Output a file and authenticate a user

mikecurtin

Hi,
I have a site that allows users to download files. I want to control this download by outputing the file using

header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=text.csv");
header("Pragma:no-cache");
header("Expires:0");
...

The problem is that I also have a bit of code that authenticates the user before he downloads the file. It is based on sessions. My "checkLogin.php" file is included before these lines in the download script. Thus the session_start() command in checkLogin.php totally screws up the file download.

How do I get around this? I want to continue to use sessions to authenticate the user but I then want to send the file using the code above.

Thanks.
Mike

phpmaven

Can you elaborate on what you mean by "screws up the file download"? I have several pages that use sessions and also use the header() function with no problem.

mikecurtin

Any number of bad things happen. Either the file gets displayed in the browser window or IE sends an error message saying the file can't be downloaded or it only downloads a few bytes of gobbledygook.

My "checkLogin.php" code appears below. Thanks for the help.

<?
session_start();

//If user has posted username & password, destroy previously-existing session credentials
//and load username & password with passed data.
if (isset($_POST["username"])&&isset($_POST["password"]))
{
     $username = $_POST['username'];
     $password = $_POST['password'];
	 unset($_SESSION['authenticatedUser']);
	 unset($_SESSION['authenticatedPassword']);
}

//If session credentials are set, put them into $username & $password.
if (isset($_SESSION['authenticatedUser'])&&isset($_SESSION['authenticatedPwd']))
{
     $username = $_SESSION['authenticatedUser'];
	 $password = $_SESSION['authenticatedPwd'];

}else{
     //User is not logged in yet.  Use LDAP to authenticate using $username and $password
	 //If no data has been passed, they will be empty and the bind will fail.  Present login
	 //screen.
     if ($logonMode != "debug")
	 {
	 $ldapconn = ldap_connect($ldapAddr)
        or die("Could not connect to LDAP server.");
     //error_reporting(0);
     $ldap = ldap_bind($ldapconn, "cn=$username,o=fp", $password);
     }else{
	    $ldap = "hi";
	 }
     if(!$ldap||$username==""||$password=="")	
     {
       session_destroy() ;

  ?>
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
	<html>
	<head>
	<META HTTP-EQUIV="Expires" CONTENT="Fri, Jan 01 1900 00:00:00 GMT">
	<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
	<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
	<META http-equiv="Content-Type" content="text/html; charset=windows-1251">
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
	<meta http-equiv="content-language" content="en">
	<meta name="author" content="">
	<META HTTP-EQUIV="Reply-to" CONTENT="@.com">
	<meta name="generator" content="PHPEd 1.80">
	<META NAME="description" CONTENT="">
	<meta name="keywords" content="">
	<META NAME="Creation_Date" CONTENT="08/15/2000">
	<meta name="revisit-after" content="15 days">
      <title>RamLab Login</title>

	</head>
	<body>
	<BR><BR>
	<FORM  action="<?=$PHP_SELF?>" method="POST">
	<table class='main_tiny' align='center' cellspacing='0' cellpadding='5'>
	<TR class='main_table_title'><TD COLSPAN='2'>Log in to RamLab</TD></TR>
	<TR class='list'>
	<TD>Username:</TD><TD><INPUT size='20' TYPE="TEXT"  name="username"></TD></TR>
	<TR class='list'><TD>Password:</TD><TD> <INPUT TYPE="PASSWORD" size='20'  name="password"></TD></TR>
	<TR class='main_table_bottom'><TD COLSPAN='2' ALIGN='center'>
	<INPUT TYPE="SUBMIT" CLASS='submit_button' name="submit" value="Log In"></TD></TR>
	</TABLE>

	</FORM>
	</body>
	</html>
<?
exit;
 }
}

//If user is authenticated, check to see if his session dataset is complete.
//If not, it will be drawn from the ramlab database.
if (!isset($_SESSION["status"])||!isset($_SESSION["userLevel"])||!isset($_SESSION["userTID"])
	||!isset($_SESSION["userFirstname"])||!isset($_SESSION["userLastname"])||!isset($_SESSION["userDept"]))  

	{
	  $host = "localhost";
      $dbuser = "root";
      $dbpassword = "capecod";
      $db = "ramlab";
      $link_id = mysql_connect($host,$dbuser,$dbpassword);
      $dbconnect = mysql_select_db($db, $link_id);    

      $query = "select username, password, firstname, lastname, tid, active, userLevel, dept from teachers where username=\"$username\"";
      $result = mysql_query ($query, $link_id);
	  $data = mysql_fetch_array($result);

  //If user has authenticated but he does not exist in ramlab, kill the session.
  if (mysql_num_rows($result)==0)
     kill();

  //If user has authenticated but he is inactive in ramlab, kill the session.
  if ($data["active"]=="false")
     kill();
  else
     $_SESSION["status"]=$data["active"];
  $_SESSION["userLevel"]=$data["userLevel"];
  $_SESSION["userTID"]=$data["tid"];
  $_SESSION["userFirstname"]=$data["firstname"];
  $_SESSION["userLastname"]=$data["lastname"];
  $_SESSION["userDept"]=$data["dept"];

}

  //$status = $data["active"];

  //Put session data into variables that will be passed to remainder to script.
  $userLevel = $_SESSION["userLevel"];
  $userTID = $_SESSION["userTID"];
  $userFirstname = $_SESSION["userFirstname"];
  $userLastname = $_SESSION["userLastname"];
  $userDept = $_SESSION["userDept"];
  $_SESSION['authenticatedUser'] = $username;
  $_SESSION['authenticatedPwd'] = $password;
  $authenticatedUser = $username;

function kill()
{
     session_destroy() ;
     echo "<SCRIPT LANGUAGE='JAVASCRIPT' TYPE='TEXT/JAVASCRIPT'>";
     echo "window.location = 'teacherlist.php'";
     echo "</SCRIPT>";
	 exit;

}

?>