User login (Authentication, Sessions, Cookies?)

Hi!

For now this question is worth 500 points, but I might end up using up to 1000 points for this question alone, but that would mean I would need this solved. So here's the deal. It will stay at 500, and when I find a suitable answer, I will hike it up to 1000.

Now, to start - I have spent almost 50 hours working on a project for my final year, and, considering I am a PHP newbie, I am making an awful lot of progress, but I am struggling with user login (authentication, sessions, cookies). Everything is depending on this, as different users have different access, depending on whether they have site admin, election official or voter status within the database tables.

I need the authentication method fixed. Either by cookies, sessions or whichever way is possible. From my code you will probably see what I am trying to do so making it work with minor changes to my code structure would be optimal.

I don't know how to present this question to you, as I can't paste my code here, as in total, with the database dump, my code will be over 80KB in size. I therefore need one person to commit to this question, and let us communicate directly via e-mail. My e-mail address is itbjdm (at) puk.ac.za for any interested parties... Those who need to contact me, must be willing to correct my roughly 80KB code to a working state, which should, for someone knowing PHP be a real breeze.

Regards,

Kobus
FolkLoreAsked:

FolkLoreAuthor Commented:
As a matter of fact, let's go straight to 1000 points. I will increase it to 1000 points regardless, because I have just realized that it could be something other than my code, for example, my Apache/PHP setup as well, even though everything seems to work well.

Regards,

Kobus
0
FolkLoreAuthor Commented:
Please, are there no takers for this? This is really urgent, as my deadline is approaching like a speeding bullet! Any assistance would be greatly appreciated!

Kobus
0
gnudiffCommented:
I don't know, if anybody has already perhaps contacted you, but if not, here would be my comments.

The available assistance would probably depend on how much you want to be done for you.

There is some additional info that would be helpful, in determining whether such a task is worth undertaking for free (expert points is nice, but what you say implies rather a lot more work than just answering a question).

So, could you please tell, when we talk authentication system:

1. Do you need user administration pages, too? Or are they perhaps done already and just need to be linked to an auth system? Or are you OK with manually managing the user account info in the db, or wherever it will be stored?

2. How granular do you need the access? user/group based? On pages, or on functionality?

Note, that I talk "need", not "want". The less you really need, the higher the chances someone will pick up a task. ;)

>> Those who need to contact me, must be willing to correct my roughly 80KB code to a working state, which should, for someone knowing PHP be a real breeze.

Hah. It is no slight to your code, for I haven't seen it, but generally sifting through other people's code is one of the least appealing tasks in development. And sometimes for good reasons too, see: http://thedailywtf.com/ for some amusement.
0

FolkLoreAuthor Commented:
Well, basically, my problem comes after logging in, when passing the login name and password over to other pages. Seems like a simple session issue, which could be a server setup issue as well. Here is the scenario:

1) index.php brings up welcome text, with a box on the left saying "login" or "register".
2) If you click on "register", a password is generated for you, and will eventually be mailed to you, for now displayed on screen.
3) If you have registered, you can click "log in", which brings up login.php
4) In login.php, you enter username and password.
5) If the username and password validate, it passes you back to index.php, which will now, supposedly, add another menu, to which only logged in users have access, to the left bar.
6) When moving back over to the index.php file, the values for username and password get lost.

To give you an example of how long it took me to try different approaches to try and solve the problem - to modify my code in all files took a mighty 5 minutes per try. Meaning, if you know what you're doing and you understand my code structure, you will be able to implement whatever you need within minutes. I just don't know how to do it.

My code is clean, well indented (even though a bit amateurish, as I am a PHP beginner) and understandable. Now and then you will see places where it can be optimized, but I don't require that. I just want the session variables to be passed over successfully.

To answer your questions:

1. Do I need administration pages? Well, there are certain pages that should only be accessible to people with the required rights. Those are my responsibility, and I have made several of them already. I just want to be able to link them to the auth system. For example (this should be in the menu, which I will add once the auth system works, with additional checks whether the requested function was not called from the address bar - if (user_access("voter"))... at the start of each restricted file),

if (user_access("voter")) {
   ...
}
elseif (user_access("official")) {
    ...
}
elseif (user...
...
...

I am not sure whether I understand your question's second part correctly. My user information is stored in the database. The webmaster can change status of a user to official, but otherwise, when they register, they are added as "voters". It is a table in my database, which will be manipulated via PHP on the page.

2. I have three groups. Voter, Official, Admin. My database table design provides for several users of each type, of which most will be voters. Voters may see these pages, admins may perform admin functions, officials may audit the election, blah blah. So, I guess the granularity would be on functionality, not pages. I am not looking for a highly secure system. Only something that will suffice for this project's needs. Students who vote may not access the admin pages, or unregistered students may not see election results. Simple as that - no additional security needed.

My code is not a serious 80KB, really. This is all the files in my directory, including a dump of my database tables. Here's what I will do: I will send the files to you if you provide me with a method to do so, and you can give them a quick glimpse, and should you not be willing to work on this, I will award you 50 points anyway for checking up to now. If you are willing to check the code, and fix the variable passing for me, I will award you the entire 1000 points, providing that it works after you changed it. I doubt you'd have to change much, really - I am just too inexperienced to find the problem.

How does that sound? Where can I send the code? You'll have to create the database from my dump, and also need web space(localhost should be fine - that's how I code as well) to actually run the project and see if the session variables carry over correctly. If it works on your side without you changing it, it means I had it correct all this time, but there is a problem with my configuration, however, I doubt that this is the case. I am pretty much sure my code is bogus as far as the sessions are concerned.

Regards

Kobus
0
FolkLoreAuthor Commented:
What I can do is upload the files somewhere and give you an FTP login so that you can download them if you wish? That is if you are a bit wary of giving out your e-mail address :)

Kobus
0
FolkLoreAuthor Commented:
For those of you who want to see what this is about, look at http://projek3.delighted.info

The problem is that you will see only a bit, as the admin pages are currently unavailable, because I can't pass the session variables properly! :(

Kobus
0
Oliver_DornaufCommented:
Why not use .htaccess and the remote user var from Apache?
0
FolkLoreAuthor Commented:
I have no idea what you're talking about. I am a beginner with web servers, php and mysql. Besides, I am developing on Windows, not sure there is even an .htaccess under the Windows version...

Kobus
0
FolkLoreAuthor Commented:
By the way - previously I was able to set the number of points a question was worth. I am now unable to increase this value. Am I stupid or something? I want to hike the points up to 1000.

Kobus
0
gnudiffCommented:
Max points for a single question is now 500 I think.
If you want to give more for the answer, just open another question and say that it is for the person who gave you answer to the other question. Dunno if it is allowed by EE rules - check first.

As regards your question.
I am sorry, I misread you originally - I thought you didn't have any auth system in place, and wanted someone to make one for you. :)

I would stick to session based authentication, although what Oliver_Dornauf says I would even call a better solution. However, modifying .htaccess and relying on the server instead of PHP to do your authentication, while proper, can sometimes be undesirable.

As regards session based authentication, the mechanism which would work would be something like this:

- Have a global PHP include file included in all your pages and which does not send ANY output to the user. Called eg. conf.inc.php . It is always a good idea to have something like that. You probably have it already.
Put a " session_start(); " in it somewhere in the beginning.

- In that file include another file called something like security.inc.php, which should do the following:

check if a session "user" variable is set (means user is logged on).
if not, and the requested page is not the login page -> redirect user to login page.
else let page go on.

-- security.inc.php:
<?php
   
   // don't remember the script checking by heart, might need a bit different syntax on $_SERVER:
   // (assumes session_start() already ran in conf.inc.php before this file is included)
    if (empty($_SESSION['user']) && $_SERVER['PHP_SELF'] != '/login.php')
     {
         header('Location: /login.php');
         exit; // stop here so the protected page body is never sent after the redirect
      }
?>

In the login.php page there should be eg. a  self-submitting form like this:

<?php
    if (isset($_REQUEST['action']) && $_REQUEST['action'] == "login")
     {
         // HERE should check if $_REQUEST["login"] & $_REQUEST["pass"] match a user in the db,
         // and get back the user's access level (Voter / Official / Admin) from the same query.
         // lookup_user_access() is only a placeholder name for that database check:
         // it should return the access level on success and false on an invalid login.
          $access = lookup_user_access($_REQUEST["login"], $_REQUEST["pass"]);
          if ($access !== false)
          {
              $_SESSION["user"] = $_REQUEST["login"];
               $_SESSION["access"] = $access;
               header("Location: /index.php");
                exit; // nothing after a redirect should run
          }
          // give some error message about invalid login here
     }

?>
<form method="POST">
<input type="hidden" name="action" value="login" />
Login: <input name="login" type="text" />
Password: <input name="pass" type="password" />
</form>


And, if you need some pages to be available only for Admins or Officials,
just put a check in front of them:

<?php
    require_once('conf.inc.php'); // your sitewide config file that includes also user auth
    if (empty($_SESSION['access']) || $_SESSION['access'] !== 'Admin')
      {
             header("Location: /access_denied_page.php");
             exit;
       }
?>
....

0
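The mechanism gnudiff describes above (session started in a shared include, identity and access level stored in `$_SESSION` at login, a check at the top of each restricted page), pulled together into one runnable file as an added example. This is not code from the thread or from Kobus's project: `start_secure_session`, `lookup_user_access`, `login`, `user_access` and `require_access` are names chosen here, and the `$USERS` array with its three constructed accounts stands in for the MySQL users table the question mentions.

```php
<?php
// Added example (not from the thread): session-based login with the three
// access levels from the question (Voter / Official / Admin).
// $USERS is a constructed stand-in for the users table; the hashes are
// generated at load time so the file runs stand-alone.
$USERS = [
    'alice' => ['hash' => password_hash('alice-pass', PASSWORD_DEFAULT), 'access' => 'Voter'],
    'bob'   => ['hash' => password_hash('bob-pass',   PASSWORD_DEFAULT), 'access' => 'Official'],
    'carol' => ['hash' => password_hash('carol-pass', PASSWORD_DEFAULT), 'access' => 'Admin'],
];

// conf.inc.php equivalent: start the session before any output is sent.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                     // JavaScript cannot read the cookie
        'samesite' => 'Lax',                    // not sent on cross-site POSTs
        'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when the site is served over TLS
    ]);
    session_start();
}

// Stand-in for the database lookup: returns the access level for a valid
// login, or null when the user is unknown or the password does not match.
// Only the hash is stored, never the plaintext password.
function lookup_user_access(array $users, string $login, string $pass): ?string
{
    if (!isset($users[$login])) {
        return null;
    }
    return password_verify($pass, $users[$login]['hash']) ? $users[$login]['access'] : null;
}

// login.php equivalent: on success, store identity and access level in the
// session and rotate the session id so the pre-login id is not kept.
function login(array $users, string $login, string $pass): bool
{
    $access = lookup_user_access($users, $login, $pass);
    if ($access === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']   = $login;
    $_SESSION['access'] = $access;
    return true;
}

// Same idea as the user_access("voter") check from the question: true when a
// user is logged in and their access level is one of the given ones.
function user_access(string ...$allowed): bool
{
    return !empty($_SESSION['user'])
        && in_array($_SESSION['access'] ?? '', $allowed, true);
}

// Put at the top of a restricted page: redirects to login.php or the
// access-denied page and stops, so the page body is never sent.
function require_access(string ...$allowed): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
    if (!user_access(...$allowed)) {
        header('Location: /access_denied_page.php');
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// index.php-style usage: handle the self-submitting login form, then show
// the extra menu only to logged-in users.
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'login') {
    if (login($USERS, $_POST['login'] ?? '', $_POST['pass'] ?? '')) {
        header('Location: /index.php');
        exit;
    }
    echo 'Invalid login';
}
if (user_access('Voter', 'Official', 'Admin')) {
    echo 'Welcome, ' . htmlspecialchars($_SESSION['user']);
}
// An admin-only page would instead begin with: require_access('Admin');
```

The access check compares against the value stored server-side in the session, never against anything the browser sends back, which is what makes the per-page gate meaningful; the `exit` after each `header('Location: ...')` matters because PHP keeps executing after a redirect header unless told to stop.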

gnudiffCommented:
sorry, as I am in a bit of a hurry, there are several errors.
like case-mixing on $_SESSION vars, and "Loctation" instead of "Location". Read with care. :)
0
FolkLoreAuthor Commented:
gnudiff,

Thanks for your input. I will see what I can do about this tonight. Once I make any progress, I will post it here.

As for the maximum number of points, I will most certainly have more questions later on, and will then award the additional 500 points there, I think :)

I'll keep you posted, thanks!

Kobus
0
FolkLoreAuthor Commented:
gnudiff,

Using your suggestions and also some other sources of reading, I managed to get the sessions correct. One thing is for sure - I'll never forget that again! Thanks for your help!

Kobus
0