HTTP Authentication
Hi,
I am having a problem with my newly added authorization. I am asked to supply credentials to enter the site (which I want), but it appears to require me to supply them again sometime between line 24 to 44 (which I do not want). Also, when asked for the credentials a 2nd time it will not except the credentials entered. Any help would be appreciated. Thank you.
I am having a problem with my newly added authorization. I am asked to supply credentials to enter the site (which I want), but it appears to require me to supply them again sometime between line 24 to 44 (which I do not want). Also, when asked for the credentials a 2nd time it will not except the credentials entered. Any help would be appreciated. Thank you.
<?php
//authorization
require_once('authvars.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>TCV Path</title>
<link href="tcvpath.css" rel="stylesheet" type="text/css">
</head>
<body>
<p><img src="transconlogo12-12_jkqn" alt="Transcontinental Valuations logo." height="80" width="396" /></p>
<?php
if(isset($_POST['submit'])){
$output_form=false;
if(empty($search_criteria)){
echo 'no TC number entered.<br />';
$output_form=true;
}
}
else {
$output_form=true;
}
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<?php
require_once('connvars.php');
$dbc=mysqli_connect(db_host,db_user,db_password,db_name)or die('Error connecting to MySQL server.');
$search_criteria=$_POST['searchcriteria'];
$query="Select * from job where tc_number='$search_criteria'";
$result=mysqli_query($dbc,$query) or die($query.mysql_error('query error'));
while ($row=mysqli_fetch_array($result)){
$row['job_id'];
$text = $row['tc_number'];
$link = 'propinsp.php?job_id='.$row['job_id'].'&tc_number='.$row['tc_number'].'&prop_addr_1='.$row['prop_addr_1'].'&prop_city=' . $row['prop_city'].'&prop_state=' . $row['prop_state'].'&prop_county='.$row['prop_county'].'&prop_zip='.$row['prop_zip'];
echo "<a href='$link'>$text</a>";
}
?>
</h4>
<div id="search">
Enter TC Number<input class="searchtext" id="searchcriteria" name="searchcriteria" value="" /><input class="headerSubmit" id="go" name="go" value="Go" type="submit" />
</div>
<div id="nav">
<ul id="headerNav">
<li><a href="manualentry.php" title="manualentry">Job Entry</a></li>
<li><a href="pending.php" title="Pending">Pending</a></li>
<li><a href="pendingreview.php" title="Pending">Pending Review</a></li>
<li><a href="completed.php" title="Completed">Completed</a></li>
<li><a href="supporttables.php" title="supporttables">Support Tables</a></li>
<li class="headerRight"><a href="/logout" title="Logout">Logout</a></li>
</ul>
</div>
</form>
</body>
</html>
Don't reinvent the wheel. https://www.experts-exchange.com/articles/Web_Development/Miscellaneous/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html
Also you have unfiltered input on line 33: $search_criteria=$_POST['s
which opens you to a SQL injection on line 34.
Regards,
Rod
Also you have unfiltered input on line 33: $search_criteria=$_POST['s
which opens you to a SQL injection on line 34.
Regards,
Rod
ASKER
rdivilbiss,
Thanks for the recommendation for the login system. I have been working on getting it up and running. I have been successful in working through some errors I am getting, but these final three have me stumped. Any suggestions? I have included the login.php.
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transc
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transc
Fatal error: Call to undefined function li_checkForLocked() in /home/content/t/r/a/transc
Thanks for the recommendation for the login system. I have been working on getting it up and running. I have been successful in working through some errors I am getting, but these final three have me stumped. Any suggestions? I have included the login.php.
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transc
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transc
Fatal error: Call to undefined function li_checkForLocked() in /home/content/t/r/a/transc
<?PHP
/*******************************************************************************************************************
* Page Name: Login
* Last Modification: 19 APR 2010 rdivilbiss
* Version: alpha 0.1a Debug Version
* On Entry: check for destination, $_SESSION["login"], and for SSL state
* Input : userid, password
* Output : message, possible logging of login
* On Exit : continuation link
******************************************************************************************************************/
header("Pragma: No-cache");
header("Cache-control: No-cache");
/*******************************************************************************************************************
* Declare all page variables and initialize their default values
*******************************************************************************************************************/
$dbMsg="";
$redirected="";
$destination="";
$password="";
$passhash="";
$userid="";
$useridValue="";
$name="";
$remember="";
$message= lg_term_please_login;
$ip = $_SERVER["REMOTE_ADDR"];
$date = dbNow();
$useragent = htmlentities(substr($_SERVER["HTTP_USER_AGENT"],1,255));
$locked="";
if ($_SERVER["REQUEST_METHOD"]!="POST") {
if (lg_debug) { $dbMsg .= "METHOD GET<br />\n"; }
/*******************************************************************************************************************
* On entry determine if we have a destination page
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Checking for destination parameter <br />\n"; }
$destination = getField("p,urlpath,get");
if ($destination=="") {
$destination = lg_success_page;
if (lg_debug) { $dbMsg .= "Destination = ".$destination." <br />\n"; }
}
/*******************************************************************************************************************
* If already logged on, redirect
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Checking for session login <br />\n"; }
if (isset($_SESSION["login"])) {
if ($_SESSION["login"]) {
if (lg_debug) { $dbMsg .= "Session login = ".$_SESSION["login"]." <br />\n"; }
if (lg_useSSL) {
if (lg_debug) { $dbMsg .= "Use SSL is True <br />\n"; }
header("Location: https://". lg_domain_secure . lg_loginPath . $destination);
}else{
if (lg_debug) { $dbMsg .= "Use SSL is False <br />\n"; }
header("Location: http://". lg_domain . lg_loginPath . $destination);
}
}
}
/*******************************************************************************************************************
* Is login state saved in the user's cookies? If so log user in
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Checking for cookie <br />\n"; }
if (isset($_COOKIE["user"])) {
/*******************************************************************************************************************
* Is the userid or IP locked out?
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Has cookie but checking for loginAttempt lock out <br />\n"; }
li_checkForLocked($ip,$_COOKIE["user"],$dbResults);
if ($dbResults["locked"]==1) {
header("Location: http://". lg_domain . lg_forbidden);
}
if (lg_debug) { $dbMsg .= "Has Cookie and not locked out <br />\n"; }
/*******************************************************************************************************************
* Lookup user's name and locked from users table
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Looking up name in database <br />\n"; }
li_getName($_SESSION["userid"],$dbResults);
$name = $dbResults["name"];
if ($dbResults["locked"]==1) {
header("Location: http://". lg_domain . lg_forbidden);
}
session_regenerate_id(true); // anti-session fixation
$_SESSION["name"]=name;
if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }
/*******************************************************************************************************************
* Not locked out, login via cookie
*******************************************************************************************************************/
$_SESSION["login"]=true;
$_SESSION["userid"]=$_COOKIE["user"];
if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
if (lg_debug) { $dbMsg .= "Session userid = ".$_SESSION["userid"]." <br />\n"; }
/*******************************************************************************************************************
* If we are logging user authentications, write to the logins table
*******************************************************************************************************************/
if (lg_log_logins) {
if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
li_logLogin($date,$userid,$ip,$useragent);
}
/*******************************************************************************************************************
* Logged in, redirect
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Logged in redirecting to https://". lg_domain . lg_loginPath . $destination." <br />\n"; }
header("Location: https://" . lg_domain . lg_loginPath . $destination);
}else{
/*******************************************************************************************************************
* No cookie but IP could be locked out.
*******************************************************************************************************************/
li_checkForLocked($ip,'',$dbResults);
if ($dbResults["locked"]==1) {
header("Location: http://". lg_domain . lg_forbidden);
exit();
}
/*******************************************************************************************************************
* Not locked out but need to create loginAttempt record
*******************************************************************************************************************/
li_createLoginAttempt($date, $ip);
/*******************************************************************************************************************
* NOT LOGGED IN: If SSL required and not using SSL, redirect to https
*******************************************************************************************************************/
if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
if (lg_debug) { $dbMsg .= "Not logged in: redirected to https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
header("Location: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination);
}
}
}else{
/*******************************************************************************************************************
* The form was posted, process the form
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "POST - Process fields <br />\n"; }
//checkToken();
$message = "";
$password = getField("password,safe");
$userid = getField("userid,safe");
$remember = getField("remember,alpha"); // Yes or empty
$destination = getField("destination,urlpath"); // saved final destination
if (lg_debug) { $dbMsg .= "POSTED password = ".$password." <br />\n"; }
if (lg_debug) { $dbMsg .= "POSTED userid = ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "POSTED remember = ".$remember." <br />\n"; }
if ($userid=="") {
$message .= lg_phrase_userid_empty . "<br />\n";
}else{
$useridValue = htmlentities($userid);
if (lg_debug) { $dbMsg .= "htmlentities userid = ".$useridValue." <br />\n"; }
}
if ($password=="") {
$message .= lg_phrase_password_empty . "<br />\n";
}
if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
if ($message=="") {
/*******************************************************************************************************************
* If all required fields exist, attempt to autenticate the credentials
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Looking up login details from database <br />\n"; }
li_getLoginDetails($userid, $dbResults);
$passhash = $dbResults["password"];
$name = $dbResults["name"];
$locked = (string) $dbResults["locked"];
if (lg_debug) { $dbMsg .= "Calculated Passhash = ".sha1($password . $userid)."<br />\n"; }
if (lg_debug) { $dbMsg .= "Database Passhash = ".$passhash." <br />\n"; }
if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }
if (lg_debug) { $dbMsg .= "Locked = ".$locked." <br />\n"; }
if ($locked!="1") {
if (lg_debug) { $dbMsg .= "Account Not Locked <br />\n"; }
if ($passhash==sha1($password . $userid)) {
if (lg_debug) { $dbMsg .= "Passhash matches password <br />\n"; }
/*******************************************************************************************************************
* If credential are valid log the user in
*******************************************************************************************************************/
session_regenerate_id(true); // anti-session fixation
$_SESSION["login"]=true;
$_SESSION["userid"]=$userid;
$_SESSION["name"]=$name;
if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
if (lg_debug) { $dbMsg .= "Session userid set to ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "Session name set to ".$name." <br />\n"; }
/*******************************************************************************************************************
* If the user wishes to have authentication remembered, write the permanent cookies
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "lg_term_remember = ".lg_term_remember." <br />\n"; }
if (lg_debug) { $dbMsg .= "getField remember = ".getField("remember")." <br />\n"; }
if ((lg_term_remember) AND (getField("remember")=="Yes")) {
if (lg_debug) { $dbMsg .= "Setting cookie user <br />\n"; }
setcookie("user", $value, time()+31536000); // 1 Year
}
/*******************************************************************************************************************
* If we are logging user authentications, write to the logins table
*******************************************************************************************************************/
if (lg_log_logins) {
if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
li_logLogin($date,$userid,$ip,$useragent);
}
/*******************************************************************************************************************
* Delete the login attempt record
*******************************************************************************************************************/
li_deleteLoginAttempt($pIp, $pUserid);
/*******************************************************************************************************************
* Logged in, redirect
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Logged In::Redirect <br />\n"; }
if (lg_debug) { $dbMsg .= "Use SSL = ".lg_useSSL." <br />\n"; }
if (lg_debug) { $dbMsg .= "Server Port Secure = ".$_SERVER["SERVER_PORT_SECURE"]." <br />\n"; }
if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
if (lg_debug) { $dbMsg .= "REDIRECTING TO: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
header("Location: https://" . lg_domain . lg_loginPath . $destination);
}else{
if (lg_debug) { $dbMsg .= "REDIRECTING TO: http://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
header("Location: http://" . lg_domain . lg_loginPath . $destination);
}
}else{
$message = lg_phrase_login_error;
if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
}
}else{
$message = lg_phrase_login_error_token;
if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
}
}
if ($message!="") { // failed login attempt for one of several reasons.
if (lg_debug) { $dbMsg .= "getLoginAttemptRecord: IP = ".$ip." UserId = ".$userid." <br />\n"; }
li_getLoginAttemptRecord($ip, $userid, $dbResults);
$id = $dbResults["id"];
$laNumber = $dbResults["number"]+1;
if (lg_debug) { $dbMsg .= "ID = ".$id."<br />\n"; }
//if (lg_debug) { $dbMsg .= "db Number = ".$dbResults["number"]."<br />\n"; }
if (lg_debug) { $dbMsg .= "iaNumber = ". $laNumber ."<br />\n"; }
if ($laNumber >= lg_login_attempts) {
/*******************************************************************************************************************
* Lock the account and redirect to forbidden
*******************************************************************************************************************/
$locked = "1";
li_lockLoginAttemtpt($locked,$laNumber,$id);
if (lg_debug) { $dbMsg .= "Lock Login Attempt: ID = " . $id ." Number = ". $laNumber. " numAffected = ". $numAffected ."<br />\n"; }
if (!lg_debug) {
header("Location: http://". lg_domain . lg_forbidden);
exit();
}
}else{
/*******************************************************************************************************************
* Update the login attempt record
*******************************************************************************************************************/
li_updateLoginAttempt($userid, $laNumber, $date, $id);
if (lg_debug) { $dbMsg .= "Updated Login Attempt: ID = " . $id ." Number = ". $laNumber . " numAffected = ".$numAffected ."<br />\n"; }
//exit();
}
}
}
?>
Your page is doing some sort of output before the login.php is, and there is a database access error. What is the code in connvars.php?
Login.php would be an include on YOUR login page. Can you post the code for that page.
It should have the code in the following attachment.
Regards,
Rod
Login.php would be an include on YOUR login page. Can you post the code for that page.
It should have the code in the following attachment.
Regards,
Rod
<?php
// close to the top of the page
include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php"; <-- this page has the li_checkForLocked() function
include "include/login.php"; // <-- this page would not be called alone
?>
<!-- somewhere in the body -->
<?PHP include "include/login-markup.php"; ?>
Login.php is the only confusing page. In the example pages you downloaded, the pages in the /login-system/ folder contains a login.php which is an example of what you need to include in your page.
Unfortunately, in the include folder is also a login.php page, so that part could cause confusion.
/login-system/include/logi
/login-system/login.php
Also, being a often implemented quickly changing set of code, we are now at alpha 0.1b, which is newer than your download (not that I think any changes have anything to do with your errors.)
R
Unfortunately, in the include folder is also a login.php page, so that part could cause confusion.
/login-system/include/logi
/login-system/login.php
Also, being a often implemented quickly changing set of code, we are now at alpha 0.1b, which is newer than your download (not that I think any changes have anything to do with your errors.)
R
ASKER
Just to clarify, /login-system/login.php is the example and /login-system/include/logi
You need to search for the function li_checkForLocked() then include the file name in the login.php file.
Hope this helps
Hope this helps
@shinuq, Your information is incorrect. I can be quite positive as I wrote most of the code.
There is (as per the code distribution) a login.php in the top level folder, which is /login-system/ and in the /login-system/include/ folder there are the login.php and login-markup.php files.
The login.php file in the /login-system/ folder is meant to be replaced with a file that has your websites markup AND includes some additional files from the /login-system/include/ folder.
The example page in the code package in the /login-system/ folder should be what is attached in the following code block. (another comment will follow)
There is (as per the code distribution) a login.php in the top level folder, which is /login-system/ and in the /login-system/include/ folder there are the login.php and login-markup.php files.
The login.php file in the /login-system/ folder is meant to be replaced with a file that has your websites markup AND includes some additional files from the /login-system/include/ folder.
The example page in the code package in the /login-system/ folder should be what is attached in the following code block. (another comment will follow)
<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
session_start();
}
include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php";
include "include/login.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title><?PHP echo lg_term_login?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en-US" />
<meta name="language" content="en-US" />
<meta name="author" content="Roderick Divilbiss" />
<meta name="copyright" content="© 2010 EE Collaborative Login Project http://www.webloginproject.com" />
<style type="text/css">
#details { font-family:Courier New; font-size:10pt; border:1px solid #000000; padding:10px; background-color:#FFE2C6; }
#message { font-size:10pt; padding:10px; background-color:#FFFFCC; border:1px solid #000000; }
#warning { font-size:10pt; font-weight:bold; padding:10px; background-color:#FFFFCC; color:#FF0000; border:1px solid #FF0000; }
</style>
</head>
<body>
<?PHP include "include/login-markup.php"; ?>
</body>
</html>
Note the file in the above code block has several include statements at the top of the page and one include statement in the page body:
Your login page should have:
<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
session_start();
}
include "include/generalPurpose.ph
include "include/form_token.php";
include "include/loginGlobals.php"
include "include/database.php";
include "include/login.php";
// any PHP code of yours here
?>
Note the last file included is unfortunately also called login.php, which may cause confusion.
Maybe a normal page from your web site looks similar to this (I'm sure it is different, just play along <grin>)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4
<html lang="en">
<head>
<title>HTML & DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
<div id="content">
<div id="main_content">...</div
</div> <!--content-->
</div> <!--nav-->
<div id="right">...</div>
</div> <!--middle-->
</body>
</html>
We need to identify the location in your website's typical page where the main content appears.
In that portion of the web site, you would include the login form's markup like this:
<div id="main_content"><?PHP include "include/login-markup.php"
Leaving the rest of your page unchanged. You would then save this merger between your website's typical page markup along with the included files taken from the example login.php page, and save it as login.php in the /login-system/ folder, replacing the example page.
The newly created login.php in /login-system/ is your login page. The code you posted above is the login.php from the include folder which is not meant to be called on its own. It is but one of 6 files you have included in your own login.php page which lives in the /login-system/ folder above it.
If you have doubts about what to put where, just use a code block to post an example of one of your more typical web pages from your website and I'll put the include files in the correct place such that you would be able to see what you need to do for the other pages.
Regards,
Rod
Your login page should have:
<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
session_start();
}
include "include/generalPurpose.ph
include "include/form_token.php";
include "include/loginGlobals.php"
include "include/database.php";
include "include/login.php";
// any PHP code of yours here
?>
Note the last file included is unfortunately also called login.php, which may cause confusion.
Maybe a normal page from your web site looks similar to this (I'm sure it is different, just play along <grin>)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4
<html lang="en">
<head>
<title>HTML & DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
<div id="content">
<div id="main_content">...</div
</div> <!--content-->
</div> <!--nav-->
<div id="right">...</div>
</div> <!--middle-->
</body>
</html>
We need to identify the location in your website's typical page where the main content appears.
In that portion of the web site, you would include the login form's markup like this:
<div id="main_content"><?PHP include "include/login-markup.php"
Leaving the rest of your page unchanged. You would then save this merger between your website's typical page markup along with the included files taken from the example login.php page, and save it as login.php in the /login-system/ folder, replacing the example page.
The newly created login.php in /login-system/ is your login page. The code you posted above is the login.php from the include folder which is not meant to be called on its own. It is but one of 6 files you have included in your own login.php page which lives in the /login-system/ folder above it.
If you have doubts about what to put where, just use a code block to post an example of one of your more typical web pages from your website and I'll put the include files in the correct place such that you would be able to see what you need to do for the other pages.
Regards,
Rod
ASKER
Ok, so I don't have a current Login page of my own. I'm sure there is a reason, but why can't I use the example login.php document?
By the way, I have included the connvars.php code you requested in an earlier post.
By the way, I have included the connvars.php code you requested in an earlier post.
<?php
//define database connection constants
define ('db_host','xxxxx.db.xxxxxx.hostedresource.com');
define ('db_user','xxxxx');
define ('db_password','xxxxx');
define ('db_name','xxxxxx');?>
>is a reason, but why can't I use the example login.php document?
No. It is ugly but functional.
Be sure to read the article at: https://www.experts-exchange.com/articles/Web_Development/Miscellaneous/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html
And its companion articles so you understand how to protect pages from users who have not authenticated.
No. It is ugly but functional.
Be sure to read the article at: https://www.experts-exchange.com/articles/Web_Development/Miscellaneous/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html
And its companion articles so you understand how to protect pages from users who have not authenticated.
ASKER
Hi rdivilbiss,
I have included the code below from login-system/include/login
Fatal error: Call to undefined function li_checkForLocked() in /home/content/t/r/a/transc
I have included the code below from login-system/include/login
Fatal error: Call to undefined function li_checkForLocked() in /home/content/t/r/a/transc
<?PHP
/*******************************************************************************************************************
* Page Name: Login
* Last Modification: 19 APR 2010 rdivilbiss
* Version: alpha 0.1a Debug Version
* On Entry: check for destination, $_SESSION["login"], and for SSL state
* Input : userid, password
* Output : message, possible logging of login
* On Exit : continuation link
******************************************************************************************************************/
header("Pragma: No-cache");
header("Cache-control: No-cache");
/*******************************************************************************************************************
* Declare all page variables and initialize their default values
*******************************************************************************************************************/
$dbMsg="";
$redirected="";
$destination="";
$password="";
$passhash="";
$userid="";
$useridValue="";
$name="";
$remember="";
$message= lg_term_please_login;
$ip = $_SERVER["REMOTE_ADDR"];
$date = dbNow();
$useragent = htmlentities(substr($_SERVER["HTTP_USER_AGENT"],1,255));
$locked="";
if ($_SERVER["REQUEST_METHOD"]!="POST") {
if (lg_debug) { $dbMsg .= "METHOD GET<br />\n"; }
/*******************************************************************************************************************
* On entry determine if we have a destination page
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Checking for destination parameter <br />\n"; }
$destination = getField("p,urlpath,get");
if ($destination=="") {
$destination = lg_success_page;
if (lg_debug) { $dbMsg .= "Destination = ".$destination." <br />\n"; }
}
/*******************************************************************************************************************
* If already logged on, redirect
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Checking for session login <br />\n"; }
if (isset($_SESSION["login"])) {
if ($_SESSION["login"]) {
if (lg_debug) { $dbMsg .= "Session login = ".$_SESSION["login"]." <br />\n"; }
if (lg_useSSL) {
if (lg_debug) { $dbMsg .= "Use SSL is True <br />\n"; }
header("Location: https://". lg_domain_secure . lg_loginPath . $destination);
}else{
if (lg_debug) { $dbMsg .= "Use SSL is False <br />\n"; }
header("Location: http://". lg_domain . lg_loginPath . $destination);
}
}
}
/*******************************************************************************************************************
* Is login state saved in the user's cookies? If so log user in
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Checking for cookie <br />\n"; }
if (isset($_COOKIE["user"])) {
/*******************************************************************************************************************
* Is the userid or IP locked out?
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Has cookie but checking for loginAttempt lock out <br />\n"; }
li_checkForLocked($ip,$_COOKIE["user"],$dbResults);
if ($dbResults["locked"]==1) {
header("Location: http://". lg_domain . lg_forbidden);
}
if (lg_debug) { $dbMsg .= "Has Cookie and not locked out <br />\n"; }
/*******************************************************************************************************************
* Lookup user's name and locked from users table
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Looking up name in database <br />\n"; }
li_getName($_SESSION["userid"],$dbResults);
$name = $dbResults["name"];
if ($dbResults["locked"]==1) {
header("Location: http://". lg_domain . lg_forbidden);
}
session_regenerate_id(true); // anti-session fixation
$_SESSION["name"]=name;
if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }
/*******************************************************************************************************************
* Not locked out, login via cookie
*******************************************************************************************************************/
$_SESSION["login"]=true;
$_SESSION["userid"]=$_COOKIE["user"];
if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
if (lg_debug) { $dbMsg .= "Session userid = ".$_SESSION["userid"]." <br />\n"; }
/*******************************************************************************************************************
* If we are logging user authentications, write to the logins table
*******************************************************************************************************************/
if (lg_log_logins) {
if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
li_logLogin($date,$userid,$ip,$useragent);
}
/*******************************************************************************************************************
* Logged in, redirect
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Logged in redirecting to https://". lg_domain . lg_loginPath . $destination." <br />\n"; }
header("Location: https://" . lg_domain . lg_loginPath . $destination);
}else{
/*******************************************************************************************************************
* No cookie but IP could be locked out.
*******************************************************************************************************************/
li_checkForLocked($ip,'',$dbResults);
if ($dbResults["locked"]==1) {
header("Location: http://". lg_domain . lg_forbidden);
exit();
}
/*******************************************************************************************************************
* Not locked out but need to create loginAttempt record
*******************************************************************************************************************/
li_createLoginAttempt($date, $ip);
/*******************************************************************************************************************
* NOT LOGGED IN: If SSL required and not using SSL, redirect to https
*******************************************************************************************************************/
if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
if (lg_debug) { $dbMsg .= "Not logged in: redirected to https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
header("Location: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination);
}
}
}else{
/*******************************************************************************************************************
* The form was posted, process the form
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "POST - Process fields <br />\n"; }
//checkToken();
$message = "";
$password = getField("password,safe");
$userid = getField("userid,safe");
$remember = getField("remember,alpha"); // Yes or empty
$destination = getField("destination,urlpath"); // saved final destination
if (lg_debug) { $dbMsg .= "POSTED password = ".$password." <br />\n"; }
if (lg_debug) { $dbMsg .= "POSTED userid = ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "POSTED remember = ".$remember." <br />\n"; }
if ($userid=="") {
$message .= lg_phrase_userid_empty . "<br />\n";
}else{
$useridValue = htmlentities($userid);
if (lg_debug) { $dbMsg .= "htmlentities userid = ".$useridValue." <br />\n"; }
}
if ($password=="") {
$message .= lg_phrase_password_empty . "<br />\n";
}
if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
if ($message=="") {
/*******************************************************************************************************************
* If all required fields exist, attempt to autenticate the credentials
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Looking up login details from database <br />\n"; }
li_getLoginDetails($userid, $dbResults);
$passhash = $dbResults["password"];
$name = $dbResults["name"];
$locked = (string) $dbResults["locked"];
if (lg_debug) { $dbMsg .= "Calculated Passhash = ".sha1($password . $userid)."<br />\n"; }
if (lg_debug) { $dbMsg .= "Database Passhash = ".$passhash." <br />\n"; }
if (lg_debug) { $dbMsg .= "Name = ".$name." <br />\n"; }
if (lg_debug) { $dbMsg .= "Locked = ".$locked." <br />\n"; }
if ($locked!="1") {
if (lg_debug) { $dbMsg .= "Account Not Locked <br />\n"; }
if ($passhash==sha1($password . $userid)) {
if (lg_debug) { $dbMsg .= "Passhash matches password <br />\n"; }
/*******************************************************************************************************************
* If credential are valid log the user in
*******************************************************************************************************************/
session_regenerate_id(true); // anti-session fixation
$_SESSION["login"]=true;
$_SESSION["userid"]=$userid;
$_SESSION["name"]=$name;
if (lg_debug) { $dbMsg .= "Session login set to True <br />\n"; }
if (lg_debug) { $dbMsg .= "Session userid set to ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "Session name set to ".$name." <br />\n"; }
/*******************************************************************************************************************
* If the user wishes to have authentication remembered, write the permanent cookies
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "lg_term_remember = ".lg_term_remember." <br />\n"; }
if (lg_debug) { $dbMsg .= "getField remember = ".getField("remember")." <br />\n"; }
if ((lg_term_remember) AND (getField("remember")=="Yes")) {
if (lg_debug) { $dbMsg .= "Setting cookie user <br />\n"; }
setcookie("user", $value, time()+31536000); // 1 Year
}
/*******************************************************************************************************************
* If we are logging user authentications, write to the logins table
*******************************************************************************************************************/
if (lg_log_logins) {
if (lg_debug) { $dbMsg .= "Logging the Login <br />\n"; }
if (lg_debug) { $dbMsg .= "date = ".$date." <br />\n"; }
if (lg_debug) { $dbMsg .= "userid = ".$userid." <br />\n"; }
if (lg_debug) { $dbMsg .= "ip = ".$ip." <br />\n"; }
if (lg_debug) { $dbMsg .= "useragent = ".$useragent." <br />\n"; }
li_logLogin($date,$userid,$ip,$useragent);
}
/*******************************************************************************************************************
* Delete the login attempt record
*******************************************************************************************************************/
li_deleteLoginAttempt($pIp, $pUserid);
/*******************************************************************************************************************
* Logged in, redirect
*******************************************************************************************************************/
if (lg_debug) { $dbMsg .= "Logged In::Redirect <br />\n"; }
if (lg_debug) { $dbMsg .= "Use SSL = ".lg_useSSL." <br />\n"; }
if (lg_debug) { $dbMsg .= "Server Port Secure = ".$_SERVER["SERVER_PORT_SECURE"]." <br />\n"; }
if ((lg_useSSL) && ($_SERVER["SERVER_PORT_SECURE"]=="0")) {
if (lg_debug) { $dbMsg .= "REDIRECTING TO: https://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
header("Location: https://" . lg_domain . lg_loginPath . $destination);
}else{
if (lg_debug) { $dbMsg .= "REDIRECTING TO: http://" . lg_domain . lg_loginPath . $lg_filename ."?p=". $destination." <br />\n"; }
header("Location: http://" . lg_domain . lg_loginPath . $destination);
}
}else{
$message = lg_phrase_login_error;
if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
}
}else{
$message = lg_phrase_login_error_token;
if (lg_debug) { $dbMsg .= "Message = ".$message." <br />\n"; }
}
}
if ($message!="") { // failed login attempt for one of several reasons.
if (lg_debug) { $dbMsg .= "getLoginAttemptRecord: IP = ".$ip." UserId = ".$userid." <br />\n"; }
li_getLoginAttemptRecord($ip, $userid, $dbResults);
$id = $dbResults["id"];
$laNumber = $dbResults["number"]+1;
if (lg_debug) { $dbMsg .= "ID = ".$id."<br />\n"; }
//if (lg_debug) { $dbMsg .= "db Number = ".$dbResults["number"]."<br />\n"; }
if (lg_debug) { $dbMsg .= "iaNumber = ". $laNumber ."<br />\n"; }
if ($laNumber >= lg_login_attempts) {
/*******************************************************************************************************************
* Lock the account and redirect to forbidden
*******************************************************************************************************************/
$locked = "1";
li_lockLoginAttemtpt($locked,$laNumber,$id);
if (lg_debug) { $dbMsg .= "Lock Login Attempt: ID = " . $id ." Number = ". $laNumber. " numAffected = ". $numAffected ."<br />\n"; }
if (!lg_debug) {
header("Location: http://". lg_domain . lg_forbidden);
exit();
}
}else{
/*******************************************************************************************************************
* Update the login attempt record
*******************************************************************************************************************/
li_updateLoginAttempt($userid, $laNumber, $date, $id);
if (lg_debug) { $dbMsg .= "Updated Login Attempt: ID = " . $id ." Number = ". $laNumber . " numAffected = ".$numAffected ."<br />\n"; }
//exit();
}
}
}
?>
$dbResults is a parameter to a database access layer function and is passed as an array parameter. It returns the query results as an array.
http://www.webloginproject.com/login-project/php/index.php has the latest code and all is working as it should. The page you keep posting is an include file, and in the above site it exists in the /login-project/php/iniclud
Go to http://code.google.com/p/loginsystem-rd/downloads/list and get "Latest PHP code 28 APR 2010." (the top in the list.)
Save your loginGlobals.php someplace safe before copying into the site these latest files. (Especially if you don't have an English loginGlobals.)
Been debugging all day with another user and feel comfortable that this code is good.
I'm waiting to here how it runs on Linix/Apache, and I know there is a problem with PHP on MACs that we do not have a work around for. PHP on the MAC is not reporting an important $_SERVER[] variable which is used on every page.
There was an error in the previous code which directly affected Linux. That was fixed.
Sundry other bugs have been squashed today.
If you are executing the login.php page you keep posting without it being called from a parent page you are going to get all kinds of errors. The one you report indicates to me that you are trying to execute the include file rather than calling it from a parent page. The include file must be included in another page in the parent folder along with 5 other include files. The parent page is also called login.php but it is in the /login-system/ folder, not the /login-system/include/ folder. When you report that a database function is undefined, that can only occur if you do not have the database.php include file being called. The attached file is the login.php file you should try to open in a browser, not the code you posted above.
Is this an internal machine or do you have a public link?
If you still have a problem with errors, upload your loginGlobals.php in a code attachment. Then in a second comment upload your parent login.php page, not the include login.php page you keep posting.
Rod
http://www.webloginproject.com/login-project/php/index.php has the latest code and all is working as it should. The page you keep posting is an include file, and in the above site it exists in the /login-project/php/iniclud
Go to http://code.google.com/p/loginsystem-rd/downloads/list and get "Latest PHP code 28 APR 2010." (the top in the list.)
Save your loginGlobals.php someplace safe before copying into the site these latest files. (Especially if you don't have an English loginGlobals.)
Been debugging all day with another user and feel comfortable that this code is good.
I'm waiting to here how it runs on Linix/Apache, and I know there is a problem with PHP on MACs that we do not have a work around for. PHP on the MAC is not reporting an important $_SERVER[] variable which is used on every page.
There was an error in the previous code which directly affected Linux. That was fixed.
Sundry other bugs have been squashed today.
If you are executing the login.php page you keep posting without it being called from a parent page you are going to get all kinds of errors. The one you report indicates to me that you are trying to execute the include file rather than calling it from a parent page. The include file must be included in another page in the parent folder along with 5 other include files. The parent page is also called login.php but it is in the /login-system/ folder, not the /login-system/include/ folder. When you report that a database function is undefined, that can only occur if you do not have the database.php include file being called. The attached file is the login.php file you should try to open in a browser, not the code you posted above.
Is this an internal machine or do you have a public link?
If you still have a problem with errors, upload your loginGlobals.php in a code attachment. Then in a second comment upload your parent login.php page, not the include login.php page you keep posting.
Rod
<?PHP
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
session_start();
}
include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php";
include "include/login.php";
// alpha 0.1b debug - 27 APR 2010
/* You should add
* header("Pragma: No-cache");
* header("Cache-control: No-cache");
* after all PHP generated output
*/
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title><?PHP echo lg_term_login; ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en-US" />
<meta name="language" content="en-US" />
<meta name="author" content="Roderick Divilbiss" />
<meta name="copyright" content="© 2010 EE Collaborative Login Project http://www.webloginproject.com" />
<style type="text/css">
#details { font-family:Courier New; font-size:10pt; border:1px solid #000000; padding:10px; background-color:#FFE2C6; }
#message { font-size:10pt; padding:10px; background-color:#FFFFCC; border:1px solid #000000; }
#warning { font-size:10pt; font-weight:bold; padding:10px; background-color:#FFFFCC; color:#FF0000; border:1px solid #FF0000; }
</style>
</head>
<body>
<?PHP include "include/login-markup.php"; ?>
<?PHP if (lg_debug) { echo "<p>". $dbMsg . "</p>"; } ?>
</body>
</html>
ASKER
Rod,
Thank you for your assistance, I promise not to load the include login.php page again:). The problem I was having was because, I stupidly thought I could replace the database.php with my connvars.php thinking it was just the database connection information. Yeah, I know, I didn't even look first. So I have corrected that and actually have a login page loading when I open my site. I am working on number one, any hint where to start on error number 2? Again, thank you for your time and patience.
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transc
Fatal error: Call to undefined function com_create_guid() in /home/content/t/r/a/transc
Thank you for your assistance, I promise not to load the include login.php page again:). The problem I was having was because, I stupidly thought I could replace the database.php with my connvars.php thinking it was just the database connection information. Yeah, I know, I didn't even look first. So I have corrected that and actually have a login page loading when I open my site. I am working on number one, any hint where to start on error number 2? Again, thank you for your time and patience.
Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/r/a/transc
Fatal error: Call to undefined function com_create_guid() in /home/content/t/r/a/transc
In the file: form_token.php you have called a function com_create_guid() which is not there in any of the include files, Just include the file where this function is defined.
Hope this helps
Hope this helps
ASKER
shinuq,
It is defined in "include/form_token.php" in line 8.
It is defined in "include/form_token.php" in line 8.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
getGUID() should be in generalPurpose.php in case you care. If it can not get a true GUID using com_create_guid(), it generates a pseudo random GUID.
Also the salt was corrected to be different for every domain, and the page was generally improved.
A potential headers already written error is now avoided as well.
Also the salt was corrected to be different for every domain, and the page was generally improved.
A potential headers already written error is now avoided as well.
ASKER
Thank you!
Well "true GUID" isn't a fair statement but the com_create_guid() is proven to be more random than the fall back.
ASKER
rdivilbiss,
I am working through some errors and went to the site http://code.google.com/p/loginsystem-rd/downloads/list to verify that I have the most updated code for the error I'm getting and I don't see an English PHP 0.1b? The download I have from Tues is ....PHP 0.1a? Thank you.
I am working through some errors and went to the site http://code.google.com/p/loginsystem-rd/downloads/list to verify that I have the most updated code for the error I'm getting and I don't see an English PHP 0.1b? The download I have from Tues is ....PHP 0.1a? Thank you.
It is there now: http://loginsystem-rd.googlecode.com/files/login-system_PHP_English_alpha_0.1b.zip (direct download link).
R
R
http://www.webloginproject.com/login-project/php/index.php
has the latest files loaded. Testing indicates no apparent bugs, but we will only know for sure as it is integrated into other websites.
has the latest files loaded. Testing indicates no apparent bugs, but we will only know for sure as it is integrated into other websites.
What is in authvars.php and connvars.php? On what you posted, nothing seems to indicate that you are being asked to authenticate more than once.