- Daniel Grace







[PHP] User Authentication

2001-11-13 Thread Damien Burke

Hi,

Can anyone recommend a good place on the web to learn about user
authentication?
I want users of my site to login with a username & password - once they are
logged in they can see information customised to each separate user.
Without being logged in they won't see any valuable information.
Especially issues dealing with hackers.

Thanks,
Damien







Re: [PHP] User Authentication

2001-11-13 Thread Chris Hobbs

http://www.google.com/search?q=php+mysql+user+authentication&btnG=Google+Search

First hit's a winner :)

Damien Burke wrote:

 Hi,
 
 Can anyone recommend a good place on the web to learn about user
 authentication.
 I want users of my site to login with a username & password - once they are
 logged in they can see information customised to each separate user.
 Without being logged in they won't see any valuable information.
 Especially issues dealing with hackers.
 
 Thanks,
 Damien
 
 
 
 


-- 
___  ____    _
Chris Hobbs   / \ \/ / |  | |/ ___\|  __ \
Head Geek| (___  \ \  / /| |  | | (___ | |  | |
WebMaster \___ \  \ \/ / | |  | |\___ \| |  | |
PostMaster) |  \  /  | |__| |) | |__| |
   \/\/\/ \/|_/
   http://www.silvervalley.k12.ca.us
   [EMAIL PROTECTED]






RE: [PHP] User Authentication

2001-11-13 Thread Matt Schroebel

Caveat: Don't forget to escape user input before sending to SQL.  Those samples leave 
that part to your imagination.  Bad guys might take advantage of that :)
 
 http://www.google.com/search?q=php+mysql+user+authentication&btnG=Google+Search
 
 First hit's a winner :)
 
 





[PHP] User authentication problem.

2001-11-11 Thread CaMeL

I found a lot of scripts regarding this user authentication.
But most of them are using mysql for their userlist.

What if I have a server which has users in it, and I want to reuse the
same list of users and passwords in the server?

What should I do?

Thank you


Jian An






[PHP] User authentication?

2001-11-04 Thread Daniel Alsén

Hi,

Does anyone know of any comprehensive tutorial for user authentication
session management with php4 sessions and mysql? Preferably with some sort of
code examples?

I have tried searching the larger code libraries but haven't found anything
that suits me (the ones I actually got interested in were dead links).

Regards
# Daniel Alsén| www.mindbash.com #
# [EMAIL PROTECTED]  | +46 704 86 14 92 #
# ICQ: 63006462   |  #






Re: [PHP] User Authentication against remote authentication server [ LDAP ]

2001-10-31 Thread Stig Venaas

On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
 Thanks for the link, Kurt. Can you also point to any authentication code
 examples, or further discussion? The user comments in the manual suggest
 there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
 Any additional help appreciated.

I might be able to help if you have some more precise questions, but
basically there are two ways LDAP can be used. You can either use it
as a data store or you can have LDAP make the authentication decision
for you. If you want the user to supply username and password, the
authentication can be done as follows:

As data store:

Hopefully the passwords are stored encrypted. Then there are two ways.
If the password is stored encrypted with some unknown salt where the
salt is stored together with the password (like the traditional UNIX
way), your PHP script retrieves the encrypted password from LDAP,
checks the salt, encrypts the user supplied password using the salt,
and compares the two. If you don't use a salt you can encrypt the
password from the user and just do an ldap_compare to check that it's
the same as in the LDAP server. You get better security by not allowing
people to read the encrypted passwords from LDAP. To store passwords
encrypted in LDAP, SHA1 might be a good choice, PHP has this.

As decision maker:

You can simply bind to the server on behalf of the user, you use the
user supplied username and password as arguments to ldap_bind(). If
the bind succeeds, you let the user access your stuff. In this case
you should consider using SSL/TLS for talking to the server.

There are other ways to authenticate with LDAP, RFC 2829 gives a good
overview. You can find it at for instance
http://www.ietf.org/rfc/rfc2829.txt

I could go into more detail, but to write a complete general overview
would be a lot of work. You might also have a look at a really short
presentation I've made at
http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf

Stig
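
Added example, not from the post above: the two modes it describes, sketched in PHP. The {SSHA} userPassword layout (base64 of the SHA-1 digest followed by the salt) and all function names are assumptions; the post itself names only SHA1 and a salt stored together with the password. ldap_password_ok() needs the ldap extension and a reachable directory, so the demo at the bottom exercises only the data-store check.

```php
<?php
declare(strict_types=1);

/** Build a {SSHA} value: base64( SHA1(password . salt) . salt ). */
function ssha_make(string $password, string $salt): string
{
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

/**
 * "Data store" mode: the script has fetched the stored value from the directory,
 * pulls the salt out of it, hashes the supplied password with that salt and compares.
 */
function ssha_verify(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{SSHA}', 6) !== 0) {
        return false;                         // not the scheme this function handles
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 20) {
        return false;                         // need a 20-byte digest plus a non-empty salt
    }
    $digest = substr($raw, 0, 20);
    $salt   = substr($raw, 20);
    // hash_equals() compares in constant time.
    return hash_equals($digest, sha1($password . $salt, true));
}

/**
 * "Decision maker" mode: let the directory decide by binding as the user.
 * $uri should be an ldaps:// URI so the password is not sent in clear text.
 */
function ldap_password_ok(string $uri, string $userDn, string $password): bool
{
    // A bind with an empty password is an anonymous (unauthenticated) bind and can
    // report success, so it must never be treated as a login.
    if ($userDn === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample entry: what a userPassword attribute could hold.
    $stored = ssha_make('s3cret', random_bytes(8));
    echo $stored, "\n";
    var_dump(ssha_verify('s3cret', $stored));            // correct password
    var_dump(ssha_verify('S3cret', $stored));            // wrong password
    var_dump(ssha_verify('s3cret', '{SSHA}AAAA'));       // truncated value is rejected
    var_dump(ssha_verify('s3cret', substr($stored, 6))); // missing scheme prefix is rejected
}
```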





RE: [PHP] User Authentication against remote authentication server [ LDAP ]

2001-10-31 Thread Johnson, Kirk

Thanks very much, Stig, very helpful! We are just scouting the technology
right now, so my more precise questions will come later ;) We will be using
SSL. Given that, it looks to me like decision maker mode is the way to go?

Kirk





[PHP] User Authentication against remote authentication server

2001-10-29 Thread Zhu George-CZZ010


   Sorry, this might be a little bit off the topic, but I really hope you could help
answering this question.

   It's pretty clear how to use web server to authenticate the users/groups, for
example, if we are using Apache, the userID and password will be stored in the
browser's cache, and be sent to the web server to do the authentication whenever a
page is requested.

   However, if the authentication server is not the web server, instead, it is a
remote independent server. How can we manage the user authentications at the web
server side?

   Thank you very much in advance!





Re: [PHP] User Authentication against remote authentication server

2001-10-29 Thread Frewuill Rodriguez

Maybe you can write a script (perl/php/*) which tries to check/log/whatever
on the remote user sending a login/password, so if it returns ok you can use
it to deny/allow the access to your local webserver.. it's like a kind of
authentication proxy







Re: [PHP] User Authentication against remote authentication server

2001-10-29 Thread Kurt Lieber

 However, if the authentication server is not the web server, instead,
 it is a remote independent server. How can we manage the user
 authentications at the web server side?

Use LDAP.  

http://www.php.net/manual/en/ref.ldap.php





RE: [PHP] User Authentication against remote authentication server [ LDAP ]

2001-10-29 Thread Johnson, Kirk

Thanks for the link, Kurt. Can you also point to any authentication code
examples, or further discussion? The user comments in the manual suggest
there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
Any additional help appreciated.

TIA

Kirk

 -Original Message-
 From: Kurt Lieber [mailto:[EMAIL PROTECTED]]
 Sent: Monday, October 29, 2001 3:58 PM
 To: PHP General List
 Subject: Re: [PHP] User Authentication against remote authentication
 server [ LDAP ]
 
 
  However, if the authentication server is not the web server, instead,
  it is a remote independent server. How can we manage the user
  authentications at the web server side?
 
 Use LDAP.  
 
 http://www.php.net/manual/en/ref.ldap.php
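
The ldap_bind approach asked about above, as an added example (not code from any poster in this thread; it needs PHP's ldap extension): the web server looks up the user's DN and lets the directory check the password by binding as that user. The server URI, base DN and uid attribute are assumptions.

```php
<?php
// Added example. LDAP_URI, LDAP_BASE and the uid attribute are assumptions.
const LDAP_URI  = 'ldaps://ldap.example.org';
const LDAP_BASE = 'ou=people,dc=example,dc=org';

function ldap_authenticate(string $username, string $password): bool
{
    // A simple bind with an empty password is an unauthenticated bind that
    // many directories accept, so it must never count as a login.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Escape the name before it goes into the filter, otherwise filter
    // metacharacters in the input change what the search matches.
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $search = @ldap_search($conn, LDAP_BASE, $filter, ['uid'], 0, 2);
    if ($search === false) {
        ldap_unbind($conn);
        return false;
    }

    // Exactly one entry must match; zero or several is a failed login.
    $entries = ldap_get_entries($conn, $search);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }

    // Binding as the user's DN makes the directory verify the password;
    // the web server never reads or compares the stored value.
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}

// Constructed call: an empty password is refused before any network traffic.
var_dump(ldap_authenticate('kirk', ''));
```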





[PHP] User Authentication / only 1 login per user at any time

2001-09-10 Thread Lewi Hirvela

Hi, 

With most of my scripts, when I am about to write something, I have it in my
head on how to do it exactly.. But with only 1 login per user at anytime, I
haven't found any good ways to do it,

All I can think of is to set a mysql field called "logged_in" to "1" or "0"
if logged in or not, but the problem with that is if you close the browser,
it will stay "logged_in=1",

Is the way around that problem to do some sort of timeout code that checks
all "logged_in" in the whole table and also a field where it logged the last
time the user accesses a page, to see if the user has accessed a page within
20 minutes .. Or is there a better way to do it?
Thanks,
Lewi



Re: [PHP] User Authentication / only 1 login per user at any time

2001-09-10 Thread Michael Kimsal

Hi there:

We have this functionality built into our core framework
with our custom session handling.  The basic premise is that you don't
store a 1/0 in a 'logged in' flag, but store the session key with the username.

When someone logs in, assign their session key to that username.  The
previous session key associated with that username will be overwritten,
and that user will no longer be able to do anything, because they have
no data associated with their session.


To do it like this, you'd need to come up with your own mechanism for
deciding if someone was no longer valid - we tie that to session data.
No session data, no access.

If I log in with your username, you are guaranteed to be 'kicked off'.  


Hope that helps...

Lewi Hirvela wrote:

Hi, 

With most of my scripts, when I am about to write something, I have it in my
head on how to do it exactly.. But with only 1 login per user at anytime, I
haven't found any good ways to do it,

All I can think of is to set a mysql field called "logged_in" to "1" or "0"
if logged in or not, but the problem with that is if you close the browser,
it will stay "logged_in=1",

Is the way around that problem to do some sort of timeout code that checks
all "logged_in" in the whole table and also a field where it logged the last
time the user accesses a page, to see if the user has accessed a page within
20 minutes .. Or is there a better way to do it?
Thanks,
Lewi 



Michael Kimsal
http://www.tapinternet.com/php
PHP Training Courses
734-480-9961
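
The session-key-per-username idea from the reply above, combined with the 20 minute idle check from the question, as an added example (not the framework code the reply refers to). The users table, its column names and the choice to store a hash of the session id are assumptions.

```php
<?php
// Added example. Table and column names are assumptions; SQLite in memory
// stands in for the real user database so the script runs from the CLI.
const IDLE_LIMIT = 1200; // the 20 minutes from the question, in seconds

function key_for_session(): string
{
    // Store a hash so a leaked users table does not expose live session ids.
    return hash('sha256', session_id());
}

function register_login(PDO $db, string $username): void
{
    session_regenerate_id(true); // new id for the authenticated session
    $_SESSION['username'] = $username;
    // Overwriting the stored key is what invalidates any earlier login.
    $db->prepare('UPDATE users SET session_key = ?, last_seen = ? WHERE username = ?')
       ->execute([key_for_session(), time(), $username]);
}

function session_is_current(PDO $db): bool
{
    $username = $_SESSION['username'] ?? '';
    $stmt = $db->prepare('SELECT session_key, last_seen FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $current = $row !== false
        && hash_equals((string) $row['session_key'], key_for_session())
        && time() - (int) $row['last_seen'] <= IDLE_LIMIT;
    if (!$current) {
        $_SESSION = []; // superseded or idle too long: drop the session data
        return false;
    }
    $db->prepare('UPDATE users SET last_seen = ? WHERE username = ?')
       ->execute([time(), $username]);
    return true;
}

// Constructed demonstration.
session_start();
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, session_key TEXT, last_seen INTEGER)');
$db->exec("INSERT INTO users (username) VALUES ('lewi')");
register_login($db, 'lewi');
var_dump(session_is_current($db));
// A login from another browser stores a different key for the same user ...
$db->exec("UPDATE users SET session_key = 'key-of-newer-session' WHERE username = 'lewi'");
// ... so this session no longer matches the stored key and is refused.
var_dump(session_is_current($db));
```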






[PHP] User authentication

2001-08-09 Thread De Bodemschat - Geologisch Verzendhuis

Hello,

I set up a user-auth script that checks $PHP_AUTH_USER & $PHP_AUTH_PW
against a db with login/pwd information, but on the server my site is hosted
on this doesn't work because PHP runs as cgi.


How do I do this with PHP running as a cgi?

Thanks in advance.
Regards

Bart






[PHP] User Authentication

2001-07-03 Thread Jason Rennie

Hi all,

Is there a way in php4 to authenticate a user against the system
passwords?

I have to write a php program to handle student assignment submissions.

These users need to be authenticated against a WinNT PDC.

Samba has a package called winbind that will let me map the pdc's
usernames and groups onto the unix ones, with the help of pam.

Now I then need to access those through (I assume) the unix getpwent and
getgrent commands, so that winbind will be used as the service to lookup
the names and passwords.

Is this functionality available in php ?

If not, anybody got any pointers on how to go about writing a wrapper for
php for this ??

Jason







[PHP] user authentication

2001-05-09 Thread Jerry Lake

Does anyone know of a good user authentication/sessions
tutorial for php 4? I've looked through the ones at phpbuilder
and they are not quite as in-depth as I would like.

Jerry Lake- [EMAIL PROTECTED]
Interface Engineering Technician
Europa Communications - http://www.europa.com
Pacifier Online - http://www.pacifier.com







Re: [PHP] user authentication

2001-05-09 Thread Philip Olson

try :

  http://www.zend.com/zend/tut/authentication.php

regards,
philip


On Wed, 9 May 2001, Jerry Lake wrote:

 Does anyone know of a good user authentication/sessions
 tutorial for php 4? I've looked through the ones at phpbuilder
 and they are not quite as in-depth as I would like.
 
 Jerry Lake- [EMAIL PROTECTED]
 Interface Engineering Technician
 Europa Communications - http://www.europa.com
 Pacifier Online   - http://www.pacifier.com
 
 
 




RE: [PHP] User Authentication

2001-02-27 Thread Krznaric Michael

Try this, it works for me.

Mike

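<?php
// $PHP_AUTH_USER and $PHP_AUTH_PW are set by register_globals (PHP 4);
// later PHP versions provide them as $_SERVER['PHP_AUTH_USER'] and
// $_SERVER['PHP_AUTH_PW'].

// No credentials sent yet: ask the browser to prompt for them.
if(!isset($PHP_AUTH_USER)) {
    Header("WWW-Authenticate: Basic realm=\"User Database\"");
    Header("HTTP/1.0 401 Unauthorized");
    echo "<H1>ERROR</H1>You must enter a correct username and password in order to proceed\n";
    exit;
}
else {
    // Compare the supplied credentials with the hard-coded pair.
    if ($PHP_AUTH_USER=="admin" && $PHP_AUTH_PW=="love2change"){
        print "You are successfully authenticated";
    }
    else {
        Header("WWW-Authenticate: Basic realm=\"User Database\"");
        Header("HTTP/1.0 401 Unauthorized");
        echo "You did not supply proper credentials and are therefore denied login\n";
        exit;
    }
}
?>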


-Original Message-
From: Amer Alhabsi [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 27, 2001 1:42 AM
To: [EMAIL PROTECTED]
Subject: [PHP] User Authentication


Hi,

I'm trying to use an authentication method I found in a tutorial in the
net. The server prompts for username/password. But if I enter the hard coded
values (or any other values) the server rejects them with a message
authorization failed.

I use PHP 4 as a module on IIS

Thanks very much for any help,


here is the program I got from the tutorial.


<?php

// Prompt again unless both values are present and match the hard-coded pair.
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
 || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {

    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;

} else {

    echo 'Success!';

}
?>
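
The same HTTP Basic check as in the scripts above, as an added example (not code from either poster) that reads the credentials from $_SERVER and verifies a stored password hash instead of comparing a plaintext string. The user table, the demo password and the function names are constructed for the example.

```php
<?php
// Added example. The credential table is constructed; in practice the hashes
// come from the user database and are created once with password_hash().
$users = ['admin' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];

function basic_auth_user(array $server, array $users): ?string
{
    // register_globals variables such as $PHP_AUTH_USER no longer exist;
    // the same values arrive in $_SERVER.
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return null;
    }
    // Unknown names are checked against a throwaway hash so the response
    // time does not show which usernames exist.
    $known = isset($users[$user]);
    $hash  = $known
        ? $users[$user]
        : password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    return (password_verify($pass, $hash) && $known) ? $user : null;
}

function require_basic_auth(array $users): string
{
    $user = basic_auth_user($_SERVER, $users);
    if ($user === null) {
        // Headers go out before any body text, and one branch covers both
        // "no credentials" and "wrong credentials".
        header('WWW-Authenticate: Basic realm="User Database"');
        http_response_code(401);
        echo 'You must enter a correct username and password in order to proceed';
        exit;
    }
    return $user;
}

// Constructed requests, passed in place of $_SERVER so this runs from the CLI.
var_dump(basic_auth_user(['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'constructed-demo-password'], $users));
var_dump(basic_auth_user(['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'wrong'], $users));
var_dump(basic_auth_user([], $users));
```

Basic credentials are resent by the browser with every request in base64, not encrypted, so a page protected this way should only be served over HTTPS.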








[PHP] User Authentication

2001-02-26 Thread Amer Alhabsi

Hi,

I'm trying to use an authentication method I found in a tutorial in the
net. The server prompts for username/password. But if I enter the hard coded
values (or any other values) the server rejects them with a message
authorization failed.

I use PHP 4 as a module on IIS

Thanks very much for any help,


here is the program I got from the tutorial.


<?php

// Prompt again unless both values are present and match the hard-coded pair.
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
 || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {

    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;

} else {

    echo 'Success!';

}
?>




