HTTP Authentication

Hi,

I am having a problem with my newly added authorization. I am asked to supply credentials to enter the site (which I want), but it appears to require me to supply them again somewhere between lines 24 and 44 (which I do not want). Also, when asked for the credentials a second time, it will not accept the credentials entered. Any help would be appreciated. Thank you.
<?php
 //authorization
 require_once('authvars.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
    <title>TCV Path</title>
  <link href="tcvpath.css" rel="stylesheet" type="text/css">
  </head>
	<body>
	 <p><img src="transconlogo12-12_jkqn" alt="Transcontinental Valuations logo." height="80" width="396" /></p>
<?php
	if(isset($_POST['submit'])){
		$output_form=false;
		if(empty($search_criteria)){
		echo 'no TC number entered.<br />';
		$output_form=true;
		}
		} 
	else {
		$output_form=true;
		}
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <?php

require_once('connvars.php');

  
 $dbc=mysqli_connect(db_host,db_user,db_password,db_name)or die('Error connecting to MySQL server.');

  $search_criteria=$_POST['searchcriteria'];
   $query="Select * from job where tc_number='$search_criteria'";
   $result=mysqli_query($dbc,$query) or die($query.mysqli_error($dbc)); // mysqli_error(), not mysql_error(): the error belongs to the mysqli connection
  while ($row=mysqli_fetch_array($result)){
    $row['job_id'];

$text = $row['tc_number'];

$link = 'propinsp.php?job_id='.$row['job_id'].'&amp;tc_number='.$row['tc_number'].'&amp;prop_addr_1='.$row['prop_addr_1'].'&amp;prop_city=' . $row['prop_city'].'&amp;prop_state=' . $row['prop_state'].'&amp;prop_county='.$row['prop_county'].'&amp;prop_zip='.$row['prop_zip'];


    echo "<a href='$link'>$text</a>";

} 
?>
  </h4>
<div id="search">
Enter TC Number<input class="searchtext" id="searchcriteria" name="searchcriteria" value="" /><input class="headerSubmit" id="go" name="go" value="Go" type="submit" />
</div>

<div id="nav">
<ul id="headerNav">
<li><a href="manualentry.php" title="manualentry">Job Entry</a></li>
<li><a href="pending.php" title="Pending">Pending</a></li>
<li><a href="pendingreview.php" title="Pending">Pending Review</a></li>
<li><a href="completed.php" title="Completed">Completed</a></li>
<li><a href="supporttables.php" title="supporttables">Support Tables</a></li>
<li class="headerRight"><a href="/logout" title="Logout">Logout</a></li>
</ul>
</div>
</form>
</body>
</html>


rcowen00Asked:

hieloCommented:
are you creating session variables? If yes, you are not calling session_start!
What is in authvars.php and connvars.php?  On what you posted, nothing seems to indicate that you are being asked to authenticate more than once.
0
rdivilbissCommented:
Don't reinvent the wheel.  http://www.experts-exchange.com/articles/Web_Development/Miscellaneous/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html

Also you have unfiltered input on line 33: $search_criteria=$_POST['searchcriteria'];
which opens you to a SQL injection on line 34.

Regards,
Rod
0
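The injection Rod points out sits on the asker's lines `$search_criteria=$_POST['searchcriteria'];` and `Select * from job where tc_number='$search_criteria'`. The following is an added example, written by the editor and not taken from the thread or from the EE login system, showing the posted pattern next to the prepared-statement form; it assumes the `job` table and columns from the asker's page, the `db_*` constants from the posted connvars.php, and a mysqli connection `$dbc`.

```php
<?php
// Added example (editor's code, not from the thread or the EE login system).
// Assumes the job table and columns shown in the asker's page, and the
// db_* constants from the posted connvars.php.
require_once 'connvars.php';
$dbc = mysqli_connect(db_host, db_user, db_password, db_name)
    or die('Error connecting to MySQL server.');

// As posted: the raw POST value becomes part of the SQL text, so a quote
// character in it ends the string literal and the rest is parsed as SQL.
function search_jobs_vulnerable(mysqli $dbc, string $search_criteria): array
{
    $query  = "SELECT * FROM job WHERE tc_number='$search_criteria'";
    $result = mysqli_query($dbc, $query) or die(mysqli_error($dbc));
    return mysqli_fetch_all($result, MYSQLI_ASSOC);
}

// Fixed: the value is bound as a parameter and is never parsed as SQL.
function search_jobs(mysqli $dbc, string $search_criteria): array
{
    $sql = 'SELECT job_id, tc_number, prop_addr_1, prop_city, prop_state,
                   prop_county, prop_zip
            FROM job WHERE tc_number = ?';
    $stmt = mysqli_prepare($dbc, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($dbc));
    }
    mysqli_stmt_bind_param($stmt, 's', $search_criteria);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// The link the page builds from each row: URL-encode the query values and
// HTML-escape what is echoed, which the posted string concatenation skips.
function job_link(array $row): string
{
    $cols = ['job_id', 'tc_number', 'prop_addr_1', 'prop_city',
             'prop_state', 'prop_county', 'prop_zip'];
    $params = [];
    foreach ($cols as $col) {
        $params[$col] = (string) ($row[$col] ?? '');
    }
    $href = 'propinsp.php?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($params['tc_number'], ENT_QUOTES, 'UTF-8') . '</a>';
}

// Usage mirroring the posted form: query only when a TC number was submitted.
$criteria = trim((string) ($_POST['searchcriteria'] ?? ''));
if ($criteria === '') {
    echo "no TC number entered.<br />\n";
} else {
    foreach (search_jobs($dbc, $criteria) as $row) {
        echo job_link($row), "<br />\n";
    }
}
```

`mysqli_stmt_get_result()` and `mysqli_fetch_all()` need the mysqlnd driver, which is the default on current PHP builds; the fix itself is the `?` placeholder plus `mysqli_stmt_bind_param()`, and escaping the output is a separate concern from the SQL fix.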
rcowen00Author Commented:
rdivilbiss,  
Thanks for the recommendation for the login system.  I have been working on getting it up and running.  I have been successful in working through some errors I am getting, but these final three have me stumped.  Any suggestions?  I have included the login.php.
 
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transconvalue/html/login_system/connvars.php:9) in /home/content/t/r/a/transconvalue/html/login_system/include/login.php on line 11

Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transconvalue/html/login_system/connvars.php:9) in /home/content/t/r/a/transconvalue/html/login_system/include/login.php on line 12

Fatal error: Call to undefined function li_checkForLocked() in /home/content/t/r/a/transconvalue/html/login_system/include/login.php on line 120

<?PHP
/*******************************************************************************************************************
* Page Name: Login
* Last Modification: 19 APR 2010 rdivilbiss
* Version:  alpha 0.1a Debug Version
* On Entry: check for destination, $_SESSION["login"], and for SSL state
* Input   : userid, password
* Output  : message, possible logging of login
* On Exit : continuation link
******************************************************************************************************************/
header("Pragma: No-cache");
header("Cache-control: No-cache");
/*******************************************************************************************************************
* Declare all page variables and initialize their default values
*******************************************************************************************************************/

$dbMsg="";
$redirected="";
$destination="";
$password="";
$passhash="";
$userid="";
$useridValue="";
$name="";
$remember="";
$message= lg_term_please_login;
$ip = $_SERVER["REMOTE_ADDR"];
$date = dbNow();
$useragent = htmlentities(substr($_SERVER["HTTP_USER_AGENT"],1,255));
$locked="";

if ($_SERVER["REQUEST_METHOD"]!="POST") {
	if (lg_debug) { $dbMsg .= "METHOD GET<br />\n"; }
	/*******************************************************************************************************************
	* On entry determine if we have a destination page
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "Checking for destination parameter <br />\n"; }
	$destination = getField("p,urlpath,get");
	if ($destination=="") {
		$destination = lg_success_page;
		if (lg_debug) { $dbMsg .= "Destination = ".$destination." <br />\n"; }
	}
	
	
	/*******************************************************************************************************************
	* If already logged on, redirect
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "Checking for session login <br />\n"; }
	if (isset($_SESSION["login"])) {
		if ($_SESSION["login"]) {
			if (lg_debug) { $dbMsg .= "Session login = ".$_SESSION["login"]." <br />\n"; }
			if (lg_useSSL) {
				if (lg_debug) { $dbMsg .= "Use SSL is True <br />\n"; }
				header("Location: https://". lg_domain_secure . lg_loginPath . $destination);
			}else{
				if (lg_debug) { $dbMsg .= "Use SSL is False <br />\n"; }
				header("Location: http://". lg_domain . lg_loginPath . $destination);
			}
		}
	}
	
	/*******************************************************************************************************************
	* Is login state saved in the user's cookies? If so log user in
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "Checking for cookie <br />\n"; }
	if (isset($_COOKIE["user"])) {
		/*******************************************************************************************************************
		* Is the userid or IP locked out?
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Has cookie but checking for loginAttempt lock out <br />\n"; }
		li_checkForLocked($ip,$_COOKIE["user"],$dbResults);
		if ($dbResults["locked"]==1) {
			header("Location: http://". lg_domain . lg_forbidden);
		}
		if (lg_debug) { $dbMsg .= "Has Cookie and not locked out <br />\n"; }
			
		/*******************************************************************************************************************
		* Lookup user's name and locked from users table
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Looking up name in database <br />\n"; }
		li_getName($_SESSION["userid"],$dbResults);
		
		$name = $dbResults["name"];
		if ($dbResults["locked"]==1) {
			header("Location: http://". lg_domain . lg_forbidden);
		}
		session_regenerate_id(true); // anti-session fixation
		$_SESSION["name"]=$name; // the variable looked up above, not an undefined constant
		if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }

		/*******************************************************************************************************************
		* Not locked out, login via cookie
		*******************************************************************************************************************/
		$_SESSION["login"]=true;
		$_SESSION["userid"]=$_COOKIE["user"];
		if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
		if (lg_debug) { $dbMsg .= "Session userid = ".$_SESSION["userid"]." <br />\n"; }
					
		/*******************************************************************************************************************
		* If we are logging user authentications, write to the logins table
		*******************************************************************************************************************/
		if (lg_log_logins) {
			if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
			if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
			if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
			if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
			if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
			li_logLogin($date,$userid,$ip,$useragent);
		}
		
		/*******************************************************************************************************************
		* Logged in, redirect
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Logged in redirecting to https://". lg_domain . lg_loginPath . $destination." <br />\n"; }
		header("Location: https://" . lg_domain . lg_loginPath . $destination);
	}else{
		/*******************************************************************************************************************
		* No cookie but IP could be locked out.
		*******************************************************************************************************************/
		li_checkForLocked($ip,'',$dbResults);
		if ($dbResults["locked"]==1) {
			header("Location: http://". lg_domain . lg_forbidden);
			exit();
		}
		/*******************************************************************************************************************
		* Not locked out but need to create loginAttempt record
		*******************************************************************************************************************/
		li_createLoginAttempt($date, $ip);
	
		/*******************************************************************************************************************
		* NOT LOGGED IN: If SSL required and not using SSL, redirect to https
		*******************************************************************************************************************/
		if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
			if (lg_debug) { $dbMsg .= "Not logged in: redirected to https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
			header("Location: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination);
		}
	}	
}else{
	/*******************************************************************************************************************
	* The form was posted, process the form
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "POST - Process fields <br />\n"; }
	//checkToken();
	$message = "";
	$password = getField("password,safe");
	$userid = getField("userid,safe");
	$remember = getField("remember,alpha"); // Yes or empty
	$destination = getField("destination,urlpath");       // saved final destination
	if (lg_debug) { $dbMsg .= "POSTED password = ".$password." <br />\n"; }
	if (lg_debug) { $dbMsg .= "POSTED userid = ".$userid." <br />\n"; }
	if (lg_debug) { $dbMsg .= "POSTED remember = ".$remember." <br />\n"; }
	if ($userid=="") {
		$message .= lg_phrase_userid_empty . "<br />\n";
	}else{
		$useridValue = htmlentities($userid);
		if (lg_debug) { $dbMsg .= "htmlentities userid = ".$useridValue." <br />\n"; }
	}
	if ($password=="") {
		$message .= lg_phrase_password_empty . "<br />\n";
	}
	if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
	if ($message=="") {
		/*******************************************************************************************************************
		* If all required fields exist, attempt to autenticate the credentials
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Looking up login details from database <br />\n"; }
		li_getLoginDetails($userid, $dbResults);
		$passhash = $dbResults["password"];
		$name = $dbResults["name"];
		$locked = (string) $dbResults["locked"];
		if (lg_debug) { $dbMsg .= "Calculated Passhash = ".sha1($password . $userid)."<br />\n"; }
		if (lg_debug) { $dbMsg .= "Database Passhash   = ".$passhash." <br />\n"; }
		if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }
		if (lg_debug) { $dbMsg .= "Locked = ".$locked." <br />\n"; }
		if ($locked!="1") {
			if (lg_debug) { $dbMsg .= "Account Not Locked <br />\n"; }
			if ($passhash==sha1($password . $userid)) {
				if (lg_debug) { $dbMsg .= "Passhash matches password <br />\n"; }
				/*******************************************************************************************************************
				* If credential are valid log the user in
				*******************************************************************************************************************/
				session_regenerate_id(true); // anti-session fixation
				$_SESSION["login"]=true;
				$_SESSION["userid"]=$userid;
				$_SESSION["name"]=$name;
				if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
				if (lg_debug) { $dbMsg .= "Session userid set to ".$userid." <br />\n"; }
				if (lg_debug) { $dbMsg .= "Session name set to ".$name." <br />\n"; }
				
				/*******************************************************************************************************************
				* If the user wishes to have authentication remembered, write the permanent cookies
				*******************************************************************************************************************/
				if (lg_debug) { $dbMsg .= "lg_term_remember = ".lg_term_remember." <br />\n"; }
				if (lg_debug) { $dbMsg .= "getField remember = ".getField("remember")." <br />\n"; }
				if ((lg_term_remember) AND (getField("remember")=="Yes")) {
					if (lg_debug) { $dbMsg .= "Setting cookie user <br />\n"; }
					setcookie("user", $userid, time()+31536000); // 1 Year; the GET branch reads this cookie back as the userid
				}
			
				/*******************************************************************************************************************
				* If we are logging user authentications, write to the logins table
				*******************************************************************************************************************/
				if (lg_log_logins) {
					if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
					if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
					if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
					if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
					if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
					li_logLogin($date,$userid,$ip,$useragent);
				}
				
				/*******************************************************************************************************************
				* Delete the login attempt record
				*******************************************************************************************************************/
				li_deleteLoginAttempt($ip, $userid); // the values initialised at the top of this page
				
				/*******************************************************************************************************************
				* Logged in, redirect
				*******************************************************************************************************************/
				if (lg_debug) { $dbMsg .= "Logged In::Redirect <br />\n"; }
				if (lg_debug) { $dbMsg .= "Use SSL = ".lg_useSSL." <br />\n"; }
				if (lg_debug) { $dbMsg .= "Server Port Secure = ".$_SERVER["SERVER_PORT_SECURE"]." <br />\n"; }
				if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
					if (lg_debug) { $dbMsg .= "REDIRECTING TO: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
					header("Location: https://" . lg_domain . lg_loginPath . $destination);
				}else{
					if (lg_debug) { $dbMsg .= "REDIRECTING TO: http://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
					header("Location: http://" . lg_domain . lg_loginPath . $destination);
				}
			}else{
				$message = lg_phrase_login_error;
				if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
			}
		}else{
			$message = lg_phrase_login_error_token;
			if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
		}		
		
	}
	if ($message!="") { // failed login attempt for one of several reasons.
  		if (lg_debug) { $dbMsg .= "getLoginAttemptRecord: IP = ".$ip." UserId = ".$userid." <br />\n"; }
		li_getLoginAttemptRecord($ip, $userid, $dbResults);
		$id = $dbResults["id"];
		$laNumber = $dbResults["number"]+1;
		
		if (lg_debug) { $dbMsg .= "ID = ".$id."<br />\n"; }
		//if (lg_debug) { $dbMsg .= "db Number = ".$dbResults["number"]."<br />\n"; }
		if (lg_debug) { $dbMsg .= "iaNumber = ". $laNumber ."<br />\n"; }
		if ($laNumber >= lg_login_attempts) {
			/*******************************************************************************************************************
			* Lock the account and redirect to forbidden
			*******************************************************************************************************************/
			$locked = "1";
			li_lockLoginAttemtpt($locked,$laNumber,$id);
			if (lg_debug) { $dbMsg .= "Lock Login Attempt: ID = " . $id ." Number = ". $laNumber. " numAffected = ". $numAffected ."<br />\n"; }
			if (!lg_debug) { 
				header("Location: http://". lg_domain . lg_forbidden);
				exit();
			}	
		}else{	
		/*******************************************************************************************************************
		* Update the login attempt record
		*******************************************************************************************************************/
			li_updateLoginAttempt($userid, $laNumber, $date, $id);
			if (lg_debug) { $dbMsg .= "Updated Login Attempt: ID = " . $id ." Number = ". $laNumber . " numAffected = ".$numAffected ."<br />\n"; }
			//exit();
		}
	}	
}
?>


0
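The POST branch of the login.php above does three things a login handler has to get right: count failed attempts per IP and userid and lock at `lg_login_attempts`, check the submitted credentials against the stored hash, and regenerate the session id on success. The block below is an added, self-contained version of that flow written by the editor; it is not the EE login system's code. In-memory arrays stand in for the `users` and `loginAttempt` tables, and the threshold, the user record and the IP address are constructed. It departs from the posted code in two named ways: `password_hash()`/`password_verify()` replace `sha1($password . $userid)`, and an unknown userid is verified against a dummy hash so the response time does not reveal which userids exist.

```php
<?php
// Added example (editor's code, not the EE login system's). In-memory arrays
// stand in for the users and loginAttempt tables; the threshold, the user
// record and the IP address are constructed.
declare(strict_types=1);

const LG_LOGIN_ATTEMPTS = 5;   // constructed; lg_login_attempts in the thread

// users table stand-in: userid => [hash, name, locked]
$users = [
    'alice' => [
        'hash'   => password_hash('correct horse', PASSWORD_DEFAULT),
        'name'   => 'Alice Example',
        'locked' => 0,
    ],
];
// loginAttempt table stand-in: "ip|userid" => [number, locked]
$attempts = [];

function attempt_key(string $ip, string $userid): string
{
    return $ip . '|' . $userid;
}

function is_locked(array $attempts, string $ip, string $userid): bool
{
    return ($attempts[attempt_key($ip, $userid)]['locked'] ?? 0) === 1;
}

// Counts one failure for this ip/userid pair; returns true when the count
// reached LG_LOGIN_ATTEMPTS and the record is now locked.
function record_failure(array &$attempts, string $ip, string $userid): bool
{
    $key = attempt_key($ip, $userid);
    $rec = $attempts[$key] ?? ['number' => 0, 'locked' => 0];
    $rec['number']++;
    if ($rec['number'] >= LG_LOGIN_ATTEMPTS) {
        $rec['locked'] = 1;
    }
    $attempts[$key] = $rec;
    return $rec['locked'] === 1;
}

// Returns ['ok' => bool, 'message' => string]. On success it regenerates the
// session id, sets the fields the rest of the login system reads, and clears
// the attempt record, mirroring the posted POST branch.
function authenticate(array $users, array &$attempts, array &$session,
                      string $ip, string $userid, string $password): array
{
    if ($userid === '' || $password === '') {
        return ['ok' => false, 'message' => 'userid and password are required'];
    }
    if (is_locked($attempts, $ip, $userid)) {
        return ['ok' => false, 'message' => 'locked'];
    }
    $user = $users[$userid] ?? null;
    // Unknown userid: still run password_verify() against a dummy hash so the
    // failure takes the same time as a wrong password for a real user.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash  = $user['hash'] ?? $dummyHash;
    $valid = password_verify($password, $hash)
          && $user !== null && $user['locked'] === 0;
    if (!$valid) {
        $nowLocked = record_failure($attempts, $ip, $userid);
        return ['ok' => false, 'message' => $nowLocked ? 'locked' : 'login error'];
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // anti-session fixation, as in the thread
    }
    $session['login']  = true;
    $session['userid'] = $userid;
    $session['name']   = $user['name'];
    unset($attempts[attempt_key($ip, $userid)]);
    return ['ok' => true, 'message' => ''];
}

// Walk-through: repeated wrong passwords until the record locks, after which
// even the correct password is refused until the lock is cleared.
$session = [];
for ($i = 1; $i <= LG_LOGIN_ATTEMPTS; $i++) {
    $r = authenticate($users, $attempts, $session, '203.0.113.7', 'alice', 'wrong');
    printf("attempt %d: %s\n", $i, $r['message']);
}
$r = authenticate($users, $attempts, $session, '203.0.113.7', 'alice', 'correct horse');
printf("correct password after lock: %s\n", $r['message']);
```

The lock is keyed on the IP and userid pair, as the posted `li_getLoginAttemptRecord($ip, $userid, ...)` call is; a real deployment would also clear locks after a timeout, which the thread's code does not show and this example leaves out.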

rdivilbissCommented:
Your page is doing some sort of output before the login.php is, and there is a database access error.  What is the code in connvars.php?

Login.php would be an include on YOUR login page.  Can you post the code for that page.

It should have the code in the following attachment.

Regards,
Rod





<?php
// close to the top of the page
include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php"; // <-- this page has the li_checkForLocked() function
include "include/login.php"; // <-- this page would not be called alone
?>

<!-- somewhere in the body -->
<?PHP include "include/login-markup.php"; ?>


0
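Both hielo's point about `session_start()` and Rod's point that something produces output before login.php runs come down to the same ordering rule: `session_start()` and every `header()` call must execute before the first byte of page output. The warning in the thread names `connvars.php:9` as where output started; a common cause is whitespace or a second newline after that file's closing `?>` tag, or a byte-order mark before `<?php`, though the thread does not show line 9, so that is an assumption. The block below is an added example by the editor, not code from the thread or the EE login system: it measures what an included file emits, using two constructed connvars.php variants, and shows the session/header ordering for the page that includes the login system.

```php
<?php
// Added example (editor's code, not from the thread or the EE login system).
// Shows why "headers already sent by (output started at connvars.php:9)"
// happens and how to find the leak. The sample files are constructed here.

// Includes a PHP file with output buffering on and returns whatever bytes it
// produced; a clean config file returns ''.
function include_emits_output(string $path): string
{
    ob_start();
    require_once $path;
    return ob_get_clean();
}

// Constructed connvars.php variants. PHP swallows exactly one newline after
// a closing ?> tag; anything beyond that (a second newline, a space, a BOM
// before <?php) is sent to the browser as page output.
$leaky = tempnam(sys_get_temp_dir(), 'cv');
file_put_contents($leaky, "<?php\ndefine('cv_leaky_host', 'placeholder');\n?>\n\n");

// Same content without the closing tag, which PHP permits for PHP-only files:
// nothing after the last statement can leak.
$clean = tempnam(sys_get_temp_dir(), 'cv');
file_put_contents($clean, "<?php\ndefine('cv_clean_host', 'placeholder');\n");

printf("leaky file emitted %d byte(s)\n", strlen(include_emits_output($leaky)));
printf("clean file emitted %d byte(s)\n", strlen(include_emits_output($clean)));
unlink($leaky);
unlink($clean);

// Order for the page that pulls in the login system: start the session and run
// the includes that call header() before the first byte of markup. If output
// has already started, headers_sent() names the file and line, the same
// information the warning in the thread reports.
function start_session_or_report(): bool
{
    if (headers_sent($file, $line)) {
        error_log("cannot start session: output already started at $file:$line");
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return true;
}
```

Run from the command line, the leaky variant reports a single stray newline and the clean one reports none. `start_session_or_report()` belongs as the first statement of the login page, ahead of the `include` lines Rod lists; the `if (!isset($_SESSION)) { session_start(); }` guard in his example serves the same purpose.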
rdivilbissCommented:
Login.php is the only confusing page.  In the example pages you downloaded, the pages in the /login-system/ folder contain a login.php which is an example of what you need to include in your page.

Unfortunately, in the include folder is also a login.php page, so that part could cause confusion.

/login-system/include/login.php would be included in another page...the example being;

/login-system/login.php

Also, being an often implemented, quickly changing set of code, we are now at alpha 0.1b, which is newer than your download (not that I think any changes have anything to do with your errors.)

R


0
rcowen00Author Commented:
Just to clarify, /login-system/login.php is the example and /login-system/include/login.php needs to be included into my "login" page.  Am I understanding correctly?  Thank you.
0
Shinesh PremrajanEngineering ManagerCommented:
You need to search for the function li_checkForLocked() then include the file name in the login.php file.

Hope this helps
0
rdivilbissCommented:
@shinuq, Your information is incorrect.  I can be quite positive as I wrote most of the code.

There is (as per the code distribution) a login.php in the top level folder, which is /login-system/ and in the /login-system/include/ folder there are the login.php and login-markup.php files.

The login.php file in the /login-system/ folder is meant to be replaced with a file that has your website's markup AND includes some additional files from the /login-system/include/ folder.

The example page in the code package in the /login-system/ folder should be what is attached in the following code block. (another comment will follow)
<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
	session_start();
}

include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php";
include "include/login.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title><?PHP echo lg_term_login?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en-US" />
<meta name="language" content="en-US" />
<meta name="author" content="Roderick Divilbiss" />
<meta name="copyright" content="&copy; 2010 EE Collaborative Login Project http://www.webloginproject.com" />
<style type="text/css">
#details { font-family:Courier New; font-size:10pt; border:1px solid #000000; padding:10px; background-color:#FFE2C6; }
#message { font-size:10pt; padding:10px; background-color:#FFFFCC; border:1px solid #000000; }
#warning { font-size:10pt; font-weight:bold; padding:10px; background-color:#FFFFCC; color:#FF0000; border:1px solid #FF0000; }
</style>
</head>

<body>
<?PHP include "include/login-markup.php"; ?>
</body>
</html>


0
rdivilbissCommented:
Note the file in the above code block has several include statements at the top of the page and one include statement in the page body:

Your login page should have:

<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
          session_start();
}

include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php";
include "include/login.php";

// any PHP code of yours here
?>

Note the last file included is unfortunately also called login.php, which may cause confusion.

Maybe a normal page from your web site looks similar to this (I'm sure it is different, just play along <grin>)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">

<head>
<title>HTML & DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>

<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
  <div id="content">
    <div id="main_content">...</div>
  </div> <!--content-->
  <div id="right">...</div>
</div> <!--middle-->

</body>
</html>

We need to identify the location in your website's typical page where the main content appears.

In that portion of the web site, you would include the login form's markup like this:

<div id="main_content"><?PHP include "include/login-markup.php"; ?></div>

Leaving the rest of your page unchanged.  You would then save this merger between your website's typical page markup along with the included files taken from the example login.php page, and save it as login.php in the /login-system/ folder, replacing the example page.

The newly created login.php in /login-system/ is your login page.  The code you posted above is the login.php from the include folder which is not meant to be called on its own. It is but one of 6 files you have included in your own login.php page which lives in the /login-system/ folder above it.

If you have doubts about what to put where, just use a code block to post an example of one of your more typical web pages from your website and I'll put the include files in the correct place such that you would be able to see what you need to do for the other pages.

Regards,
Rod

0
rcowen00Author Commented:
Ok, so I don't have a current Login page of my own.  I'm sure there is a reason, but why can't I use the example login.php document?

By the way, I have included the connvars.php code you requested in an earlier post.
<?php
  //define database connection constants
  define ('db_host','xxxxx.db.xxxxxx.hostedresource.com');
  define ('db_user','xxxxx');
  define ('db_password','xxxxx');
  define ('db_name','xxxxxx');?>


0
rdivilbissCommented:
>is a reason, but why can't I use the example login.php document?

No.  It is ugly but functional.

Be sure to read the article at: http://www.experts-exchange.com/articles/Web_Development/Miscellaneous/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html

And its companion articles so you understand how to protect pages from users who have not authenticated.

0
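Rod's companion articles cover protecting pages from users who have not authenticated. As an added example by the editor, not code from the thread or the EE login system, here is a guard the protected pages in this thread (pending.php, completed.php, and so on) could require at the top. It reads the `$_SESSION['login']` and `$_SESSION['userid']` fields the posted login.php sets, sends the browser to the login page with the `p=` destination parameter that login.php reads through `getField("p,urlpath,get")`, and calls `exit()` after `header()`, which several of the redirects in the posted code omit. The login page path is a placeholder, and the example assumes `p=` carries an absolute path on the same site.

```php
<?php
// require_login.php, added example (editor's code, not the EE login system's).
// Assumes the session fields the posted login.php sets ('login', 'userid')
// and its p= destination parameter; LOGIN_PAGE is a placeholder path.
declare(strict_types=1);

const LOGIN_PAGE = '/login-system/login.php';   // placeholder

// Keeps only a same-site path (plus query), so the p= value cannot become a
// redirect to another host after login.
function safe_destination(string $uri): string
{
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/'
        || substr($path, 0, 2) === '//') {
        return '/';
    }
    $query = parse_url($uri, PHP_URL_QUERY);
    return is_string($query) && $query !== '' ? $path . '?' . $query : $path;
}

// Returns the login URL to redirect to, or null when the session is logged in.
function login_redirect_for(array $session, string $requestUri): ?string
{
    if (!empty($session['login']) && !empty($session['userid'])) {
        return null;
    }
    return LOGIN_PAGE . '?p=' . rawurlencode(safe_destination($requestUri));
}

// Put  require_once 'require_login.php'; require_login();  at the top of every
// protected page, before any markup, so the redirect headers can still be sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = login_redirect_for($_SESSION, $_SERVER['REQUEST_URI'] ?? '/');
    if ($target !== null) {
        header('Location: ' . $target);
        exit();   // header() alone does not stop the rest of the page being sent
    }
}
```

Keeping the decision in `login_redirect_for()` separate from the `header()` call lets the guard be unit-tested with a plain array standing in for `$_SESSION`, and the `safe_destination()` step matters because the `p=` value comes from the request and would otherwise be echoed back as a redirect target after login.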
rcowen00Author Commented:
Hi rdivilbiss,

I have included the code below from login-system/include/login.php.  I can't determine where $dbResults (line 120) is defined.  Could that be the problem with why I am getting the following error?  I went back and downloaded the code again from the site to verify that I didn't accidentally remove it.  It doesn't appear to be defined?  Thanks again for all your assistance.

Fatal error: Call to undefined function li_checkForLocked() in /home/content/t/r/a/transconvalue/html/login_system/include/login.php on line 120.


<?PHP
/*******************************************************************************************************************
* Page Name: Login
* Last Modification: 19 APR 2010 rdivilbiss
* Version:  alpha 0.1a Debug Version
* On Entry: check for destination, $_SESSION["login"], and for SSL state
* Input   : userid, password
* Output  : message, possible logging of login
* On Exit : continuation link
******************************************************************************************************************/
header("Pragma: No-cache");
header("Cache-control: No-cache");
/*******************************************************************************************************************
* Declare all page variables and initialize their default values
*******************************************************************************************************************/

$dbMsg="";
$redirected="";
$destination="";
$password="";
$passhash="";
$userid="";
$useridValue="";
$name="";
$remember="";
$message= lg_term_please_login;
$ip = $_SERVER["REMOTE_ADDR"];
$date = dbNow();
$useragent = htmlentities(substr($_SERVER["HTTP_USER_AGENT"],1,255));
$locked="";

if ($_SERVER["REQUEST_METHOD"]!="POST") {
	if (lg_debug) { $dbMsg .= "METHOD GET<br />\n"; }
	/*******************************************************************************************************************
	* On entry determine if we have a destination page
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "Checking for destination parameter <br />\n"; }
	$destination = getField("p,urlpath,get");
	if ($destination=="") {
		$destination = lg_success_page;
		if (lg_debug) { $dbMsg .= "Destination = ".$destination." <br />\n"; }
	}
	
	
	/*******************************************************************************************************************
	* If already logged on, redirect
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "Checking for session login <br />\n"; }
	if (isset($_SESSION["login"])) {
		if ($_SESSION["login"]) {
			if (lg_debug) { $dbMsg .= "Session login = ".$_SESSION["login"]." <br />\n"; }
			if (lg_useSSL) {
				if (lg_debug) { $dbMsg .= "Use SSL is True <br />\n"; }
				header("Location: https://". lg_domain_secure . lg_loginPath . $destination);
			}else{
				if (lg_debug) { $dbMsg .= "Use SSL is False <br />\n"; }
				header("Location: http://". lg_domain . lg_loginPath . $destination);
			}
		}
	}
	
	/*******************************************************************************************************************
	* Is login state saved in the user's cookies? If so log user in
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "Checking for cookie <br />\n"; }
	if (isset($_COOKIE["user"])) {
		/*******************************************************************************************************************
		* Is the userid or IP locked out?
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Has cookie but checking for loginAttempt lock out <br />\n"; }
		li_checkForLocked($ip,$_COOKIE["user"],$dbResults);
		if ($dbResults["locked"]==1) {
			header("Location: http://". lg_domain . lg_forbidden);
		}
		if (lg_debug) { $dbMsg .= "Has Cookie and not locked out <br />\n"; }
			
		/*******************************************************************************************************************
		* Lookup user's name and locked from users table
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Looking up name in database <br />\n"; }
		li_getName($_SESSION["userid"],$dbResults);
		
		$name = $dbResults["name"];
		if ($dbResults["locked"]==1) {
			header("Location: http://". lg_domain . lg_forbidden);
		}
		session_regenerate_id(true); // anti-session fixation
		$_SESSION["name"]=$name; // the variable looked up above, not an undefined constant
		if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }

		/*******************************************************************************************************************
		* Not locked out, login via cookie
		*******************************************************************************************************************/
		$_SESSION["login"]=true;
		$_SESSION["userid"]=$_COOKIE["user"];
		if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
		if (lg_debug) { $dbMsg .= "Session userid = ".$_SESSION["userid"]." <br />\n"; }
					
		/*******************************************************************************************************************
		* If we are logging user authentications, write to the logins table
		*******************************************************************************************************************/
		if (lg_log_logins) {
			if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
			if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
			if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
			if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
			if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
			li_logLogin($date,$userid,$ip,$useragent);
		}
		
		/*******************************************************************************************************************
		* Logged in, redirect
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Logged in redirecting to https://". lg_domain . lg_loginPath . $destination." <br />\n"; }
		header("Location: https://" . lg_domain . lg_loginPath . $destination);
		exit();
	}else{
		/*******************************************************************************************************************
		* No cookie but IP could be locked out.
		*******************************************************************************************************************/
		li_checkForLocked($ip,'',$dbResults);
		if ($dbResults["locked"]==1) {
			header("Location: http://". lg_domain . lg_forbidden);
			exit();
		}
		/*******************************************************************************************************************
		* Not locked out but need to create loginAttempt record
		*******************************************************************************************************************/
		li_createLoginAttempt($date, $ip);
	
		/*******************************************************************************************************************
		* NOT LOGGED IN: If SSL required and not using SSL, redirect to https
		*******************************************************************************************************************/
		// SERVER_PORT_SECURE is an IIS-specific variable; Apache and most other servers do not set it (they expose $_SERVER["HTTPS"] instead)
		if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
			if (lg_debug) { $dbMsg .= "Not logged in: redirected to https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
			header("Location: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination);
			exit();
		}
	}	
}else{
	/*******************************************************************************************************************
	* The form was posted, process the form
	*******************************************************************************************************************/
	if (lg_debug) { $dbMsg .= "POST - Process fields <br />\n"; }
	//checkToken(); // the anti-CSRF token check is disabled here, so the posted form is not verified against the session token
	$message = "";
	$password = getField("password,safe");
	$userid = getField("userid,safe");
	$remember = getField("remember,alpha"); // Yes or empty
	$destination = getField("destination,urlpath");       // saved final destination
	if (lg_debug) { $dbMsg .= "POSTED password = ".$password." <br />\n"; }
	if (lg_debug) { $dbMsg .= "POSTED userid = ".$userid." <br />\n"; }
	if (lg_debug) { $dbMsg .= "POSTED remember = ".$remember." <br />\n"; }
	if ($userid=="") {
		$message .= lg_phrase_userid_empty . "<br />\n";
	}else{
		$useridValue = htmlentities($userid);
		if (lg_debug) { $dbMsg .= "htmlentities userid = ".$useridValue." <br />\n"; }
	}
	if ($password=="") {
		$message .= lg_phrase_password_empty . "<br />\n";
	}
	if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
	if ($message=="") {
		/*******************************************************************************************************************
		* If all required fields exist, attempt to authenticate the credentials
		*******************************************************************************************************************/
		if (lg_debug) { $dbMsg .= "Looking up login details from database <br />\n"; }
		li_getLoginDetails($userid, $dbResults);
		$passhash = $dbResults["password"];
		$name = $dbResults["name"];
		$locked = (string) $dbResults["locked"];
		if (lg_debug) { $dbMsg .= "Calculated Passhash = ".sha1($password . $userid)."<br />\n"; }
		if (lg_debug) { $dbMsg .= "Database Passhash   = ".$passhash." <br />\n"; }
		if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }
		if (lg_debug) { $dbMsg .= "Locked = ".$locked." <br />\n"; }
		if ($locked!="1") {
			if (lg_debug) { $dbMsg .= "Account Not Locked <br />\n"; }
			if ($passhash==sha1($password . $userid)) {
				if (lg_debug) { $dbMsg .= "Passhash matches password <br />\n"; }
				/*******************************************************************************************************************
				* If the credentials are valid, log the user in
				*******************************************************************************************************************/
				session_regenerate_id(true); // anti-session fixation
				$_SESSION["login"]=true;
				$_SESSION["userid"]=$userid;
				$_SESSION["name"]=$name;
				if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
				if (lg_debug) { $dbMsg .= "Session userid set to ".$userid." <br />\n"; }
				if (lg_debug) { $dbMsg .= "Session name set to ".$name." <br />\n"; }
				
				/*******************************************************************************************************************
				* If the user wishes to have authentication remembered, write the permanent cookies
				*******************************************************************************************************************/
				if (lg_debug) { $dbMsg .= "lg_term_remember = ".lg_term_remember." <br />\n"; }
				if (lg_debug) { $dbMsg .= "getField remember = ".getField("remember")." <br />\n"; }
				if ((lg_term_remember) AND (getField("remember")=="Yes")) {
					if (lg_debug) { $dbMsg .= "Setting cookie user <br />\n"; }
					setcookie("user", $userid, time()+31536000); // 1 Year; was $value, which is never assigned in this file
				}
			
				/*******************************************************************************************************************
				* If we are logging user authentications, write to the logins table
				*******************************************************************************************************************/
				if (lg_log_logins) {
					if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
					if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
					if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
					if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
					if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
					li_logLogin($date,$userid,$ip,$useragent);
				}
				
				/*******************************************************************************************************************
				* Delete the login attempt record
				*******************************************************************************************************************/
				li_deleteLoginAttempt($ip, $userid); // was $pIp, $pUserid, neither of which is defined in this scope
				
				/*******************************************************************************************************************
				* Logged in, redirect
				*******************************************************************************************************************/
				if (lg_debug) { $dbMsg .= "Logged In::Redirect <br />\n"; }
				if (lg_debug) { $dbMsg .= "Use SSL = ".lg_useSSL." <br />\n"; }
				if (lg_debug) { $dbMsg .= "Server Port Secure = ".$_SERVER["SERVER_PORT_SECURE"]." <br />\n"; }
				if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) { // IIS-only variable, see above
					if (lg_debug) { $dbMsg .= "REDIRECTING TO: https://" . lg_domain . lg_loginPath . $destination." <br />\n"; }
					header("Location: https://" . lg_domain . lg_loginPath . $destination);
				}else{
					if (lg_debug) { $dbMsg .= "REDIRECTING TO: http://" . lg_domain . lg_loginPath . $destination." <br />\n"; }
					header("Location: http://" . lg_domain . lg_loginPath . $destination);
				}
				exit(); // logged in; do not fall through to the failed-attempt handling below
			}else{
				$message = lg_phrase_login_error;
				if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
			}
		}else{
			$message = lg_phrase_login_error_token;
			if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
		}		
		
	}
	if ($message!="") { // failed login attempt for one of several reasons.
  		if (lg_debug) { $dbMsg .= "getLoginAttemptRecord: IP = ".$ip." UserId = ".$userid." <br />\n"; }
		li_getLoginAttemptRecord($ip, $userid, $dbResults);
		$id = $dbResults["id"];
		$laNumber = $dbResults["number"]+1;
		
		if (lg_debug) { $dbMsg .= "ID = ".$id."<br />\n"; }
		//if (lg_debug) { $dbMsg .= "db Number = ".$dbResults["number"]."<br />\n"; }
		if (lg_debug) { $dbMsg .= "laNumber = ". $laNumber ."<br />\n"; }
		if ($laNumber >= lg_login_attempts) {
			/*******************************************************************************************************************
			* Lock the account and redirect to forbidden
			*******************************************************************************************************************/
			$locked = "1";
			li_lockLoginAttemtpt($locked,$laNumber,$id);
			if (lg_debug) { $dbMsg .= "Lock Login Attempt: ID = " . $id ." Number = ". $laNumber. " numAffected = ". $numAffected ."<br />\n"; }
			if (!lg_debug) { 
				header("Location: http://". lg_domain . lg_forbidden);
				exit();
			}	
		}else{	
		/*******************************************************************************************************************
		* Update the login attempt record
		*******************************************************************************************************************/
			li_updateLoginAttempt($userid, $laNumber, $date, $id);
			if (lg_debug) { $dbMsg .= "Updated Login Attempt: ID = " . $id ." Number = ". $laNumber . " numAffected = ".$numAffected ."<br />\n"; }
			//exit();
		}
	}	
}
?>

rdivilbissCommented:
$dbResults is a parameter to a database access layer function and is passed as an array parameter. It returns the query results as an array.

http://www.webloginproject.com/login-project/php/index.php has the latest code and all is working as it should. The page you keep posting is an include file, and in the above site it exists in the /login-project/php/include folder.

Go to http://code.google.com/p/loginsystem-rd/downloads/list and get          "Latest PHP code 28 APR 2010." (the top in the list.)

Save your loginGlobals.php someplace safe before copying into the site these latest files. (Especially if you don't have an English loginGlobals.)

Been debugging all day with another user and feel comfortable that this code is good.

I'm waiting to hear how it runs on Linux/Apache, and I know there is a problem with PHP on Macs that we do not have a workaround for. PHP on the Mac is not reporting an important $_SERVER[] variable which is used on every page.

There was an error in the previous code which directly affected Linux. That was fixed.

Sundry other bugs have been squashed today.

If you are executing the login.php page you keep posting without it being called from a parent page you are going to get all kinds of errors.  The one you report indicates to me that you are trying to execute the include file rather than calling it from a parent page.  The include file must be included in another page in the parent folder along with 5 other include files.  The parent page is also called  login.php but it is in the /login-system/ folder, not the /login-system/include/ folder.  When you report that a database function is undefined, that can only occur if you do not have the database.php include file being called.  The attached file is the login.php file you should try to open in a browser, not the code you posted above.

Is this an internal machine or do you have a public link?

If you still have a problem with errors, upload your loginGlobals.php in a code attachment.  Then in a second comment upload your parent login.php page, not the include login.php page you keep posting.

Rod




<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
	session_start();
}

include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php";
include "include/login.php";

// alpha 0.1b debug - 27 APR 2010

/* You should add
* header("Pragma: No-cache");
* header("Cache-control: No-cache");
* after all PHP generated output
*/
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title><?PHP echo lg_term_login; ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en-US" />
<meta name="language" content="en-US" />
<meta name="author" content="Roderick Divilbiss" />
<meta name="copyright" content="&copy; 2010 EE Collaborative Login Project http://www.webloginproject.com" />
<style type="text/css">
#details { font-family:Courier New; font-size:10pt; border:1px solid #000000; padding:10px; background-color:#FFE2C6; }
#message { font-size:10pt; padding:10px; background-color:#FFFFCC; border:1px solid #000000; }
#warning { font-size:10pt; font-weight:bold; padding:10px; background-color:#FFFFCC; color:#FF0000; border:1px solid #FF0000; }
</style>
</head>

<body>
<?PHP include "include/login-markup.php"; ?>
<?PHP if (lg_debug) { echo "<p>". $dbMsg . "</p>"; } ?>
</body>
</html>

rcowen00Author Commented:
Rod,

Thank you for your assistance, I promise not to load the include login.php page again :). The problem I was having was because I stupidly thought I could replace the database.php with my connvars.php, thinking it was just the database connection information. Yeah, I know, I didn't even look first. So I have corrected that and actually have a login page loading when I open my site. I am working on number one; any hint where to start on error number 2? Again, thank you for your time and patience.

Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transconvalue/html/login_system/login.php:17) in /home/content/t/r/a/transconvalue/html/login_system/include/form_token.php on line 66

Fatal error: Call to undefined function com_create_guid() in /home/content/t/r/a/transconvalue/html/login_system/include/form_token.php on line 68
0
Shinesh PremrajanEngineering ManagerCommented:
In the file form_token.php you have called a function com_create_guid() which is not there in any of the include files; just include the file where this function is defined.

Hope this helps
0
rcowen00Author Commented:
shinuq,

It is defined in "include/form_token.php" in line 8.
0
rdivilbissCommented:
You have an outdated file...sorry the project is moving quickly.

com_create_guid() is available only on Windows servers; the code should have getGUID() instead, but another important change was made to that file today or yesterday... it's becoming a blur.

See attached.
<?PHP
/**
* Login System Form Token (anti-CSRF) Functions
* 27 APR 2010 Version alpha 0.1b debug
*/
if (!isset($_SESSION)) {
	session_start();
}

function generateToken(){
	/*****************************************************************************************
	* Create and set a new token for CSRF protection
	* on initial entry or after form errors and we are going to redisplay the form.
	******************************************************************************************/
	global $dbMsg; // $dbMsg is the page-level debug buffer; without this the .= below only writes a function-local copy
	$salt="";
	$tokenStr="";
	$salt = sha1($_SERVER["HTTP_HOST"]); // per-domain salt; it is derived from the host name, so it is not a secret
	setcookie("token", "", time()-42000);
	$_SESSION["salt"]=$salt;
	$_SESSION["guid"] = getGUID();
	$_SESSION["ip"] = $_SERVER["REMOTE_ADDR"];
	$_SESSION["time"] = time();
	$tokenStr = "IP:" . $_SESSION["ip"] . ",SESSIONID:" . session_id() . ",GUID:" . $_SESSION["guid"];
	$_SESSION["token"]=sha1(($tokenStr&$_SESSION["salt"]).$_SESSION["salt"]); // note: "&" on two strings is a byte-wise AND truncated to the shorter operand (the 40-char salt), not concatenation; checkToken() repeats this exact expression
	if (lg_debug) { $dbMsg .= "Form Token: " . $_SESSION["token"] . "<br />\n"; }
	if (setcookie("token", $_SESSION["token"], time()+86400)) {
		$_SESSION["usecookie"]=True;
		if (lg_debug) { $dbMsg .= "Form Token: Use Cookie = true<br />\n"; }	
	}
}


function checkToken() {
	/*****************************************************************************************
	* Check the posted token for correctness
	******************************************************************************************/
	global $dbMsg; // page-level debug buffer, as in generateToken()
	$oldToken="";
	$testToken="";
	$tokenStr="";
	$page=$_SERVER["SCRIPT_NAME"];
	$oldToken=isset($_POST["token"]) ? $_POST["token"] : ""; // a missing token must fail the check, not raise a notice
	$tokenStr = "IP:" . $_SESSION["ip"] . ",SESSIONID:" . session_id() . ",GUID:" . $_SESSION["guid"];
	$testToken=sha1(($tokenStr&$_SESSION["salt"]).$_SESSION["salt"]); // must match the derivation in generateToken()
	$checkToken=False;
	if ($oldToken===$testToken) {
		$diff = time() - $_SESSION["time"]; 
		if ($diff<=300) { // Five minutes max
			if (!empty($_SESSION["usecookie"])) {
				if (isset($_COOKIE["token"]) && $_COOKIE["token"]===$oldToken) {
					/*****************************************************************************************
					* Destroy the old form token, then
					* generate a new token for the form, which may or may not be needed. We want to do this
					* before headers are written. When writeToken() or writeTokenH() is called we are only 
					* writing the pre-generated token to the form. The cookie will have already been written.
					******************************************************************************************/
					if (lg_debug) { $dbMsg .= "In Form Token: checkToken: set old cookie to nothing<br />\n"; }
					setcookie("token", '', time()-42000);
					if (lg_debug) { $dbMsg .= "In Form Token: checkToken: NEW generateToken<br />\n"; }
					generateToken();
					return true;
				}else{
					// Cookie token does not match the posted token: drop the session and send the user to the error page
					$_SESSION = array();
					if (isset($_COOKIE[session_name()])) {
						setcookie(session_name(), '', time()-42000);
					}
					session_destroy();
					header("Location: http://". lg_domain . lg_loginPath . lg_form_error ."?p=" . $page . "&t=ec");
					exit(); // never let the caller continue after a failed token check
				}
			}else{	
				return True;
			}	
		}else{
			// Token is older than five minutes
			$_SESSION = array();
			if (isset($_COOKIE[session_name()])) {
				setcookie(session_name(), '', time()-42000);
			}
			session_destroy();
			header("Location: http://". lg_domain . lg_loginPath . lg_form_error ."?p=" . $page . "&t=et");
			exit();
		}
	}else{
		// Posted token does not match the one derived from the session
		$_SESSION = array();
		if (isset($_COOKIE[session_name()])) {
			setcookie(session_name(), '', time()-42000);
		}
		session_destroy();
		header("Location: http://". lg_domain . lg_loginPath . lg_form_error ."?p=" . $page . "&t=e");
		exit();
	}
}


if ($_SERVER["REQUEST_METHOD"]=="GET") {
	/*****************************************************************************************
	* We need to generate the token (writing a cookie) before headers are written. When
	* writeToken() or writeTokenH() is called we are only writing the pre-generated token to
	* the form. The cookie has already been sent.
	******************************************************************************************/
	if (lg_debug) { $dbMsg .= "In Form Token: METHOD=GET: generateToken<br />\n"; }
	generateToken();
}

function writeToken() {	
	echo '<input id="token" name="token" type="hidden" accesskey="u" tabindex="999" value="' .$_SESSION['token']. '" />';
}

function writeTokenH() {
	echo '<input id="token" name="token" type="hidden" accesskey="u" tabindex="999" value="' .$_SESSION['token']. '">';
}
?>

rdivilbissCommented:
getGUID() should be in generalPurpose.php in case you care. If it cannot get a true GUID using com_create_guid(), it generates a pseudo-random GUID.

Also the salt was corrected to be different for every domain, and the page was generally improved.

A  potential headers already written error is now avoided as well.
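An added example of the getGUID() shape Rod describes, written for this thread and not taken from the project's generalPurpose.php: it tries the Windows-only com_create_guid() first and otherwise builds a version-4 UUID. Assumptions: PHP 7 or later for random_bytes() (my choice for the fallback; the project's own fallback may differ), and that callers only need the 8-4-4-4-12 text form, so the braces com_create_guid() adds are stripped.

```php
<?php
// Added example for the thread above; not the project's code.
// getGUID() and com_create_guid() are named in the thread, everything else is assumed.
function getGUID() {
	if (function_exists('com_create_guid')) {
		// Windows/COM path: returns "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
		return trim(com_create_guid(), '{}');
	}
	// Fallback: a version-4 (random) UUID built from 16 CSPRNG bytes.
	$b = random_bytes(16);
	$b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version nibble = 4
	$b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // variant bits = 10xx
	$hex = bin2hex($b);
	return sprintf('%s-%s-%s-%s-%s',
		substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
		substr($hex, 16, 4), substr($hex, 20, 12));
}

// Sanity check used before the value goes into the token string:
// both paths must yield the 8-4-4-4-12 hex shape.
function isGuidShaped($g) {
	return (bool) preg_match('/^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$/', $g);
}

$g = getGUID();
if (!isGuidShaped($g)) {
	throw new RuntimeException("getGUID() returned an unexpected value: $g");
}
echo $g, "\n";
```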
rcowen00Author Commented:
Thank you!
rdivilbissCommented:
Well, "true GUID" isn't a fair statement, but com_create_guid() is proven to be more random than the fallback.
rcowen00Author Commented:
rdivilbiss,

I am working through some errors and went to the site http://code.google.com/p/loginsystem-rd/downloads/list to verify that I have the most updated code for the error I'm getting and I don't see an English PHP 0.1b?   The download I have from Tues is ....PHP 0.1a?  Thank you.
rdivilbissCommented:
0
rdivilbissCommented:
http://www.webloginproject.com/login-project/php/index.php

has the latest files loaded. Testing indicates no apparent bugs, but we will only know for sure as it is integrated into other websites.