Authorize + PHP + MYSQL

l_o_r_d

I need:

users loging from form;
username & passwords in MYSQL;
if users try to access on sequred page they are redirect on loging form;

I try mod_auth_mysql - worked but not correctly.
I try to manual setup $PHP_AUTH_USER/PW - don't work.

Any Idea?

Anon

If your users use a form to login you cant use eather.

The only way to check if they are logged in or not is to set a cookie, or open a session.

Torty

sveinhal

Or, if you donæt want to use cookies, and don't have php4 (read: the ability to use sessions), one could save the remote ip-address in a field in the users database along with a timeout-value. Then to check if someone is logged in, check if their ip is in the database, and if the timout has not been reached. If both these conditions are true, continue to load the page. If not, redirect the browser to some login-page. This login page, looks up the given username, and compares the given password with the stored one. If they match, save ip and a timeout value, ie 30 mins into the future.
Also in the ip-validation, you should update the timeout-value, so that the user wouldn't need to log on after 30 mins (or whatever value set) if he/she is active.

The problem is that someone using the same machine afterwards, would be recognized as the previous user, and could possibly access this users information.
This could be solved by creating a logout-script that sets the ip to NULL. Another solution is to set a reasonable timeout-value.

This problem, however, would also be present in the cookie approach.

Hope this helps.

Svein Halvor Halvorsen

Anon

Why can you not get $PHP_AUTH_USER and $PHP_AUTH_PW to work. I use them on one site I wrote and they seem to work OK.

Here is the gist of what I did

For each page that must be accessed only by authenticated users I incorporate the following code:-

if (!isset($PHP_AUTH_USER))
{
    header('WWW-Authenticate: Basic realm="Members Login"');
    header('HTTP/1.0 401 Unauthorized');
    fncDisplayLoginError();
    exit;

}

else
{

Authenticated user/password supplied so validate them against the database

l_o_r_d · 2001-02-05T12:08:35+00:00

I need: users loging from form; username & passwords in MYSQL; if users try to access on sequred page they are redirect on loging form; I try mod_auth...

    $locQuery = "SELECT mem_username " .
                  "FROM members " .
                 "WHERE mem_username = '" . $PHP_AUTH_USER . "' " .
                   "AND mem_password = '" . $PHP_AUTH_PW . "'";

    $locResult = mysql_query ($locQuery);

    if (!$locResult)
    {
        fncDisplayDbError();

    }

If username/password supplied are invalid send authentication header again (after three attempts failure

message will be displayed)

    if (mysql_num_rows ($locResult) == 0)
    {
        header('WWW-Authenticate: Basic realm="Members Login"');
        header('HTTP/1.0 401 Unauthorized');
        fncDisplayLoginError();
        exit;
    }

    else

If user authenticated output page content

{

         Normal page content here
         .
         .
         .

This works for me OK the only caveat being that all the authenticating scripts must be in the same directory otherwise sometimes a page thinks it is not authenticated when it is (PHP bug I think).

I hope this helps. If I have missed your point I am sorry.

Regards,

Chris.