RE: Login and link back...

Have you thought about using BASIC AUTH in Apache? That way, you don't even
need to build a login page, just authenticate each page. Here's what we use:

Note that some of the functions used in this script are not included, and
need to be commented out or a function written for them. It's rather
self-explanatory.

We also create a .htaccess file with all the username/passwords in a central
location. You'll need to modify your httpd.conf file to look in that central
location for all the pages.


## Function:   check_auth()
## Description:   Checks authentication against the mysql user info database and
##    verifies the password.  This function is absolutely critical.
##    If it's not right, you could be letting people into the website
##    unintentionally.  Always make sure that login failure occurs
##    unless you have a positive ID!!!
##    Additionally it determines if the user has read and digitally accepted
##    IEI's liability statement by calling liability_statement_check().
## Arguments:  none
## Returns: success-> returns true
##    failure-> exits via auth_header()
function check_auth() {
   global $conn_id,$PHP_AUTH_REALM,$REQUEST_URI,$sid;
   global $WEBUSER_TABLE,$WEBAUTH_TABLE;

   # register_globals is gone from current PHP, so take the Basic Auth
   # credentials and the redirect flag from the superglobals
   $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
   $PHP_AUTH_PW   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
   $redirect      = isset($_GET['redirect']) ? $_GET['redirect'] : '';

   # The only way out of this function is:
   # 1) A recursive call to auth_header()
   # 2) A TRUE return to the caller

   # Is USER and PASS set?
   if( !isset($PHP_AUTH_USER) || !isset($PHP_AUTH_PW)) {
      if ($redirect=='y'){
         log_it(LOG_DEBUG,"caught redirect");
         auth_header($PHP_AUTH_REALM);
      } else {
         log_it(LOG_DEBUG,"redirecting");
         Header("Location: /index.php?redirect=y");
         exit();
      }
   }

   # Does USER have trailing whitespace? BAD MYSQL!!!!!
   # (ereg() was removed from PHP; preg_match() is the replacement)
   if (preg_match('/ +$/',$PHP_AUTH_USER)){
      auth_header($PHP_AUTH_REALM);
   }

   # Escape the values before they go into the SQL text, so quote characters
   # in the login cannot change the query (assumes $conn_id is a mysqli link;
   # get_row() is one of the helpers not included here)
   $user_sql = mysqli_real_escape_string($conn_id,$PHP_AUTH_USER);
   $pass_sql = mysqli_real_escape_string($conn_id,$PHP_AUTH_PW);

   # Is USER known to the system?
   $sql = "SELECT * FROM $WEBUSER_TABLE WHERE web_user_id='$user_sql' AND web_password='$pass_sql'";
   $row = get_row($conn_id,$sql);
   if($row && is_array($row)) {

      # Yes, so...

      # See if they've been disabled
      if($row['web_access_level'] == 'D'){
         ## Start the Auth over again
         ## auth_header($PHP_AUTH_REALM);
         ## include('/error_disabled.php');
         Header("Location: /error_disabled.php");
         exit();
      }

      # Check logged_in state
      $sql = "SELECT logged_in FROM $WEBAUTH_TABLE WHERE web_user_id='$user_sql'";
      $row = get_row($conn_id,$sql);
      if(!$row  || !is_array($row)) {

         # First time login for USER, let him through
         authorize_user($PHP_AUTH_USER);
         return(TRUE);

      } else {

         # RETURN POINT FROM FUNCTION
         # USER's logged_in status is something other than 'N' which is acceptable
         # for access
         if ($row['logged_in'] != 'Y'){
            update_logged_in_status($PHP_AUTH_USER,'Y');
            if ($redirect!='y') auth_header($PHP_AUTH_REALM);
         } else {
            log_it(LOG_INFO,"checkauth() SUCCESS: user=$PHP_AUTH_USER pass=NO-SOUP-FOR-YOU-TOO");
            # update_logged_in_status($PHP_AUTH_USER,'Y');
         }
      }

      liability_statement_check();
      return(TRUE);

   } else {

      # USER NOT KNOWN
      auth_header($PHP_AUTH_REALM);

   }

}

Gary Every
Sr. UNIX Administrator
Ingram Entertainment
(615) 287-4876
"Pay It Forward"
mailto:gary.every@ingramentertainment.com
http://accessingram.com
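
An added example, not part of the original message or the poster's code: the same "deny unless positively identified" check written with a bound query parameter and a hashed password. The table and column names follow the post; web_password_hash, check_credentials() and the sample rows are assumptions made for this sketch.

```php
<?php
// Added example. web_password_hash is a hypothetical column that stores
// password_hash() output instead of the plain web_password value.

// Returns the user row on a positive match, null in every other case
// (missing input, padded user name, unknown user, wrong password, disabled).
function check_credentials(PDO $db, ?string $user, ?string $pass): ?array {
    if ($user === null || $pass === null || $user === '' || $user !== rtrim($user)) {
        return null;                 // fail closed; covers the trailing-space case
    }
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT web_user_id, web_password_hash, web_access_level
           FROM web_users WHERE web_user_id = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['web_password_hash'])) {
        return null;
    }
    return $row['web_access_level'] === 'D' ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE web_users (web_user_id TEXT PRIMARY KEY,
           web_password_hash TEXT, web_access_level TEXT)');
$ins = $db->prepare('INSERT INTO web_users VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'U']);
$ins->execute(['bob',   password_hash('hunter2', PASSWORD_DEFAULT),       'D']);

$attempts = [
    ['alice', 'correct horse'],   // valid login
    ['alice', 'wrong'],           // wrong password
    ["o'brien", 'x'],             // a quote in the name is plain data to the query
    ['alice ', 'correct horse'],  // trailing whitespace
    ['bob', 'hunter2'],           // disabled account
    [null, null],                 // browser sent no credentials yet
];
foreach ($attempts as [$u, $p]) {
    $verdict = check_credentials($db, $u, $p) ? 'ALLOW' : 'DENY';
    printf("%-10s %s\n", json_encode($u), $verdict);
}
```

In a page guard, pass `$_SERVER['PHP_AUTH_USER'] ?? null` and `$_SERVER['PHP_AUTH_PW'] ?? null`, and answer a null result with a 401 status and a `WWW-Authenticate: Basic` header.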


> -----Original Message-----
> From: NIPP, SCOTT V (SBCSI) [mailto:sn4265@sbc.com]
> Sent: Wednesday, March 19, 2003 10:39 AM
> To: 'php-db@lists.php.net'
> Subject:  Login and link back...
> 
> 
> 	I am curious about what you guys may have along the lines of best
> practices for forwarding from a URL to a login, and then jumping back to the
> original URL automatically.  I have several separate applications that all
> need to utilize the same login mechanism.  I want the user to be able to
> enter the URL for the application and if they are not logged in it redirects
> them to a login screen.  I already have the sessions junk setup and
> understand all of that portion.  I am mainly interested in how people are
> handling the return to a URL after successful login.
> 	I have done some research on this, and discovered the $HTTP_REFERER
> variable however the PHP site discourages using this.  I have also thought
> of adding code to each page to export an "origin" variable to be passed to
> the login page such that it can be used to return the user.  I thought of
> this method, but I am not real clear on how to manage this.  Does anyone
> have any suggestion on implementing this, or another alternative that I have
> not touched on yet?  Thanks in advance.
> 
> Scott Nipp
> Phone:  (214) 858-1289
> E-mail:  sn4265@sbc.com
> Web:  http:\\ldsa.sbcld.sbc.com
> 
> 
> 
> -- 
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
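
An added example, not part of the thread: one way to carry the "origin" value from the question to a login page and back while accepting only paths on the same site. The names safe_return_path(), login_redirect_url(), /login.php and the sample values are assumptions made for this sketch.

```php
<?php
// Added example. "origin" is the parameter name from the question; the
// function names, /login.php and the fallback page are hypothetical.

// Accept only a same-site absolute path; anything else becomes $default.
function safe_return_path(?string $origin, string $default = '/index.php'): string {
    if ($origin === null || $origin === '' || strlen($origin) > 2048) {
        return $default;
    }
    // Must begin with exactly one "/": a leading "//" names another host.
    if ($origin[0] !== '/' || (isset($origin[1]) && $origin[1] === '/')) {
        return $default;
    }
    // No control characters (would split the Location header) and no
    // backslashes (some browsers treat them as forward slashes).
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $origin)) {
        return $default;
    }
    $parts = parse_url($origin);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $origin;
}

// Protected page: send the visitor to the login form with the path they asked for.
function login_redirect_url(string $requestUri): string {
    return '/login.php?origin=' . rawurlencode($requestUri);
}

// Constructed sample values for the "origin" parameter.
$samples = [
    '/reports/view.php?id=7',      // kept as is
    'https://elsewhere.example/',  // absolute URL        -> default
    '//elsewhere.example/x',       // protocol-relative   -> default
    "/ok\r\nX-Injected: 1",        // CR/LF in the value  -> default
    'reports/view.php',            // not an absolute path -> default
    null,                          // parameter missing    -> default
];
foreach ($samples as $s) {
    printf("%-30s -> %s\n", json_encode($s), safe_return_path($s));
}
echo login_redirect_url('/reports/view.php?id=7'), "\n";
// After a successful login the handler would finish with:
//   header('Location: ' . safe_return_path($_GET['origin'] ?? null)); exit;
```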
