[Resolved] Password protected pages still allow bookmarks

kilbey1

Problem: hosting on web server that doesn't allow sessions (I don't think).

Need: password protected (non-htaccess) web pages.

Code: started this and thought I had a good solution, but I found I can actually bookmark the page in the CASE statement WITHOUT being 'logged in'. How can I get my page to check that $submit is valid every time for every case?

<?php
include('../display.php'); 
?>
 <BR> 
<?
switch ($goto)
{
	case "login":
		head('Employee Login - Welcome','38','45');
		include "welcome.php";		
	break;
	case "corpdir":
		head('Employee Login - Corporate Directory','38','40');
		include "welcome-corpdir.php";
	break;
	case "emp":
		head('Employee Login - Employee Forms','38','39');
		include "welcome-emp.php";
	break;
	case "useful":
		head('Employee Login - Useful Websites','38','41');
		include "welcome-useful.php";
	break;
	default:
	include('../display.php'); 
	head('Employee Login','38','0');
?> 
   <form method="post" action="<?=$PHP_SELF?>"> 
      <table width="309" border="0" cellspacing="0" cellpadding="5" align="CENTER" bgcolor="#e2e2e2"> 
        <tr> 
          <td width="124" class="bodytext"><strong>Username :</strong></td> 
          <td width="356"><input name="username" type="text" id="username" size="20"></td> 
        </tr> 
        <tr> 
          <td class="bodytext"><strong>Password :</strong></td> 
          <td><input type="password" name="password" size="20"></td> 
        </tr> 
        <tr> 
          <td>&nbsp;</td> 
          <td><input type="submit" name="submit" value="Sign On"></td> 
        </tr> 
      </table> 
      <p></p> 
    </form> 
<?php

if ($submit) {
	$db=mysql_connect("localhost","someusername","somepassword") or die ("Can't connect:" . mysql_error());
	mysql_select_db("wowcorp",$db) or die ("Can't select database.");
	$result=mysql_query("select * from users where username='".$username."'",$db) or die ("cant do it");
	while ($row=mysql_fetch_array($result)) {
		if ($row["password"]==$password) {
		//LOGGED IN
			echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF?goto=login\">"); 
		} else {
			printf("Incorrect password. Try again.");		
		}
	}
}
} // end of SWITCH statement

foot();
?>

kilbey1

The only idea I've come up with thus far is to keep the if($submit) for the default page, then construct a function that does something similar and place the call to the function in each case statement.

laserlight

hmm... I dont quite get what is the problem.

Could you explain what exactly are you trying to do?

kilbey1

I am setting up a password protected site via a MySQL database via the code below. However, anyone can bookmark a URL once entered, ie:

http://www.somepage.com/index.php?goto=content

without actually having entered a username and password.

I don't want this. I want to force a username/password if they go to this bookmarked page - ie. check if they have already logged in. If not, take them to the login page.

BooRadLey

you need to assign a session variable at the time of login like if logged in is true $_SESSION['loggedIn'] = "true"

then you include an authentication function at the top of the protected pages that would check for that session variable, if it doesnt exist, redirect to the login page, if it does exist, don't do anything.

Brad

kilbey1

That's my question/problem; will all web hosts allow the use of sessions? I'm assuming not all will. If so... and I've just asked... it will solve my problem nicely.

kilbey1

My web hosting provider says he doesn't believe PHP sessions are available to us at this time.

However, I tried it out and I'm having some luck with them. Sort of. When I 'bookmark' a site and double-click, I am redirected to the login page. However, if I drop down in my history in my browser and choose, I am able to get in! Where am I going wrong?

Here is the code thus far:

<?php
session_start();
if (!session_is_registered ("logged_in")) {
	$logged_in = 0;
	session_register ("logged_in");
} else {
	$logged_in = 1;
}
if ($logout) {
   $logged_in = 0;
}
include('../display.php'); 
?>
 <BR> 
<?
if ($submit) {
	$db=mysql_connect("localhost","someusername","somepassword") or die ("Can't connect:" . mysql_error());
	mysql_select_db("wowcorp",$db) or die ("Can't select database.");
	$result=mysql_query("select * from users where username='".$username."'",$db) or die ("cant do it");
	while ($row=mysql_fetch_array($result)) {
		if ($row["password"]==$password) {
		//LOGGED IN
			session_register ("logged_in");
			echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF?goto=login\">"); 
		} else {
			printf("Incorrect password. Try again.");		
		}
	}
}


switch ($goto)
{
	case "login":
		if(	$logged_in == 0 ) {
			echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">"); 		
		} else {
			head('Employee Login - Welcome','38','45');
			include "welcome.php";		
		}
	break;
	case "corpdir":
		if(	$logged_in == 0 ) {
			echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">"); 		
		} else {
			//head('Employee Login - Corporate Directory','38','40');
			include "welcome-corpdir.php";
		}
	break;
	case "emp":
		if(	$logged_in == 0 ) {
			echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">"); 		
		} else {
		//head('Employee Login - Employee Forms','38','39');
			include "welcome-emp.php";
		}
	break;
	case "useful":
		if(	$logged_in == 0 ) {
			echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">"); 		
		} else {
		//head('Employee Login - Useful Websites','38','41');
			include "welcome-useful.php";
	}
	break;
	default:
	head('Employee Login','38','0');
?> 
   <form method="post" action="<?=$PHP_SELF?>"> 
      <table width="309" border="0" cellspacing="0" cellpadding="5" align="CENTER" bgcolor="#e2e2e2"> 
        <tr> 
          <td width="124" class="bodytext"><strong>Username :</strong></td> 
          <td width="356"><input name="username" type="text" id="username" size="20"></td> 
        </tr> 
        <tr> 
          <td class="bodytext"><strong>Password :</strong></td> 
          <td><input type="password" name="password" size="20"></td> 
        </tr> 
        <tr> 
          <td>&nbsp;</td> 
          <td><input type="submit" name="submit" value="Sign On"></td> 
        </tr> 
      </table> 
      <p></p> 
    </form> 
<?php
} // end of SWITCH statement

foot();
?>

BooRadLey

Ok, I'm no expert on sessions, but try this out:

<?php 
session_start();
if ($logout) { 
   $_SESSION['loggedIn'] = "false"; 
} 
include('../display.php');  

?> 
 <BR> 
<? 
if ($submit) { 
    $db=mysql_connect("localhost","someusername","somepassword") or die ("Can't connect:" . mysql_error()); 
    mysql_select_db("wowcorp",$db) or die ("Can't select database."); 
    $result=mysql_query("select * from users where username='".$username."'",$db) or die ("cant do it"); 
    while ($row=mysql_fetch_array($result)) { 
        if ($row["password"]==$password) { 
        //LOGGED IN 
            $_SESSION['loggedIn'] = "true"; 
            echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF?goto=login\">");  

        } else { 
            printf("Incorrect password. Try again.");         

        } 
    } 
} 


switch ($goto) 
{ 
    case "login": 
        if(    $_SESSION['loggedIn'] == "false" ) { 
            echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">");          

        } else { 
            head('Employee Login - Welcome','38','45'); 
            include "welcome.php";         

        } 
    break; 
    case "corpdir": 
        if(    $_SESSION['loggedIn'] == "false" ) { 
            echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">");          

        } else { 
            //head('Employee Login - Corporate Directory','38','40'); 
            include "welcome-corpdir.php"; 
        } 
    break; 
    case "emp": 
        if(    $_SESSION['loggedIn'] == "false" ) { 
            echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">");          

        } else { 
        //head('Employee Login - Employee Forms','38','39'); 
            include "welcome-emp.php"; 
        } 
    break; 
    case "useful": 
        if(    $_SESSION['loggedIn'] == "false" ) { 
            echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">");          

        } else { 
        //head('Employee Login - Useful Websites','38','41'); 
            include "welcome-useful.php"; 
    } 
    break; 
    default: 
    head('Employee Login','38','0'); 
?>  

   <form method="post" action="<?=$PHP_SELF?>"> 
      <table width="309" border="0" cellspacing="0" cellpadding="5" align="CENTER" bgcolor="#e2e2e2"> 
        <tr> 
          <td width="124" class="bodytext"><strong>Username :</strong></td> 
          <td width="356"><input name="username" type="text" id="username" size="20"></td> 
        </tr> 
        <tr> 
          <td class="bodytext"><strong>Password :</strong></td> 
          <td><input type="password" name="password" size="20"></td> 
        </tr> 
        <tr> 
          <td>&nbsp;</td> 
          <td><input type="submit" name="submit" value="Sign On"></td> 
        </tr> 
      </table> 
      <p></p> 
    </form> 
<?php 
} // end of SWITCH statement 

foot(); 
?>

I hope I didn't mess anything up, he he. From looking over it I think it should work, I might have missed something though. Also I would recommend validating the input on the username field before passing it directly into the sql query, look up SQL injection, people can input strings that will affect the query on your database possibly deleting the entire table. I hope I've helped 😃

Brad

edit I think I just figured out why your version wasnt working, when your user logged out you didn't unregister the session, so when the page refreshed and it checked to see if it was registered it turned logged in back to 1.

kilbey1

Originally posted by BooRadLey
$_SESSION['loggedIn'] = "false";

Interesting. $_SESSION totally doesn't work....yet session_register appears to work.

* edit I think I just figured out why your version wasnt working, when your user logged out you didn't unregister the session, so when the page refreshed and it checked to see if it was registered it turned logged in back to 1. [/B]

Don't think so. When I session_destroy or session_unregister - then it destroys any sessioning throughout the page.

EDIT: I also need to be able to destroy the session not only when the user logs out, but ALSO when the browser is closed.

BooRadLey

Hmm ok, well using your original code, does this work?

session_start(); 
if (!session_is_registered ("logged_in")) { 
    $logged_in = 0; 
} else { 
    $logged_in = 1; 
} 
if ($logout) { 
   $logged_in = 0; 
    session_unregister ("logged_in"); 
}

also I believe that when the browser is closed all open sessions are destroyed.

Brad

*edit I changed the code a bit, sorry he he I forgot to take out a line.

kilbey1

BINGO! This works wonderfully.

Thank you!!

Weedpacket

Hmm... what version of PHP is your host running? if sessions aren't available, then session_register() et al. wouldn't work...

BooRadLey

I thought $_SESSION was only available in newer versions of PHP. Though it does seem odd that they would say that sessions don't work when they are obviously working...

Brad

kilbey1

Looks like PHP Version 4.1.2. I think this guy I spoke to does more mail and technical work, not programming - so it could have been his 'guess' that PHP sessions weren't available. He did say "I don't believe'... should I tell them they are? 🙂

But oddly, in trying $_SESSION, this wouldn't function, yet session_register definitely works. Maybe the sysadmins eliminated one but not the other? Perhaps it has something to do with register_globals? They are ON in this host.

By the way, Boo, I read up on SQL-injection, and apparently I should filter out characters like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc. Is PREG the best to use for this and then STRIP?

BooRadLey

Hey, I found this for you, it should help you out with SQL injection.

http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/3/

I hope thsi helps,

Brad

kilbey1

This issue is resolved, but I've set up a code to prevent SQL Injection (grabbed from Macromedia site and altered for safety).

X-posted on Code Critique as well. I get an error upon user logout that states:

Warning: wrong parameter count for session_unregister() in /home/httpd/wow-erp/employees/index.php on line 132

....before the user is redirected back to the login page.

Here's the code.

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_wowcorp = "localhost";
$database_wowcorp = "dbname";
$username_wowcorp = "username";
$password_wowcorp = "password";
$wowcorp = mysql_pconnect($hostname_wowcorp, $username_wowcorp, $password_wowcorp) or trigger_error(mysql_error(),E_USER_ERROR); 

// *** Start the session
session_start();
// *** Validate request to log in to this site.
$FF_LoginAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && $HTTP_SERVER_VARS['QUERY_STRING']!="") $FF_LoginAction .= "?".htmlentities($HTTP_SERVER_VARS['QUERY_STRING']);
if (isset($HTTP_POST_VARS['username'])) {
  $FF_valUsername=(get_magic_quotes_gpc()) ? $HTTP_POST_VARS['username'] : addslashes($HTTP_POST_VARS['username']);
  $FF_valPassword=(get_magic_quotes_gpc()) ? $HTTP_POST_VARS['password'] : addslashes($HTTP_POST_VARS['password']);
  $FF_fldUserAuthorization="";
  $FF_redirectLoginSuccess="index.php?goto=login";
  $FF_redirectLoginFailed="index.php";
  $FF_rsUser_Source="SELECT username, password";
  if ($FF_fldUserAuthorization != "") $FF_rsUser_Source .= "," . $FF_fldUserAuthorization;
  $FF_rsUser_Source .= " FROM users WHERE username='" . $FF_valUsername . "' AND password='" . $FF_valPassword . "'";
  mysql_select_db($database_wowcorp, $wowcorp);
  $FF_rsUser=mysql_query($FF_rsUser_Source, $wowcorp) or die(mysql_error());
  $row_FF_rsUser = mysql_fetch_assoc($FF_rsUser);
  if(mysql_num_rows($FF_rsUser) > 0) {
    // username and password match - this is a valid user
    $MM_Username=$FF_valUsername;
    session_register("MM_Username");
    if ($FF_fldUserAuthorization != "") {
      $MM_UserAuthorization=$row_FF_rsUser[$FF_fldUserAuthorization];
    } else {
      $MM_UserAuthorization="";
    }
    session_register("MM_UserAuthorization");
    if (isset($accessdenied) && true) {
      $FF_redirectLoginSuccess = $accessdenied;
    }
    mysql_free_result($FF_rsUser);
    session_register("FF_login_failed");
	$FF_login_failed = false;
    header ("Location: $FF_redirectLoginSuccess");
    exit;
  }
  mysql_free_result($FF_rsUser);
  session_register("FF_login_failed");
  $FF_login_failed = true;
  header ("Location: $FF_redirectLoginFailed");
  exit;
}

function logout_button() {
?>
    	   <table width="100%"  border="0" cellspacing="2" cellpadding="2">
             <tr>
               <td valign="top"><div align="left"><input type="submit" name="back" value="<< Back" onClick="javascript:history.back()"></a></div></td>
               <td><div align="right">
   	 <form method="post" action="/employees/index.php?goto=logout">
                 <input type="submit" name="logout" value="Logout">
		 </form>               

		 </div></td>
             </tr>
           </table>

<?
}

include('../display.php'); 

switch ($goto)
{
	case "login":
			head('Employee Login - Welcome','38','45');

		?>
		<p><span class="bodytext"><strong><font color="#0099CC" size="3">Welcome to the Employee section</font></strong></span></p> 
<p><span class="bodytext">This little corner in cyberspace has been created to provide WOW Employees useful information about the company. We have started by providing a set of downloadable Employee Forms and a Corporate Directory with the Names and Phone Numbers of the employees in the Corporate Office. We have also created a section on Technical Resources&amp; White Papers. Employees are encouraged to contribute Articles, White Papers, etc. The idea is to build an Intellectual Property Database that all employees can access. We plan to add more sections like Employee News and Announcements, Bulletin Board, etc.. We encourage everyone visit this section periodically and send us your comments and suggestions to <a href="mailto:webmaster@wow-corp.com">webmaster@wow-corp.com</a>.</span></p> 
			<?
		logout_button();				
	break;
	case "corpdir":
			include "welcome-corpdir.php";
			logout_button();
	break;
	case "emp":
			include "welcome-emp.php";
			logout_button();
	break;
	case "useful":
			include "welcome-useful.php";
			logout_button();
	break;
	case "logout";
		session_unregister();
		echo("<meta http-equiv=\"Refresh\" content=\"0;url=$PHP_SELF\">");
	default:
	head('Employee Login','38','0');
?> 
   <form method="post" action="<?=$PHP_SELF?>"> 
      <table width="309" border="0" cellspacing="0" cellpadding="5" align="CENTER" bgcolor="#e2e2e2"> 
        <tr> 
          <td width="124" class="bodytext"><strong>Username :</strong></td> 
          <td width="356"><input name="username" type="text" id="username" size="20"></td> 
        </tr> 
        <tr> 
          <td class="bodytext"><strong>Password :</strong></td> 
          <td><input type="password" name="password" size="20"></td> 
        </tr> 
        <tr> 
          <td>&nbsp;</td> 
          <td><input type="submit" name="submit" value="Sign On"></td> 
        </tr> 
      </table> 
    </form> 
<?php
} // end of SWITCH statement

foot();
mysql_free_result($rstLogin);
?>