Solved

User login (Authentication, Sessions, Cookies?)

Posted on 2004-10-31
200 Views
Last Modified: 2008-03-03
Hi!

For now this question is worth 500 points, but I might end up using up to 1000 points for this question alone; that would, however, mean I would need this solved. So here's the deal. It will stay at 500, and when I find a suitable answer, I will hike it up to 1000.

Now, to start - I have spent almost 50 hours working on a project for my final year, and, considering I am a PHP newbie, I am making an awful lot of progress, but I am struggling with user login (authentication, sessions, cookies). Everything depends on this, as different users have different access, depending on whether they have site admin, election official or voter status within the database tables.

I need the authentication method fixed. Either by cookies, sessions or whichever way is possible. From my code you will probably see what I am trying to do so making it work with minor changes to my code structure would be optimal.

I don't know how to present this question to you, as I can't paste my code here: in total, with the database dump, my code will be over 80KB in size. I therefore need one person to commit to this question, and let us communicate directly via e-mail. My e-mail address is itbjdm (at) puk.ac.za for any interested parties... Those who need to contact me must be willing to correct my roughly 80KB of code to a working state, which should, for someone who knows PHP, be a real breeze.

Regards,

Kobus
0
Question by:FolkLore
    13 Comments
     

    Author Comment

    by:FolkLore
    As a matter of fact, let's go straight to 1000 points. I will increase it to 1000 points regardless, because I have just realized that it could be something other than my code, for example, my Apache/PHP setup as well, even though everything seems to work well.

    Regards,

    Kobus
    0
     

    Author Comment

    by:FolkLore
    Please, are there no takers for this? This is really urgent, as my deadline is approaching like a speeding bullet! Any assistance would be greatly appreciated!

    Kobus
    0
     
    LVL 3

    Expert Comment

    by:gnudiff
I don't know if anybody has perhaps already contacted you, but if not, here are my comments.

    The available assistance would probably depend on how much you want to be done for you.

There is some additional info that would be helpful in determining whether such a task is worth undertaking for free (expert points are nice, but what you say implies rather a lot more work than just answering a question).

So, could you please tell me, when we talk about an authentication system:

    1. Do you need user administration pages, too? Or are they perhaps done already and just need to be linked to an auth system? Or are you OK with manually managing the user account info in the db, or wherever it will be stored?

    2. How granular do you need the access? user/group based? On pages, or on functionality?

Note that I say "need", not "want". The less you really need, the higher the chances someone will pick up the task. ;)

    >> Those who need to contact me, must be willing to correct my roughly 80KB code to a working state, which should, for someone knowing PHP be a real breeze.

Hah. It is no slight to your code, for I haven't seen it, but generally sifting through other people's code is one of the least appealing tasks in development. And sometimes for good reasons too, see: http://thedailywtf.com/ for some amusement.
    0
     

    Author Comment

    by:FolkLore
Well, basically, my problem comes after logging in, with passing the login name and password over to other pages. Seems like a simple session issue, which could be a server setup issue as well. Here is the scenario:

    1) index.php brings up welcome text, with a box on the left saying "login" or "register".
    2) If you click on "register", a password is generated for you, and will eventually be mailed to you, for now displayed on screen.
    3) If you have registered, you can click "log in", which brings up login.php
    4) In login.php, you enter username and password.
5) If the username and password validate, it passes you back to index.php, which will now, supposedly, add another menu, to which only logged-in users have access, to the left bar.
6) When moving back over to the index.php file, the values for username and password get lost.

To give you an example of how long it took me to try different approaches to solve the problem - modifying my code in all files took a mighty 5 minutes per try. Meaning, if you know what you're doing and you understand my code structure, you will be able to implement whatever you need within minutes. I just don't know how to do it.

My code is clean, well indented (even though a bit amateurish, as I am a PHP beginner) and understandable. Now and then you will see places where it can be optimized, but I don't require that. I just want the session variables to be passed over successfully.

    To answer your questions:

1. Do I need administration pages? Well, there are certain pages that should only be accessible to people with the required rights. Those are my responsibility, and I have made several of them already. I just want to be able to link them to the auth system. For example (this should be in the menu, which I will add once the auth system works, with additional checks whether the requested function was not called from the address bar - if (user_access("voter")) ... at the start of each restricted file):

if (user_access("voter")) {
   ...
}
elseif (user_access("official")) {
    ...
}
elseif (user...
...
...

    I am not sure whether I understand your question's second part correctly. My user information is stored in the database. The webmaster can change status of a user to official, but otherwise, when they register, they are added as "voters". It is a table in my database, which will be manipulated via PHP on the page.

2. I have three groups. Voter, Official, Admin. My database table design provides for several users of each type, of which most will be voters. Voters may see these pages, admins may perform admin functions, officials may audit the election, blah blah. So, I guess the granularity would be on functionality, not pages. I am not looking for a highly secure system. Only something that will suffice for this project's needs. Students who vote may not access the admin pages, or unregistered students may not see election results. Simple as that - no additional security needed.

My code is not a serious 80KB, really. This is all the files in my directory, including a dump of my database tables. Here's what I will do: I will send the files to you if you provide me with a method to do so, and you can give them a quick glimpse, and should you not be willing to work on this, I will award you 50 points anyway for checking up to now. If you are willing to check the code, and fix the variable passing for me, I will award you the entire 1000 points, providing that it works after you changed it. I doubt you'd have to change much, really - I am just too inexperienced to find the problem.

    How does that sound? Where can I send the code? You'll have to create the database from my dump, and also need web space(localhost should be fine - that's how I code as well) to actually run the project and see if the session variables carry over correctly. If it works on your side without you changing it, it means I had it correct all this time, but there is a problem with my configuration, however, I doubt that this is the case. I am pretty much sure my code is bogus as far as the sessions are concerned.

    Regards

    Kobus
    0
     

    Author Comment

    by:FolkLore
What I can do is upload the files somewhere and give you an FTP login so that you can download them if you wish? That is, if you are a bit wary of giving out your e-mail address :)

    Kobus
    0
     

    Author Comment

    by:FolkLore
    For those of you who want to see what this is about, look at http://projek3.delighted.info

    The problem is that you will see only a bit, as the admin pages are currently unavailable, because I can't pass the session variables properly! :(

    Kobus
    0
     
    LVL 4

    Expert Comment

    by:Oliver_Dornauf
Why not use .htaccess and use the remoteuser var from Apache?
    0
     

    Author Comment

    by:FolkLore
    I have no idea what you're talking about. I am a beginner with web servers, php and mysql. Besides, I am developing on Windows, not sure there is even an .htaccess under the Windows version...

    Kobus
    0
     

    Author Comment

    by:FolkLore
    By the way - previously I was able to set the number of points a question was worth. I am now unable to increase this value. Am I stupid or something? I want to hike the points up to 1000.

    Kobus
    0
     
    LVL 3

    Accepted Solution

    by:
    Max points for a single question is now 500 I think.
    If you want to give more for the answer, just open another question and say that it is for the person who gave you answer to the other question. Dunno if it is allowed by EE rules - check first.

    As regards your question.
    I am sorry, I misread you originally - I thought you didn't have any auth system in place, and wanted someone to make one for you. :)

I would stick to session based authentication, although what Oliver_Dornauf says I would even call a better solution. However, modifying .htaccess and relying on the server instead of PHP to do your authentication, while proper, can sometimes be undesirable.

    As regards session based authentication, the mechanism which would work would be something like this:

- Have a global PHP include file, included in all your pages, which does not send ANY output to the user. Called e.g. conf.inc.php. It is always a good idea to have something like that. You probably have it already.
    Put a " session_start(); " in it somewhere in the beginning.

    - In that file include another file called something like security.inc.php, which should do the following:

    check if a session "user" variable is set (means user is logged on).
    if not, and the requested page is not the login page -> redirect user to login page.
    else let page go on.

-- security.inc.php:
<?php
    // Logged-on users have $_SESSION['user'] set by login.php (same case everywhere!).
    // Use exit, not return: header() only sends the redirect; a return from an
    // included file would let the rest of the restricted page be sent anyway.
    if (empty($_SESSION['user']) && $_SERVER['PHP_SELF'] != '/login.php')
    {
        header('Location: /login.php');
        exit;
    }
?>

In the login.php page there should be e.g. a self-submitting form like this:

<?php
    require_once('conf.inc.php'); // starts the session; must not send any output before header()

    if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'login')
    {
        // HERE: check that $_REQUEST['login'] and $_REQUEST['pass'] match a user in the db,
        // and read that user's access level (Voter / Official / Admin) back into $access.
        if ($valid_login)
        {
            $_SESSION['user']   = $_REQUEST['login'];
            $_SESSION['access'] = $access;
            header('Location: /index.php');
            exit;
        }
        // give some error message about invalid login here
    }
?>
<form method="POST">
<input type="hidden" name="action" value="login" />
Login: <input name="login" type="text" />
Password: <input name="pass" type="password" />
<input type="submit" value="Log in" />
</form>


    And, if you need some pages to be available only for Admins or Officials,
    just put a check in front of them:

<?php
    require_once('conf.inc.php'); // your sitewide config file that also includes user auth
    if (empty($_SESSION['access']) || $_SESSION['access'] != 'Admin')
    {
        header('Location: /access_denied_page.php');
        exit;
    }
?>
    ....

    0
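The mechanism gnudiff describes above (session started in a no-output include, a login page that stores the user and access level in the session, a check at the top of each restricted page) and the login flow FolkLore laid out, put together as one working include. This is an added example, not code from either participant or from the project. It assumes a `users` table with `login`, `pass_hash` and `access` columns and a PDO handle `$db` created in conf.inc.php; those names are made up here. It also uses password_hash(), password_verify(), session_regenerate_id() and the array form of session_set_cookie_params(), which need PHP 7.3 or later and did not exist in the PHP 4 of the original thread. Two points the thread's sketch leaves out: the redirect must be followed by exit (a return from an included file does not stop the page that included it), and the session ID should be regenerated at login so a session ID handed to the victim before login does not become a logged-in session.

```php
<?php
// auth.inc.php: include from conf.inc.php before anything is echoed.
// Added example for this thread; table/column names and $db are assumptions.

// Session ID only in a cookie (never ?PHPSESSID= in URLs) and hidden from JavaScript.
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Assumed schema: users(login VARCHAR, pass_hash VARCHAR, access ENUM('voter','official','admin'))
// register.php would store the generated password as password_hash($pw, PASSWORD_DEFAULT).
function auth_login(PDO $db, string $login, string $pass): bool
{
    $stmt = $db->prepare('SELECT login, pass_hash, access FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares in constant time; unknown users fail the same way.
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }

    // New session ID on privilege change: an ID planted before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user']   = $row['login'];
    $_SESSION['access'] = $row['access'];   // 'voter' | 'official' | 'admin'
    return true;
}

function auth_logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// The check FolkLore sketched: if (user_access("voter")) { ... }
// Exact-match roles, as in the thread; no implied hierarchy between the three groups.
function user_access(string $role): bool
{
    return isset($_SESSION['user'], $_SESSION['access'])
        && $_SESSION['access'] === strtolower($role);
}

// First statement of every restricted page. exit, not return: header() only sends a
// redirect, and a client that ignores it would otherwise receive the rest of the page.
function require_access(string $role, string $denied = '/login.php'): void
{
    if (!user_access($role)) {
        header('Location: ' . $denied);
        exit;
    }
}

/* Usage (assumed file names, form fields "login" and "pass" as in gnudiff's form):

   login.php:
   require_once 'conf.inc.php';          // includes auth.inc.php, creates $db
   if (($_POST['action'] ?? '') === 'login') {
       if (auth_login($db, $_POST['login'] ?? '', $_POST['pass'] ?? '')) {
           header('Location: /index.php');
           exit;
       }
       $error = 'Invalid login';          // show this in the form below
   }

   admin.php:
   require_once 'conf.inc.php';
   require_access('admin');              // officials and voters are redirected
*/
```

The role strings are compared with `===` after lower-casing the requested role, so the value stored in the database must already be lower-case; a mixed-case `Admin` row would fail every check rather than silently pass.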
     
    LVL 3

    Expert Comment

    by:gnudiff
    sorry, as I am in a bit of a hurry, there are several errors.
    like case-mixing on $_SESSION vars, and "Loctation" instead of "Location". Read with care. :)
    0
     

    Author Comment

    by:FolkLore
    gnudiff,

    Thanks for your input. I will see what I can do about this tonight. Once I make any progress, I will post it here.

As for the maximum number of points, I will most certainly have more questions later on, and will then award the additional 500 points there, I think :)

    I'll keep you posted, thanks!

    Kobus
    0
     

    Author Comment

    by:FolkLore
    gnudiff,

    Using your suggestions and also some other sources of reading, I managed to get the sessions correct. One thing is for sure - I'll never forget that again! Thanks for your help!

    Kobus
    0
