orielly login example

chaq

Hope everyone is doing well. I'm new to this forum and relatively new to php coding.

I follow an orielly book example on creating a log in app. It works but has a bug. Sometimes when I log in the form doesn't seem to submit properly...it just returns the empty form. But if I refresh the page it usually logs me in. then I have a link to a "protected" page and again when I sometimes hit the link, it might just show the original page I'm on. But w/ a refresh hit, it then takes me to that page, or it could take me to the empty login form, but again if I hit "refresh", I might then be in me desired page.

It's way too unstable to use but I can't figure out what's going wrong. Code seems pretty straight forward.

http://www.ncsu.edu/navy_rotc/php-orielly-ncsu/example.9-8.php

username: demo password:demo

Any help would be greatly appreciated.

Luis

stolzyboy

yep, it sure is unstable, maybe post the code example and we'll take a look...

chaq

Here's the code...did you have the same 'bug'?

 
    <form method="POST" action="example.9-9.php">

  <?php 
  // Include the formatted error message

  if (isset($errorMessage))
    echo 
      "<h3><font color=red>$errorMessage</font></h3>";

  // Generate the login <form> layout
  ?>
    <table>
      <tr><td>Enter your user-name:</td>
          <td><input type="text" size=10 
                   maxlength=10 
                   name="formUsername"></td></tr>     

      <tr><td>Enter your password:</td>
          <td><input type="password" size=10 
                   maxlength=10
                   name="formPassword"></td></tr>
    </table>
    <p><input type="submit" value="Log in">
    </form>
  </body>
  </html>
  <?php

}

//
// Function that returns HTML page showing that 
// the user with the $currentLoginName is logged on
//
function logged_on_page($currentLoginName)
{

  // Generate the page that shows the user 
  // is already authenticated and authorized
  ?>

<!DOCTYPE HTML PUBLIC 
      "-//W3C//DTD HTML 4.0 Transitional//EN"
      "http://www.w3.org/TR/html4/loose.dtd" >
  <html>
  <head>
     <title>Navy ROTC Logged In</title>
	 <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
  </head>
  <body>
    <h2>Navy ROTC</h2>
    <h2>You are currently logged in as 
        <?php echo $currentLoginName; ?></h2><br>

	<a href="authTest-chp9.php">authorized test?!?</a><br>
<img src="../images/wolf.gif" alt="wolf" width="40" height="77"><br>

<a href="example.9-10.php">Logout</a>
  </body>
  </html>
  <?php
}

// Main
session_start();

// Check if we have established a session
if (isset($HTTP_SESSION_VARS["authenticatedUser"]))
{
  // There is a user logged on
  logged_on_page(
          $HTTP_SESSION_VARS["authenticatedUser"]);
}
else
{
  // No session established, no POST variables 
  // display the login form + any error message
  login_page($HTTP_SESSION_VARS["loginMessage"]);

  session_destroy();
}
?>

here's example.9-9.php's code:

<?php
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache"); 
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
/* Date in the past*/
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 
/* always modified*/
header("Cache-Control: no-cache, no-store, must-revalidate");
/* HTTP/1.1 read*/
header("Cache-Control: post-check=0, pre-check=0", false);

include '####.inc'; //db file
include '####.inc';//db file

function authenticateUser($connection, 
                          $username,
                          $password)
{
  // Test that the username and password 
  // are both set and return false if not
  if (!isset($username) || !isset($password))
    return false;

  // Get the two character salt from the username
  $salt = substr($username, 0, 2); 

  // Encrypt the password
  //$crypted_password = crypt($password, $salt); 
  $crypted_password = $password; 

  // Formulate the SQL query find the user
  $query = "SELECT password FROM phpOriellyusers 
               WHERE user_name = '$username'
               AND password = '$crypted_password'";

  // Execute the query
  $result = @ mysql_query ($query,
                           $connection)
  or showerror();

  // exactly one row? then we have found the user
  if (mysql_num_rows($result) != 1) 
    return false;
  else
    return true;

}


// Main ----------

  session_start();

  $authenticated = false;

  // Clean the data collected from the user
  $appUsername = 
    clean($HTTP_POST_VARS["formUsername"], 10);
  $appPassword = 
    clean($HTTP_POST_VARS["formPassword"], 15);

  // Connect to the MySQL server
  //$connection = @ mysql_connect($hostName,
  $connection =  mysql_connect($hostName,
                                $username,
                                $password) 
  or die("Cannot connect");

  if (!mysql_selectdb($databaseName, $connection))
     showerror();

  $authenticated = authenticateUser($connection,
                                    $appUsername,
                                    $appPassword);

  if ($authenticated == true) 
  {
    // Register the customer id
    session_register("authenticatedUser");
    $authenticatedUser = $appUsername;

// Register the remote IP address 
session_register("loginIpAddress");
$loginIpAddress = $REMOTE_ADDR;
  }
  else
  {
    // The authentication failed
    session_register("loginMessage");
    $loginMessage = 
      //"Could not connect to the winestore " .
      //"database as \"$appUsername\"";

  "Could not log you in to the secure Navy ROTC area";
  }

  // Relocate back to the login page
  header("Location: example.9-8.php");

?>

stolzyboy

if that is "truly" the code...

then o'reilly is SORELY wrong...

for one thing session_start(); should be the first thing in the code

in your example, it is like line 65

i cut and pasted what you posted and after fixing a parse error for a missing brace, it still error cuz of the session_start()

chaq

To be fair I did add the header code...thinking it was a caching problem....

header("Cache-Control: post-check=0, pre-check=0", false); 
header("Pragma: no-cache");  

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); 
/* Date in the past*/ 
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");  

/* always modified*/ 
header("Cache-Control: no-cache, no-store, must-revalidate"); 
/* HTTP/1.1 read*/ 
header("Cache-Control: post-check=0, pre-check=0", false);

But he did put the session_start(); in the bottom of the pages...why does this matter?

Should I just scrap this example?

I've done simpler login apps w/ ASP. I like this one b/c you validate against the db only once and then store the fact that you're valid in the session. Other examples I've found on the web have every page running against the db...didn't think this was efficient enough. Any advice?

stolzyboy

i don't know why he put session_start() at the bottom, it has to be at the top for it to work correctly and if even at all...

without going into too much detail, i do know what i am talking about with sessions...

chaq

will moving it to the top do the trick or is there more errors I'm not aware of?

stolzyboy

Originally posted by chaq
will moving it to the top do the trick or is there more errors I'm not aware of?

i'm not positive of the "more errors" thing, cuz i frankly don't have the time to look through the whole thing, but if he got something like that incorrect, i'd have a hard time trusting anything else he wrote

search around here on the forums for login scripts, and the web...

there are numerous ones...

i wrote one here quite awhile ago if you wanna search for that one

i don't think it had db checking for u/p but that is really simple to put in once you have the whole session stuff wrapped up and working...

chaq

thanks for your help...so it's def b/c of the positioning of the session start...thanks again for helping me out.

Luis

chaq

can anyone help me mod this script so that it works properly?

stolzyboy

i honestly don't have the time, did you search the forums here...

chaq

stolzyboy, thanks for your help...was hoping someone else could help me tweek this script so it would work. I did look but didn't find one that both tied mysql and session as nicely as this one. I like this script b/c you only connect to the db once, then all pages that need to be protected need only an include file.

I've found other login scripts but every page that need 'protection' ran against the db...didn't think that was very efficient.

But again I really appreciate your input but was hoping someone else might be able to help me mod this existing example.

Luis

stolzyboy

i've attached the one that i wrote and use...

pretty self explanatory and you'll have to change the mysql stuff in the login page

but any page, like template.php, you just include the auth.inc.php to protect the page

should someone go there and NOT be logged in, the will be redirected to the login page, then if they login correctly, based on the mysql username and password combo, they'll be redirected to their original page request...

chaq

stolzyboy,

You're the man! Thanks so much for sending me a solid script. I did search on line but none really looked like they were worth using.

Thanks again!

stolzyboy

So, it worked for ya then?

Did you have to change anything, I didn't test it too much after putting the db checking in?

chaq

sorry, haven't had a chance to test it, but figured your approach would be much easier to implement. Will let you know if I have any bugs, hope to have a chance to work on it in the next few hours.

Luis

chaq

It kind of works...for some strange reason it works in NS6/NS4 but not IE6:

http://ncsu.edu/navy_rotc/stolzyboy-phpLogin/login_script/login.php

u:demo
p:demo

I log in OK, but when I go to a protected page I get redirected to the login in page...I even tried to track the value of the $_SESSION['logged'] session but I still can't move from the test2 page to a 'protected' page.

Luis

stolzyboy

did you change something, it seemed to work for me...

chaq

I had to change a few things...in the original form, I had to give the hidden field a value, you had it w/ a php variable that was never set....so this redirect variable I set to test2.php.

Since I thought it was an error w/ the value for $_SESSION['logged'] I placed code trying to track it...also my test2.php has the 'auth.inc.php' included

test2.php
<?php
include 'auth.inc.php';
?>
test22222 file, here is where you are redirected
<a href="protected.php">link to protected file</a>
$SESSION['logged'] =
<?php echo $SESSION['logged']; ?>

So when you log in, you can get to this page but when you then click on protected...you get redirected back to login.php?redirect=test2.php

chaq

the weird thing is if I test it on my local computer (running IIS5 and php) it works fine. But on our unix servers/apache it's giving these problems.

Luis