Dev Articles Community Forums > Community > Development Tutorials
Article Discussion: Security and Sessions in PHP

#1 maxnix (Registered User), August 22nd, 2003, 10:56 PM

Sessions?

I'm going to state the obvious here....

Why confuse readers about the use of sessions? More to the point, why emulate PHP sessions to begin with?

Nothing wrong with the attempt, but it seems odd that you would write an article that "reinvents the wheel" ;-)

Also, in your code...

$sQuery = "
Select ...";

$hResult = mysql_query($sQuery, $hDB);
if(mysql_affected_rows($hDB)) {
...
}

From the PHP manual...

mysql_affected_rows() does not work with SELECT statements; only on statements which modify records. To retrieve the number of rows returned by a SELECT, use mysql_num_rows().

Thanks,
Max.

#2 JAgostoni (PHP Developer), August 23rd, 2003, 09:29 AM

Max:

Thanks for your feedback. I always appreciate the "obvious" points of view because it is usually that which drives me to write such scripts (Oh yeah, thanks for pointing out the typos and such, I think I wrote this from memory)

The original rationale for writing this was to avoid using PHP's built-in sessions. Why? Several reasons:

(1) I was "raised" programming in ASP and I despised ASP session handling so naturally I have a distrust of all built-in session handling.

(2) Because I was lazy when I compiled PHP and left out sessions (that was a long time ago and I have yet to recompile). This is a stupid reason, I admit.

(3) Simply as an exercise in an alternative means to handle your own sessions. You have complete control at this point and do not depend on the O/S or PHP engine for the sessions. For example, PHP sessions have to put your data somewhere and that somewhere is on the filesystem (usually in a temp dir like /tmp). I, personally, like to have more control than that. My reasons may be unfounded (PHP sessions work quite well, actually) but I am nuts like that.

Again, thanks for the correction on the mysql_affected_rows().

Jason

#3 maxnix (Registered User), August 24th, 2003, 10:02 AM

Sessions?

>>(1) I was "raised" programming in ASP and I despised ASP session handling so naturally I have a distrust of all built-in session handling.<<

Ah...a converted ASP coder! All is forgiven ;-)

Thanks,
Max

#4 JAgostoni (PHP Developer), August 24th, 2003, 09:36 PM

I am forced into "ASP" labor by the corporate giant. My heart belongs to all things Unix(like), C and PHP.

#5 maxnix (Registered User), August 24th, 2003, 11:05 PM

Sessions?

I understand completely. I still occasionally dabble with VB/VBA projects at work because I have to (MS Office you know...), but nothing anymore for production work. Sadly, traditional VB is now dead as far as I can tell.

Nothing wrong with ASP per se, I almost took that plunge myself when *we* were converting at work from PC-based to Web-based programs.

Alas, I was fortunate enough to steer my company away from being assimilated into the Borg (.Net), and am now pretty much a PHP/MySQL freak. ;-)

Thanks,
Max

#6 JAgostoni (PHP Developer), August 27th, 2003, 03:00 PM

Just as a final clarification of the typo Max found. You should change:

mysql_affected_rows($hDB)

to

mysql_num_rows($hResult)


Thanks for understanding

#7 neutcomp (Registered User, The Netherlands), August 30th, 2003, 06:54 AM

Question

Is the comment already fixed in the article?

I think you should also check if the connection with the database is working, if not display this.

Cya
Bjorn

#8 JAgostoni (PHP Developer), August 30th, 2003, 09:26 AM

Thanks for the reply. I do not have the ability to fix the article itself so I'll leave that up to the site operators (I do not think it is already changed).

There are many improvements to this script and one of them is better error checking. I leave most of the "un-fun" stuff up as an "exercise" to the reader so that the point I am making with the article is clearer. Of course, that means I am spreading evil coding practices to those that do not take the time to improve the script.

I'd like to see lots of suggestions for this exercise so that would-be readers can see all the different things one can do.

#9 icetea1980 (Registered User), September 2nd, 2003, 05:47 PM

Lend an eye please?

I am a newbie... unfortunately...

I liked this article... in fact, I have read it over and over dozens of times...

but I still couldn't figure out the problem with the script I modified...

Everything seems to work fine. When an unauthorized entry is input it refers back to login.php. However, when an authorized user logs in, it doesn't refer to the page I want it to...
Did I miss something?... Can you lend me an eye to see what seems to be the block?

the LoginAction.php:

<?php
// Check if the information has been filled in
if($psEmail == '' || $psPassword == '') {
// No login information
header('Location: URL'.urlencode($psRefer));
} else {
// Authenticate user
$hDB = mysql_connect('localhost', 'XXXX', 'XXXXXXXX');
mysql_select_db('abna_ca', $hDB);
$sQuery = "
Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
From tblUsers
Where sEmail = '$psEmail'
And sPassword = password('$psPassword')";
$hResult = mysql_query($sQuery, $hDB);
if(mysql_num_rows($hResult)) {
$aResult = mysql_fetch_row($hResult);
// Update the user record
$sQuery = "
Update tblUsers
Set sGUID = '$aResult[1]'
Where iUser = $aResult[0]";
mysql_query($sQuery, $hDB);
// Set the cookie and redirect
setcookie("session_id", $aResult[1]);
if(!$psRefer) $psRefer = 'http://www.abna/moreinfo/contact.html';
header('Location: URL'.$psRefer);
} else {
// Not authenticated
header('Location: login.php?refer='.urlencode($psRefer));
}
}
?>

Obviously the database is connected because it can tell whether a user is authorized or not; it just can't seem to get to the page referred to afterwards...

#10 JAgostoni (PHP Developer), September 6th, 2003, 09:10 PM

Just a quick once through (I just got back from vacation, I'll give it a better look later). It looks as if some of the URLs are invalid (missing the .ca). Let me know if that has anything to do with it.

Jason

#11 CKen (Registered User), September 16th, 2003, 02:38 PM

Got trouble too

Hello,

Like icetea above, I'm also a newbie and I'm also having trouble getting this to work. I really liked the article and it suits a particular need I have perfectly, so I'd really love to make it work.

I did a couple of minor changes, including calling the table tblAdmins, and the field iUser is called iAdmins.

My problem is that I get nowhere... after clicking the submit button, it just takes me to the admlogin.php page even though the entry exists in the table. This is my code - ANY help greatly appreciated as I have spent hours trying to figure out the problem:

<?php
// Check if the information has been filled in
if($psEmail == '' || $psPassword == '') {
// No login information
header('Location: adminlogin.php?refer='.urlencode($psRefer));
} else {
// Authenticate user
$hDB = mysql_connect('mysql.plainhost.com', 'userxxxxx', 'pwdxxxxxxx');
mysql_select_db('dbxxxx', $hDB);
$sQuery = "
Select iAdmins, MD5(UNIX_TIMESTAMP() + iAdmins + RAND(UNIX_TIMESTAMP())) sGUID
From tblAdmins
Where sEmail = '$psEmail'
And sPassword = password('$psPassword')";
$hResult = mysql_query($sQuery, $hDB);
if(mysql_num_rows($hResult)) {
$aResult = mysql_fetch_row($hResult);
// Update the user record
$sQuery = "
Update tblAdmins
Set sGUID = '$aResult[1]'
Where iAdmins = $aResult[0]";
mysql_query($sQuery, $hDB);
// Set the cookie and redirect
setcookie("session_id", $aResult[1]);
if(!$psRefer) $psRefer = 'index.htm';
header('Location: index.htm'.$psRefer);
} else {
// Not authenticated
header('Location: adminlogin.php?refer='.urlencode($psRefer));
}
}
?>


Thanks a whole lot for any pointers.


Ken

#12 marshjs (Registered User), September 16th, 2003, 05:34 PM

What about session_start()

Why didn't you use the session functions in PHP, like session_start() or session_register()?

Is there a difference in what you present in the article, and session functions in PHP?

Thanks. Good article.

#13 JAgostoni (PHP Developer), September 16th, 2003, 08:35 PM

Re: Got trouble too

Ken:

Double check the following line:
Quote:
Set sGUID = '$aResult[1]'


Check the database record to see if it is actually getting set to the GUID or if it is something else. If the GUID isn't getting set, construct the SQL string the hard way: ... Set sGUID = '".$aResult[1]."' etc...

Also, make sure the query which checks the password is indeed returning something. Try putting echo() statements or print_r() statements at each place a variable could change to see what its value is at any given time.

If this still doesn't work, zip up all your scripts and attach them to a message here. I'll take a look that way.

#14 JAgostoni (PHP Developer), September 16th, 2003, 08:37 PM

Re: What about session_start()

Quote:
Originally posted by marshjs
Why didn't you use the session functions in PHP, like session_start() or session_register()?

Is there a difference in what you present in the article, and session functions in PHP?


The original purpose of this article was an exercise in NOT using PHP's built-in session handling. This concept can also be applied to other programming languages. For example, ASP's session handling is very inefficient so I implemented something very similar. Call it a distrust for built-in session handling in general. I like total control of my apps.

#15 JAgostoni (PHP Developer), September 16th, 2003, 08:39 PM

icetea: Any luck? Take a look at my response to Ken to see if that helps. Same goes for you, if you are still having problems, zip up all your scripts (perhaps with some SQL to build the database table the way you have it) and post it to this board. I'll be happy to help.

J

#16 JAgostoni (PHP Developer), October 4th, 2003, 02:52 PM

Cookies on IIS

To anyone having unresolved issues with this script: one thing that I just discovered is that IIS running PHP is a real pain with cookies. If you have a page that sets a cookie and immediately redirects using the header('Location: ...') call then the cookie will not get set. The solution to this is to set the cookie, write some output and use JavaScript to redirect the page.

This would mean you have to change LoginAction.php to adhere to this. Please send me a private message if you think you are one of these people and I'll help you out.

Thanks,
Jason

#17 Streamweaver (Registered User), October 9th, 2003, 08:39 AM

First I want to thank the author for this article, it's been a big help.

I'm moderately competent with PHP in general but haven't written a lot of authentication scripts.

I am currently trying to work with a modified version of this script (you can find the files in a zip file here).

It seemed (and I don't know that it is, it only seemed) that if a hacker read the cookie containing the sGUID they could possibly pass that to log in as long as the real user hasn't logged in again since the last session.

I wasn't sure if this addition is worthwhile or not, but I added the following additional check and wanted to get your opinions as to whether this is worthwhile or a waste of time.

When a user is authenticated properly in LoginAction.php I insert the sGUID hash and an additional hash that is built by combining the user's browser info and IP number. This isn't stored in a cookie and is instead rechecked every time the sGUID is checked in the auth.php include.

Is this extra check actually helping?

#18 JAgostoni (PHP Developer), October 9th, 2003, 08:46 AM

Any additional check could work. But probably the best deal is if you have expiration built in twofold:

(1) Expire the cookie
You have the cookie itself expire after, say, 20 minutes of inactivity. Each time the session include file is hit you would have to refresh the cookie.

(2) Expire the field in the database
In your session script, you could run a delete query that would cleanup any GUIDs that have been inactive for 20 minutes. You would need a date/timestamp field on your user table and you would need to keep that up to date as well.

Another thing you can do is use the secure flag of setcookie(). That will encrypt the cookie on the user's computer.

There are many things you can do but a persistent hacker will eventually find his way into a system that he is targeting. He could have easily packet sniffed the line for cleartext passwords if you aren't using SSL.

Jason

#19 JAgostoni (PHP Developer), October 9th, 2003, 08:47 AM

An even simpler version would be for you to track JUST the IP in the user table (no need to hash it). But in either scenario, AOL users will get kicked off frequently because of AOL's Mega Proxy. It frequently changes IP addresses in the middle of the user's session.

#20 Streamweaver (Registered User), October 9th, 2003, 10:23 AM

Quote:
Originally posted by JAgostoni
(2) Expire the field in the database


Ok, sorry to be ignorant but how would I do this?

#21 JAgostoni (PHP Developer), October 9th, 2003, 10:29 AM

I would do something like this:

- Add a date field to the table where you have stored the GUID
- In your session include file add the following:
  * Update statement that updates this field each time the user hits it
  * Update statement that nulls the GUID for all records having this date field older than your timeout (e.g. 20 minutes)

Does this make sense?

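A working version of the twofold expiry from #18 and #21, added here as an example (not the article's or any poster's code). It assumes a dtLastSeen column next to sGUID in tblUsers, PHP 7.4+ with PDO and SQLite so it runs stand-alone (the thread uses the mysql_* functions against MySQL; the SQL is plain enough to port), and it swaps the thread's MySQL PASSWORD() and MD5-of-timestamp GUID for password_hash() and random_bytes():

```php
<?php
// Added example, not from the article or the thread. Implements #21's three steps
// (date field; refresh it on every hit; null out GUIDs idle past the timeout) plus
// #18's cookie-side expiry. Assumed schema: tblUsers with an extra dtLastSeen column
// holding the Unix time of the last authenticated hit.

const SESSION_TIMEOUT = 20 * 60;   // 20 minutes of inactivity, as in the thread

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblUsers (
        iUser INTEGER PRIMARY KEY AUTOINCREMENT,
        sEmail TEXT NOT NULL,
        sPassword TEXT NOT NULL,
        sGUID TEXT,
        dtLastSeen INTEGER)');
    // Constructed test user (same credentials TinnyFusion uses later in the thread);
    // password_hash() stands in for MySQL's PASSWORD().
    $ins = $db->prepare('INSERT INTO tblUsers (sEmail, sPassword) VALUES (?, ?)');
    $ins->execute(['test@test.com', password_hash('test', PASSWORD_DEFAULT)]);
    return $db;
}

// LoginAction.php equivalent: verify credentials, issue a token, record the hit.
// Returns the token to put in the session_id cookie, or null on failure.
function login(PDO $db, string $psEmail, string $psPassword, int $now): ?string {
    $q = $db->prepare('SELECT iUser, sPassword FROM tblUsers WHERE sEmail = ?');
    $q->execute([$psEmail]);               // bound parameter, no string interpolation
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($psPassword, $row['sPassword'])) {
        return null;
    }
    // CSPRNG token in place of the thread's MD5(UNIX_TIMESTAMP() + iUser + RAND(...)).
    $token = bin2hex(random_bytes(16));
    $u = $db->prepare('UPDATE tblUsers SET sGUID = ?, dtLastSeen = ? WHERE iUser = ?');
    $u->execute([$token, $now, $row['iUser']]);
    return $token;
}

// incSession.php equivalent. First null every GUID idle longer than the timeout,
// then look the presented token up, then refresh dtLastSeen for the matched user.
// Returns iUser, or null when the caller should redirect to the login page.
function checkSession(PDO $db, ?string $token, int $now): ?int {
    $db->prepare('UPDATE tblUsers SET sGUID = NULL
                  WHERE sGUID IS NOT NULL AND dtLastSeen < ?')
       ->execute([$now - SESSION_TIMEOUT]);
    if ($token === null || $token === '') {
        return null;                       // no cookie at all
    }
    $q = $db->prepare('SELECT iUser FROM tblUsers WHERE sGUID = ?');
    $q->execute([$token]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;                       // no match, or already expired above
    }
    $db->prepare('UPDATE tblUsers SET dtLastSeen = ? WHERE iUser = ?')
       ->execute([$now, $row['iUser']]);
    return (int) $row['iUser'];
}

// Cookie half of the expiry (#18, item 1): re-issue the cookie on every hit with a
// fresh expiry. Note that the secure flag only restricts the cookie to HTTPS and
// HttpOnly keeps page scripts from reading it; neither encrypts the value, which is
// why the token itself has to be unguessable.
function sessionCookieOptions(int $now): array {
    return [
        'expires'  => $now + SESSION_TIMEOUT,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Walk-through with a fixed clock so the timeout is observable without waiting.
$db  = openDb();
$t0  = 1700000000;
assert(login($db, 'test@test.com', 'wrong', $t0) === null);
$tok = login($db, 'test@test.com', 'test', $t0);
assert(checkSession($db, $tok, $t0 + 600) === 1);                  // 10 min idle: valid
assert(checkSession($db, $tok, $t0 + 600 + 1199) === 1);           // refreshed: still valid
assert(checkSession($db, $tok, $t0 + 600 + 1199 + 1201) === null); // >20 min idle: nulled
assert(checkSession($db, $tok, $t0 + 5000) === null);              // stays dead afterwards
if (PHP_SAPI !== 'cli') {
    setcookie('session_id', (string) $tok, sessionCookieOptions(time()));
}
echo "session expiry demo ok\n";
```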
#22 Streamweaver (Registered User), October 9th, 2003, 10:35 AM

Perfect sense, thanks so much.

#23 TinnyFusion (Registered User), October 18th, 2003, 07:53 PM

Question

Hi there, I wonder if you can explain to me where I may have gone wrong with your username & password script?

All the MySQL tables/data are set up OK and I can connect without any problems, but when I enter my e-mail address and password it just takes me to a blank screen.
It does not matter if the e-mail/password is correct or not, all I get is the blank screen, please help?

Here is my code:

Login.php
PHP Code:
<html>
<head><title>Login</title></head>
<body>
<form action="LoginAction.php" method="Post">
Email Address:<br />
<input type="Text" name="psEmail" />
<br />
Password:<br />
<input type="password" name="psPassword" />
<br />
<input type="submit" value="Login" />
<input type="hidden" name="psRefer" value="<? echo($refer) ?>"
</form>
</body>
</html>

LoginAction.php
PHP Code:
<?php
// Check if the information has been filled in
if($psEmail == '' || $psPassword == '') {
// No login information
header('Location: Login.php?refer='.urlencode($psRefer));
} else {
// Authenticate user
$hDB = mysql_connect('localhost', '*****', '*****');
mysql_select_db('auth', $hDB);
$sQuery = "
Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
From tblUsers
Where sEmail = '$psEmail'
And sPassword = password('$psPassword')";
$hResult = mysql_query($sQuery, $hDB);
if(mysql_num_rows($hResult)) {
$aResult = mysql_fetch_row($hResult);
// Update the user record
$sQuery = "
Update tblUsers
Set sGUID = '$aResult[1]'
Where iUser = $aResult[0]";
mysql_query($sQuery, $hDB);
// Set the cookie and redirect
setcookie("session_id", $aResult[1]);
if(!$psRefer) $psRefer = 'email.php';
header('Location: '.$psRefer);
} else {
// Not authenticated
header('Location: Login.php?refer='.urlencode($psRefer));
}
}
?>


incSession.php
PHP Code:
<?php
// Check for a cookie, if none go to login page
if(!isset($HTTP_COOKIE_VARS['session_id'])) {
header('Location: Login.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SERVER_VARS['QUERY_STRING']));
}
// Try to find a match in the database
$sGUID = $HTTP_COOKIE_VARS['session_id'];
$hDB = mysql_connect('localhost', '*****', '*****');
mysql_select_db('database', $hDB);
$sQuery = "
Select iUser
From tblUsers
Where sGUID = '$sGUID'";
$hResult = mysql_query($sQuery, $hDB);
if(!mysql_num_rows($hResult)) {
// No match for guid
header('Location: Login.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SERVER_VARS['QUERY_STRING']));
}
?>
index.php
PHP Code:
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="1;URL=http://********/Login.php">
</head>

<body bgcolor="#FFFFFF" text="#000000">

</body>
</html>

email.php (simply the page I want 'logged in' users to go to).
PHP Code:
<?PHP require('incSession.php'); ?>
<?php

$to_addr = '****@****.net';

if (isset($_REQUEST['submit'])) {
   $mail_body = 'Name: '.$_REQUEST['name'];
   $mail_body .= "\nEmail: ".$_REQUEST['email'];
   $mail_body .= "\nMessage: ".$_REQUEST['message'];
   mail($to_addr, 'Form Feedback', $mail_body);
   print "Thank you for the feedback.";
} else {
   print <<<_HTML_
<form method="POST" action="$_SERVER[PHP_SELF]">
<table>
   <tr><td>Name:</td><td><input type="text" name="name"></td></tr>
   <tr><td>Email:</td><td><input type="text" name="email"></td></tr>
   <tr><td>Message:</td><td><textarea name="message"></textarea></td></tr>
   <tr><td colspan="2"><input name="submit" type="submit"></td></tr>
</table>
</form>
_HTML_;
}

?>



I have setup a test account with the following information:

e-mail address/username: test@test.com
password: test
PHP Code:
INSERT INTO tblUsers Values
(
Null,
'test@test.com',
password('test'),
Null,
Null
);


Also did I replace the following correctly as I left the extra ) in (check the code to see what I mean here)...

mysql_affected_rows($hDB)

to

mysql_num_rows($hResult)

and finally, is this set correctly in my php.ini file (the folder does exist) as I think it may be having problems saving the session maybe:

session.save_path = "D:\Temp"


My Setup and other misc information:

Apache Server v2.0.47, PHP v4.3.3, MySQL v4.0.15, ActivePerl v5.8.0, and phpMyAdmin v2.5.4 are installed (all latest versions at time of this post).

Kind Regards and thank you in advance, TinnyFusion

#24 toffit (Registered User), October 20th, 2003, 01:22 PM

Hi, I have it to the point of writing a GUID, but it doesn't seem to want to make the cookie. I had got it writing a cookie with an extra value in the setcookie part, but it still won't log me onto the page, so I took it out and left it using yours. Are there any quick ideas that come to mind for a resolution?

Thank you so much! It is great that you are doing this, helping a lot of ppl; I take my hat off to you.

Thanks for anything you can help with


-------------

EDIT: Oh wow. After a day and a half looking at this darn thing I have done it! weeeeeeeeee at last. Great script, hopefully it will keep us more secure. Thanks so much for writing that tute.

(I had the sGUID='http cookie vars' bit under the query string. Doh! Put it above and all is right with the world! Finally I can go to bed. haha!)

Well, thankee. Budding coder 'tis me. Hopefully I can give something back one day!

All the merries!

#25 TinnyFusion (Registered User), October 21st, 2003, 01:40 AM

Unhappy

Well just so that everyone knows I have still NOT sorted my 'version' of the code out yet

Tell you what I am sure that I have had problems with cookies/sessions since the upgrade to the latest version of Apache2 as it is not just this script that has not worked... any suggestions to any changes in my httpd.conf / php.ini would be great etc...

P.S.

Quote:
(I had the sGUID='http cookie vars' bit under the query string. Doh! Put it above and all is right with the world! Finally I can go to bed. haha!)


As you can see mine is just the same as yours in this respect...

Where sGUID = '$sGUID'";
$hResult = mysql_query($sQuery, $hDB);

Someone, anyone, please help with this!

Regards, TinnyFusion

#26 toffit (Registered User), October 21st, 2003, 08:22 AM

OK, one or two things I put in were as follows:

in login.php, there was a bit missing from the hidden input. It needs to be: <input type="hidden" name="psRefer" value="<? echo($refer) ?>" />
----------
loginaction.php: $sQuery = "
Update tblUsers
Set sGUID = '$aResult[1]'
Where iUser = ' $aResult[0]' ";
------------------

Perhaps that will help. It did seem to help mine. Does it even enter anything into sGUID?

#27 TinnyFusion (Registered User), October 21st, 2003, 04:14 PM

Hi, I have made the changes you highlighted in your post but it still goes to a blank screen whenever I enter a correct/incorrect username & password.

I can enter data into the database tables as below shows, the test user has been entered without an issue.
In my php.ini I have the session directory set to D:\Temp but even when I enter the correct username & password nothing is written there?

# phpMyAdmin SQL Dump
# version 2.5.4
# http://www.phpmyadmin.net
#
# Host: localhost
# Generation Time: Oct 21, 2003 at 10:12 PM
# Server version: 4.0.15
# PHP Version: 4.3.3
#
# Database : `auth`
#

# --------------------------------------------------------

#
# Table structure for table `tblusers`
#

CREATE TABLE `tblusers` (
`iUser` int(10) unsigned NOT NULL auto_increment,
`sEmail` varchar(255) NOT NULL default '',
`sPassword` varchar(255) NOT NULL default '',
`sGUID` varchar(32) default NULL,
`sData` text,
PRIMARY KEY (`iUser`)
) TYPE=MyISAM AUTO_INCREMENT=4 ;

#
# Dumping data for table `tblusers`
#

INSERT INTO `tblusers` VALUES (1, 'test@test.com', '378b243e220ca493', NULL, NULL);

#28 JAgostoni (PHP Developer), November 15th, 2003, 02:00 PM

Sorry it's been so long since I have visited this thread, for some reason I stopped getting notifications on replies.

TinnyFusion, are you still having your problems? If so, zip up and attach the latest version of your code and I'll see if I can help!

Jason

#29 morris (Registered User), December 11th, 2003, 01:51 AM

Hi, I found your article very helpful. I used it to protect a medium-sized site I have.

Is there a way to use it with directories?

e.g. when I use the include it goes:

include 'incSessions.php'

and that works fine, but if I refer to it from a subdirectory and write the whole path:

include 'http://www.mysite.com/incSessions.php'

it doesn't work; it loads both the login page and the page you are trying to access.

Is there a specific reason why this occurs? Can it be solved?

#30 JAgostoni (PHP Developer), December 11th, 2003, 07:29 AM

I think the problem may be that when you do an include using HTTP, it runs the PHP script on the remote server under a different session. If you want to include the incSession.php file from a different subdir on the SAME server you will need to use one of the following:
- The REAL path (e.g. /home/you/public_html/subdir/subdir...)
- A relative path (e.g. includes/incSession.php)

See if that makes a difference
