Smart Folk,
I am all about learning best practices, so I was wondering if some of you php gurus would take a look at this code and tell me what you think.
My main question is if I am handling sessions in the best possible fashion. The following code is used for user authentication and access rights. This works on my live production machine using PHP 4.0.6, but on my development machine running PHP 4.1.0 the script keeps returning me back to my login page from successful_login.php via authorize.php. For some reason it does not recognize that a session has been started, and it keeps starting a new session and shooting me back to login.
I'll give a brief synopsis of how the code works (I'm sure it's painfully obvious, but just in case).
User comes to the login page and encounters a form asking for username and password. When submit is clicked, the user is directed to the validation script (validate_login.php). The validation script matches username/password against database, if it checks out, session variables are set to contain user info, and the user is sent to the successful login page (successful_login.php). Otherwise, the user is sent back to the login page with a nice little error message in tow.
At the successful login page, authorization is checked to ensure that some schmuck didn't just happen to wander in on this page. If authorization is set, the user is allowed to continue navigation through the application. Otherwise, the user is sent back to the login page with (again) a nice little error message in tow.
I don't understand why this would work on my production server, and not my development server, but it may have something to do with how php is loaded in the webserver, or the php.ini. My development machine is running IIS and my production machine is running APACHE.
I have security in mind for this application, so I want to make sure that no one could fake a variable in the url and come into the site.
So what do you think? Am I on the right page? Is there something I could be doing better? I appreciate any help you people can give me.
Thanks,
Bernie
---- BEGIN VALIDATE_LOGIN.PHP ----
<?php
// Registers $var in the session (PHP 4 style) and sets its value. The value is
// also written into $HTTP_SESSION_VARS so that authorize.php, which is included
// later in this same request, can see it: $HTTP_SESSION_VARS is only filled from
// the saved session data at session_start(), not by session_register().
function session_var_init($var, $val) {
    if (!session_is_registered($var)) {
        session_register($var);
    }
    // set the value even if the name was already registered, so a re-login
    // does not keep the previous user's values
    $GLOBALS[$var] = $val;
    $GLOBALS['HTTP_SESSION_VARS'][$var] = $val;
}
//include database connection functions (expected to set $link)
include 'includes/cea/database/database_connect.inc';
// $USER_NAME and $PASSWORD arrive from the login form via register_globals;
// escape them so quotes in the input cannot change the meaning of the query
$USER_NAME = mysql_escape_string($USER_NAME);
$PASSWORD  = mysql_escape_string($PASSWORD);
// begin query for user
$query = "SELECT * FROM cea_users WHERE cea_username='" . $USER_NAME . "' AND cea_password='" . $PASSWORD . "'";
$result = mysql_query($query, $link);
$num_rows = mysql_num_rows($result);
// if number of rows returned equals 0 then shoot error message and return to login.
if ($num_rows == 0) {
    $error_message = "Unable to login. Please check your username and password, and try again.";
    include 'www/cea/login.php';
} else {
    //get array of results
    $row = mysql_fetch_assoc($result);
    //register session and session variables (before any output is sent)
    session_start();
    session_var_init('cea_username', $row['cea_username']);
    session_var_init('cea_first_name', $row['cea_first_name']);
    session_var_init('cea_last_name', $row['cea_last_name']);
    session_var_init('cea_admin', $row['cea_admin']);
    session_var_init('cea_super', $row['cea_super']);
    session_var_init('cea_god', $row['cea_god']);
    session_var_init('session_authorized', 'Y');
    //goto successful_login screen
    include 'www/cea/successful_login.php';
}
//free result
mysql_free_result($result);
//close connection
mysql_close($link);
?>
---- END VALIDATE_LOGIN.PHP ----
---- BEGIN AUTHORIZE.PHP ----
<?php
// Only server-side session state is checked here: unlike a register_globals
// variable, a value faked in the URL never ends up in $HTTP_SESSION_VARS.
if (!IsSet($HTTP_SESSION_VARS['session_authorized'])) {
    header("Location: http://192.168.0.2/cea/login.php?error_message=You%20are%20not%20authorized!");
    exit;
}
?>
---- END AUTHORIZE.PHP ----
---- BEGIN SUCCESSFUL_LOGIN.PHP ----
<?php
$page_title='Success';
session_start();
include "www/cea/secure/authorize.php";
include "www/cea/wrapper/right_frame_box_header.php";
// read the name from the session array rather than a register_globals copy,
// and escape it before echoing it into the HTML
$cea_first_name = htmlspecialchars($HTTP_SESSION_VARS['cea_first_name']);
?>
<!--- BEGIN CONTENT WINDOW --->
<br><br><div class="text_box_greeting">Welcome back <?php echo $cea_first_name;?><br><br><a href="/cea/secure/index.php" target="_parent">CLICK HERE TO CONTINUE</a></div>
<!--- END CONTENT WINDOW --->
<!--- INCLUDE THE FOOTER --->
<?php include "www/cea/wrapper/right_frame_box_footer.php"; ?>
---- END SUCCESSFUL_LOGIN.PHP ----
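The same login/authorize flow, written as an added example (not Bernie's code) for current PHP without register_globals: the session array is the only place the authorization flag lives, the username goes into the query through a placeholder rather than string concatenation, the password is checked against a stored hash, and the session id is regenerated on login. It assumes a mysqli connection $db from database_connect.inc (built with mysqlnd, for get_result), and that cea_password holds a password_hash() value instead of plaintext.

```php
<?php
// Added example, not the original post's code. Assumes $db is a mysqli
// connection and cea_users.cea_password stores a password_hash() result.

function login_user(mysqli $db, string $username, string $password): bool
{
    // The submitted username never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT cea_username, cea_first_name, cea_last_name, cea_admin,
                cea_super, cea_god, cea_password
         FROM cea_users WHERE cea_username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // One failure path for "no such user" and "wrong password".
    if ($row === null || !password_verify($password, $row['cea_password'])) {
        return false;
    }

    // Fresh session id on privilege change, so a pre-login id is not reused.
    session_regenerate_id(true);
    unset($row['cea_password']);
    foreach ($row as $key => $value) {
        $_SESSION[$key] = $value;
    }
    $_SESSION['session_authorized'] = 'Y';
    return true;
}

// Replacement for authorize.php: trusts only server-side session state;
// nothing in the URL or the POST body can set session_authorized.
function require_authorized(string $login_url): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['session_authorized'] ?? '') !== 'Y') {
        header('Location: ' . $login_url . '?error_message='
            . rawurlencode('You are not authorized!'));
        exit;
    }
}

// validate_login.php, after session_start(): on success redirect with
// header('Location: /cea/successful_login.php') instead of include, so the
// success page runs in its own request with the session already saved;
// successful_login.php then echoes htmlspecialchars($_SESSION['cea_first_name']).
```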