Re: User authentication and redirect

Ahmed Saad wrote:

hi Vinny,

On 7/13/05, Vinny Lape <vinny@xxxxxxxxxxxxxxxxxx> wrote:
If user validates then look at db entry location then redirect to
mydomain.com/"location"/index.php

I don't think it's a good idea. What if the user bookmarked or took
down a note with the URL to your "secured" page
(mydomain.com/location/index.php)? Then he would just type the URL,
heading directly for it and bypassing your login page! I think you might
want to put the user authorization code in your index PHP, or even
better put it in a file and require() that file at the top of any
page you want to protect. You can either use sessions or plain HTTP
authentication (which is not a very good idea).

-ahmed

Perhaps if I had read the original message more carefully...
Here are some functions for session-based authentication that I use for one of my projects... they probably aren't as secure as they could be, I'm relatively new to scripting languages.

<?php
#this file should be in the include directory (include_path from php.ini), or the same directory as the scripts which include it.
#be sure to check file permissions if it doesn't work correctly!
#This script assumes a database named DATABASE, and that user data is stored in a table called users, with (at least) fields user, password, and email. The password column must be CHAR(32) type to accept the encrypted pwd.
#Thomas Dodson   tomd@xxxxxxx   24 May 2005

function db_connect()
{
    #connect to MySQL
    $link = mysql_connect('HOST', 'USER', 'PWD') or die('Could not connect: ' . mysql_error());
    #select database
    mysql_select_db('DATABASE', $link) or die('Could not select database');

    return $link;
}

function encrypt($string) #hash then encrypt a string. the password column in the db must be CHAR(32) type
{
    #note: an md5 hex string does not begin with a "$1$"-style salt prefix, so crypt() falls back to
    #traditional DES crypt, which only looks at the first 8 characters of its input and 2 characters of the salt
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}

#this logs in the user by checking the name and pwd against the database. it returns true and writes the
#proper session variables if the user/pwd combo matches, otherwise it returns false. do NOT use this script
#to check the session variables for authorization, i wrote login_check() to do that.
function login($user, $password)
{
    $auth = false;

    $link = db_connect();
    #escape the user-supplied name so it cannot alter the query
    $safe_user = mysql_real_escape_string($user, $link);
    $result = mysql_query("SELECT password FROM users WHERE user = '$safe_user'", $link);
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    mysql_free_result($result);
    mysql_close($link);

    if ($row === false) #no such user
    {
        return $auth;
    }
    $pass = $row['password'];

    if ($pass === encrypt($password))
    {
        session_start();
        $_SESSION['userid'] = $user;
        $_SESSION['pwd'] = $pass;
        $auth = true;
    }
    return $auth;
}

#this checks to make sure a user is logged in. if the user/pwd combo in the session var matches
#the table entry, it returns true, otherwise it returns false. it does NOT write any session variables,
#so use this script and NOT login() to check authorization.
#call it after session_start() as login_check($_SESSION['userid'], $_SESSION['pwd'])
function login_check($user, $password)
{
    $auth = false;
    if (!$user || !$password)
    {
        return $auth;
    }

    $link = db_connect();
    $safe_user = mysql_real_escape_string($user, $link);
    $result = mysql_query("SELECT password FROM users WHERE user = '$safe_user'", $link);
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    mysql_free_result($result);
    mysql_close($link);

    if ($row !== false && $row['password'] === $password)
    {
        $auth = true;
    }
    return $auth;
}

#adds a datestamp and writes to logfile in /var/log. the owner of the file SL.log must be the same as
#the user running the apache process (usually www-data)
function write_log($string)
{
    $string = ' ' . $string . "\n";
    $filehandle = fopen('/var/log/SL.log', 'a');
    if ($filehandle === false) #could not open the log: check ownership and permissions
    {
        return false;
    }
    fwrite($filehandle, date('d M H:i:s')); #write date in format: 01 Jun 23:01:01
    fwrite($filehandle, $string); #write log entry
    fclose($filehandle);
    return true;
}

function calcElapsedTime($time) #returns the time elapsed since the unix timestamp $time as a readable string
{
    $diff = time() - $time;
    $daysDiff = 0;
    $hrsDiff = 0;
    $minsDiff = 0;
    $secsDiff = 0;
    $sec_in_a_day = 60*60*24;

    while ($diff >= $sec_in_a_day)
    {
        $daysDiff++;
        $diff -= $sec_in_a_day;
    }

    $sec_in_an_hour = 60*60;
    while ($diff >= $sec_in_an_hour)
    {
        $hrsDiff++;
        $diff -= $sec_in_an_hour;
    }

    $sec_in_a_min = 60;
    while ($diff >= $sec_in_a_min)
    {
        $minsDiff++;
        $diff -= $sec_in_a_min;
    }

    $secsDiff = $diff;

    #days and hours are included as well, so long timings are not silently truncated
    return ($daysDiff . ' day' . (($daysDiff <> 1) ? 's' : '') . ', '
          . $hrsDiff . ' hour' . (($hrsDiff <> 1) ? 's' : '') . ', '
          . $minsDiff . ' minute' . (($minsDiff <> 1) ? 's' : '') . ', '
          . $secsDiff . ' second' . (($secsDiff <> 1) ? 's' : ''));
}

/*
#usage: this code goes before whatever you want to time
    $date = getdate();
    $hrs = $date['hours'];
    $min = $date['minutes'];
    $sec = $date['seconds'];
    $mon = $date['mon'];
    $day = $date['mday'];
    $yr = $date['year'];

#and this code goes after it
    $elap_time = calcElapsedTime(mktime($hrs, $min, $sec, $mon, $day, $yr));
*/
?>

--
Thomas Dodson
Programmer, Bioinformatics
S-327 Ag. Science North
Department of Entomology
University of Kentucky
Lexington, KY 40546-0091
Phone (859) 257-3169
Fax (859) 323-1120
Cell: (859) 420-1696
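A hardened version of the same session-based scheme, written as an added example for this thread (not Thomas's or Ahmed's code): it is the require()-at-the-top guard Ahmed describes, with a parameterised lookup and a salted password hash in place of the string-built query and md5/crypt pair above. It assumes modern PHP with PDO, placeholder DSN credentials, and a users table whose password column holds password_hash() output.

```php
<?php
// auth.php: require() this at the top of every protected page (added example, not from the thread).
// Assumptions: PDO with MySQL, placeholder DSN/credentials, a users table with columns
// user (VARCHAR) and password (VARCHAR(255) holding password_hash() output).

function db_connect(): PDO
{
    return new PDO('mysql:host=HOST;dbname=DATABASE;charset=utf8mb4', 'USER', 'PWD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]);
}

// Store a salted, slow hash at registration; never store or compare the raw password.
function create_user(string $user, string $password): void
{
    $stmt = db_connect()->prepare('INSERT INTO users (user, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

// Check credentials once, on the login form. The name is bound, never interpolated into SQL.
function login(string $user, string $password): bool
{
    $stmt = db_connect()->prepare('SELECT password FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // fresh id after login defeats session fixation
    $_SESSION['userid']   = $user;          // server-side state only: no hash kept in the session
    $_SESSION['login_at'] = time();
    return true;
}

// Authorization check for every protected page; the session, not the URL, is the proof of login.
function login_check(): bool
{
    return isset($_SESSION['userid'], $_SESSION['login_at'])
        && (time() - $_SESSION['login_at']) < 8 * 3600; // 8-hour session lifetime
}

session_start();
// Typing mydomain.com/location/index.php directly still runs this guard, so the
// redirect after login is a convenience, not the access control.
if (!login_check() && basename($_SERVER['SCRIPT_NAME']) !== 'login.php') {
    header('Location: /login.php');
    exit;
}
```

login.php calls login() with the submitted form values and redirects on success; every other page simply starts with require 'auth.php'.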

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php