Secure Login Via Cookies. Authentification Not Working

Chadian22

Im trying to combine a couple tutorials ive been reading to make a login for my admin section. But the pop-up box would pop up and id type in the RIGHT password and username and it would still not let me in, so I made the username a space , and the pass a space, just to make it fool proof , and still no luck. Any suggestions?

<?php

// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {

	// If empty, send header causing dialog box to appear

	header('WWW-Authenticate: Basic realm="My Private Stuff"');
	header('HTTP/1.0 401 Unauthorized');
	echo 'Authorization Required.';
	exit;

} else if (isset($PHP_AUTH_USER)) {

	mysql_connect ( "localhost", "---------", "---------" )    ;
    mysql_select_db( "users" ) or die (" Unable to Connect to DB") ;
    $sql = "SELECT *
            FROM users
            WHERE username='$PHP_AUTH_USER' and password='$PHP_AUTH_PW'";
  	$result = mysql_query($sql) ;
    $num = mysql_numrows($result);
    if ($num != "0") {
		echo "<P>You're authorized!</p>";
        setcookie ("user", md5($user_data[username]));
		setcookie ("pass", md5($user_data[password]));
		header("Location: index.php");

        exit; } else {

		header('WWW-Authenticate: Basic realm="My Private Stuff"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;

	}
	}

mysql_connect( "localhost", "--------", "--------" );
$db = mysql_select_db( "users" ) or die (" Unable to Connect to DB")



?>

jpmoriarty

what's your code for setting up the password? if you're md5-ing your password then you'll need to md5 the password that people type in before you check it against the db value.

so you might find you need something like:

$sql = "SELECT * 
                FROM users 
                WHERE username='$PHP_AUTH_USER' and password=md5'$PHP_AUTH_PW'";

where are you setting $PHP_AUTH_USER from though? a post? a get?

Chadian22

Umm, Im just using an authentification box that pops up from the header statement. Http://chadian22.no-ip.com/admin < thats what im using. I thought it'd pull the user name and pass from that , i was mixing a tutorials so might of f'ed up, but that part should still be ok, i added the cookie writing part from another tutorial, thats only 2 lines, i dont even get that for in the code. And ive check my mysql statememnt, its not md5'ed, its normal text. So i dont know whats wrong. hmmm.

Drakla

Is your server IIS by any chance? If so then it handling the AUTH thing is a slightly different kettle of beans. Let me know and I'll dig the code out if you need it.

Plus the way you're doing it assumes that you've got register globals on or something - put $_SERVER['PHP_AUTH_USER'] and the same with PW in and you might be flying your kite tonight.

Chadian22

I'm using Apache. Yah i figured out the problem with the global variables thing. Here's my new code. Im trying to somehow use sessions or something to check the cookie. Because i want to have it redirect to page update.php or something for example, but i dont want any user to just be able to type it in. I want update.php to check something, so im figuring it'll check the cookie, with a session. here's the new php

<?php
    // Check to see if $PHP_AUTH_USER already contains info

if (!isset($_SERVER['PHP_AUTH_USER'])) {

    // If empty, send header causing dialog box to appear

    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    $auth = 0
    exit;

} else if (isset($_SERVER['PHP_AUTH_USER'])) {

    mysql_connect ( "localhost", "--", "--" )    ;
    mysql_select_db( "users" ) or die (" Unable to Connect to DB") ;
    $sql = "SELECT *
            FROM users
            WHERE username='{$_SERVER['PHP_AUTH_USER']}' and password='{$_SERVER['PHP_AUTH_PW']}'";
      $result = mysql_query($sql) ;
    $num = mysql_numrows($result);
    if ($num != "0") {

          setcookie ("user", md5($user_data[username]));
          setcookie ("pass", md5($user_data[password]));
          header("Location: index.php");
          $auth = 1  ;
       echo "<P>You're authorized!</p>";
        } else {

        header('WWW-Authenticate: Basic realm="My Private Stuff"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;

    }
    }

?>

i dont know why i added the $auth variable. I just figured it'd come in handy later and ive seen it used in other tutorials ?? 😕

cbj4074

Are your passwords in the SQL database stored as TEXT? If they are, they shouldn't be, and you should MD5 them using SQL's built-in MD5 function, in which case you would need to take the password that the user types into your form and MD5 it, too, before pulling the row from the database for comparison.

It would probably helpful to add some print statements to print out your variables and compare them with what's in your database, visually, before you try to work them into logical comparisons.

HTH

Chadian22

//I was thinking about doing that, but I wanted to get the cleartext stuff worked out first, because md5ing is just a format thing, i think ?.. Ok, well i had posted error messages, but i restored an earlier version of the code that you see above, so we're all on the same page.

And I get this :

Parse error: parse error, unexpected T_EXIT in C:\FoxServ\www\admin\index.php on line 12

which applies to the current code :
Line10 echo 'Authorization Required.';
Line11 $auth = 0 ;
Line12 exit;
Line13
Line14 } else if (isset($_SERVER['PHP_AUTH_USER'])) {

Chadian22

I have 2 things to do.
1) I have to figure out how to get it to check the cookie, that will control my login/logout stuff. Since you can't essentially Logout with the HTTP Authentification. The header is supposed to loop back with $auth == 1 , and then it checks the cookie if the time has expired which expires the cookie, if it has then it goes through the system of bringing up the HTTP Auth box.
2) I know how to do this, i just havn't, i need to md5 my mysql password.

All that happens is the part that says im Authenificated when it matches my user/pass with the mysql database. and then it Auto-refreshes and spams the same page over and over again (the header part, if comment that out, it stops) . The header part is supposed to loop back and if $auth == 0 then go through it again, but if you type it in valid and the $auth == 1, then it should go through and check the cookie . Then I know that the person still wants to be logged on and hasnt expired the cookie, since the HTTP AUthentification might be left logged in and isnt very reliable. Is there an easier way to do this with cookies or something, i want to have this page be included
here's the code :

<?php
    // Check to see if $PHP_AUTH_USER already contains info
if ($auth == 1){
    print "auth = 1" ;
    if ($_COOKIE[user] == md5($_SERVER['PHP_AUTH_USER']) && $_COOKIE[pass] == md5($_SERVER['PHP_AUTH_PW'])){
		print "cookie checked" ;
       }
exit() ;

}
else if ($auth == 0){
    if (!isset($_SERVER['PHP_AUTH_USER'])) {

    // If empty, send header causing dialog box to appear
    $auth = 0;
    header('WWW-Authenticate: Basic realm="ADMIN"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';

    exit;

} else if (isset($_SERVER['PHP_AUTH_USER'])) {

    mysql_connect ( "localhost", "------", "------" )    ;
    mysql_select_db( "users" ) or die (" Unable to Connect to DB") ;
    $sql = "SELECT *
            FROM users
            WHERE username='{$_SERVER['PHP_AUTH_USER']}' and password='{$_SERVER['PHP_AUTH_PW']}'";
      $result = mysql_query($sql) ;
    $num = mysql_numrows($result);
    if ($num != "0") {
          $auth = 1;
          $time = time() ;
          setcookie ("user", md5($_SERVER['PHP_AUTH_USER']), $time+3200);
          setcookie ("pass", md5($_SERVER['PHP_AUTH_PW']), $time+3200);
          header("Location: index.php"); /* not sure to include this line or not   to have it loop back and check the cookie in $auth==1*/
          print "you're authorized" ;



        } else {

        header('WWW-Authenticate: Basic realm="ADMIN"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'You h0ser ; take off eh!';
        exit;

    }
    }
}


?>