Re: [PHP] user auth
On Thu, 30 May 2002, Justin Blake wrote:
> I will soon be developing a user authentication system with different
> access levels. I will need to check the users against a mysql database.
> How secure is checking for a session var, and then redirecting with
> header('Location:...') ? Is there a way to get around this method of
> protection?

That's the worst security scheme I've ever heard of. Anyone can just look at where the redirect points to and go there.

You should keep the session active throughout your secured area and check against a session variable at the top of each page.

miguel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] user auth
On Thu, May 30, 2002 at 11:46:29PM -0400, Justin Blake wrote:
> I will soon be developing a user authentication system with different
> access levels. I will need to check the users against a mysql
> database. How secure is checking for a session var, and then
> redirecting with header('Location:...') ? Is there a way to get around
> this method of protection?

I'm no expert on this, but I don't think sessions in PHP have any security embedded in them by themselves; you could just try to do a brute-force attack on session IDs (good luck :). But what you yourself could do is keep track of e.g. the IP address of the user and check that it doesn't change... if it does, then maybe someone is trying something fishy.

--
Daniel Tryba
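Added example, not part of either reply above: a guard file that performs the per-page session check from the first reply and the IP-change check from the second, and stops the script after any redirect. The file name, session keys and /login.php are assumed names.

```php
<?php
// auth_guard.php: added example; include at the top of every protected page,
// before any output. Session keys and /login.php are assumed names.

function client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

// Call once after the username/password check against the database succeeds.
function start_authenticated_session(int $userId, int $level): void
{
    session_regenerate_id(true);          // new ID at login, drop the old one
    $_SESSION['user_id'] = $userId;
    $_SESSION['level']   = $level;        // access level from the user table
    $_SESSION['ip']      = client_ip();   // remembered for the change check
}

// Pure decision function: 'ok', 'login' (not authenticated or IP changed)
// or 'forbidden' (authenticated, level too low).
function check_access(array $session, string $ip, int $requiredLevel): string
{
    if (!isset($session['user_id'], $session['level'], $session['ip'])) {
        return 'login';
    }
    if (!hash_equals($session['ip'], $ip)) {
        return 'login';
    }
    return $session['level'] >= $requiredLevel ? 'ok' : 'forbidden';
}

function require_level(int $requiredLevel): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $verdict = check_access($_SESSION, client_ip(), $requiredLevel);
    if ($verdict === 'ok') {
        return;                           // page continues for this user only
    }
    if ($verdict === 'login') {
        $_SESSION = [];
        session_destroy();                // IP changed or no login: start over
        header('Location: /login.php');
    } else {
        http_response_code(403);
    }
    exit;   // without this the protected page would still run after the redirect
}
```

A protected page starts with `require 'auth_guard.php'; require_level(2);`. Clients behind rotating proxies or mobile networks change address mid-session, so the IP check sends them back to the login page.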
RE: [PHP] user auth.. with mysql and cookies.. help
It's basically saying that you are outputting stuff to the browser before you are setting the cookies, which is a no go. All header requests (header() & setcookie()) must be run before any text is outputted. Thus, the most common error is that after or before your php tags is empty space, which to PHP is considered outputted text, and you won't be able to set any headers. Other than that you might be setting cookies after you have echo'd templates or some such.

- James
--
W: www.londontown.com
@: [EMAIL PROTECTED]
--

-----Original Message-----
From: Anton Heryanto [mailto:[EMAIL PROTECTED]]
Sent: 30 May 2002 11:44
To: [EMAIL PROTECTED]
Subject: [PHP] user auth.. with mysql and cookies.. help

Sorry to bother all of you with my same question. I was learning to make user auth with mysql and using cookies, and I have trouble with this error message:

Warning: Cannot add header information - headers already sent by (output started at ../functions.inc:54) in ../functions.inc on line 49
Warning: Cannot add header information - headers already sent by (output started at ../functions.inc:54) in ../functions.inc on line 50
Warning: Cannot add header information - headers already sent by (output started at ../functions.inc:54) in ../functions.inc on line 51
Warning: Cannot add header information - headers already sent by (output started at ../functions.inc:54) in ../login.php on line 12

In this case I use 4 files:

1) index.html -- sending data (method post to login.php);
2) login.php
3) function.inc -- all the functions I use
4) common.inc -- global variables;

2. login.php

    http://$http_host/$docroot/report.php");
        exit();
    } else {
        header("Location:http://$http_host/$docroot/error1.htm");
        exit();
    }

3. function.inc

    %s\n",$message);
    }

    function authenticateUser($user, $password)
    {
        global $host, $httphost, $user_db, $password_db, $db, $docroot;

        // Connect to MySQL; report the error and fail if that is not possible.
        if (! ($link = mysql_pconnect($host, $user_db, $password_db))) {
            DisplayErrMsg(sprintf("internal Error %d: %s \n", mysql_errno(), mysql_error() ));
            DisplayErrMsg(sprintf("internal Error %s %s %s %d: %s \n", $host, $user, $password, mysql_errno(), mysql_error() ));
            return 0;
        }

        // Look up the row for this user id.
        if (! ($result = mysql_db_query("$db","select * from user_login where userid = '$user'"))) {
            DisplayErrMsg(sprintf("internal Error %d: %s \n", mysql_errno(), mysql_error() ));
            return 0 ;
        }

        // Succeed only on a non-empty password that matches the stored one.
        if (($row = mysql_fetch_array($result)) && ($password==$row["password"] && $password != ""))
            return 1;
        else
            return 0;
    }

    function deleteCookies()
    {
        global $total_items;  // without this the loop bound is undefined inside the function
        for ($i=0; $i<$total_items; $i++) {
            setcookie("items_tray[$i]","");
            setcookie("quantity[$i]","");
        }
        setcookie("items_tray","");
        setcookie("total_items","");
        setcookie("quantity","");
    }
    ?>

and 4. common.inc ~

Could you tell me what and where is the mistake ...

Thanks to all of you for all your kindness.

regards
anton
--Linux is Power---
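Added example, not code from the thread: the same lookup written so that a failure produces no output before header() and the user id is never placed into the SQL string. It assumes a PDO handle in exception mode and that user_login.password stores a password_hash() value; redirectTo() is a hypothetical helper.

```php
<?php
// Added example: no whitespace before the opening tag and no closing tag at
// the end of the file, so including it sends no output ahead of the headers.
// Assumptions: $pdo is a PDO handle in exception mode (the default since
// PHP 8) and user_login.password holds a password_hash() value.

function authenticateUser(PDO $pdo, string $user, string $password): bool
{
    if ($user === '' || $password === '') {
        return false;
    }
    try {
        // Placeholder instead of interpolating $user into the SQL string.
        $stmt = $pdo->prepare('SELECT password FROM user_login WHERE userid = ?');
        $stmt->execute([$user]);
        $hash = $stmt->fetchColumn();     // false when no such user
    } catch (PDOException $e) {
        // Log server-side: printing here would be output before header(),
        // and the message must never include the submitted password.
        error_log('authenticateUser: ' . $e->getMessage());
        return false;
    }
    return is_string($hash) && password_verify($password, $hash);
}

// Hypothetical helper: redirect, or record where output started if it is
// already too late to send a header.
function redirectTo(string $url): void
{
    // headers_sent() fills in the file and line where output began, the same
    // location the "headers already sent" warning names.
    if (headers_sent($file, $line)) {
        error_log("cannot redirect, output started at $file:$line");
        exit;
    }
    header('Location: ' . $url);
    exit;
}
```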
RE: [PHP] user auth script update.
Never mind Matt, I noticed the missing ); on line 65.

Thanks for your help.

Matt.

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: 16 February 2002 12:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] user auth script update.

> I am now getting the parse error on line 64
> $sql_authorisation = "SELECT * FROM account_details WHERE
> account_name='$login_username' AND
> account_password=PASSWORD('$login_password');

You're missing the closing " on the last line above.
Re: [PHP] user auth script update.
> I am now getting the parse error on line 64
> $sql_authorisation = "SELECT * FROM account_details WHERE
> account_name='$login_username' AND
> account_password=PASSWORD('$login_password');

You're missing the closing " on the last line above.
Re: [PHP] user auth
On Friday 14 September 2001 17:01, you wrote:

If you want to work with the passwords that originally are in the shadow file, your webserver needs to have read permissions for the shadow file, which is no good idea. You could parse out the passwords from the shadow file and write them into an extra password file only readable for the webserver, which is no good idea either. Or you could use a patched PAM module which checks the passwords for you, which is the best solution I can think of.

But if you want to do a webmail, you actually don't need to check the password. Your imap/pop-server will do that for you.

BTW: There already are lots of webmails in PHP, just check nocc.sourceforge.net for example, and there are many others.

> Hello all! I a relatively newbie in PHP, so my question may appear silly:
>
> Please tell me if anyone has knowledge of
> authenticating a user based on his username and password
> from Linux system (shadow or anything).
> I want to make a php WebMail. Also, i want to make
> a ssh virtual web client for the registered user.
>
> Any help would be appreciated.
> Thanks,

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
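Added example, not part of the reply above: letting the IMAP server check the password, so the web server never reads the shadow file. It uses PHP's imap extension; the mailbox string (host, port, TLS) and the account-name pattern are assumptions for the local setup.

```php
<?php
// Added example; requires PHP's imap extension. The host, port and the
// username pattern are assumptions to adapt to the local mail server.

const IMAP_MAILBOX = '{localhost:993/imap/ssl}INBOX';

function imap_login_ok(string $user, string $password): bool
{
    // Accept only plain account names, so nothing the client sends can carry
    // control characters or unexpected syntax to the mail server.
    if ($password === '' || !preg_match('/^[a-z_][a-z0-9_.-]{0,31}$/', $user)) {
        return false;
    }
    // OP_HALFOPEN: authenticate without selecting a mailbox; retries = 1
    // means a single attempt. '@' keeps the failure warning out of the page,
    // where it would count as output before any header().
    $conn = @imap_open(IMAP_MAILBOX, $user, $password, OP_HALFOPEN, 1);
    imap_errors();            // drain the extension's error stack
    if ($conn === false) {
        return false;
    }
    imap_close($conn);
    return true;
}
```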