restrict access to pages

trufla

Hi Guys!

I was wondering if anyone could help.
I have created a login page and declared session variables that are to be used in conjunction with restricted access pages.

Imagine: There are three types of users: admin, manager, and staff.
All three users login successfully to a page with four links to other pages.
Admin has access to all pages. Manager has access to three and staff has access to two.

Problem: The session variables that are being collected from the login are not recalled in the restricted access pages for some reason - due to my novice coding abilities no less.
In brief, all users are either locked out of the pages all together, or all users have unlimited access.

Can anyone help?

This is my code for a restricted access page. Only admin may view this page.

<?php
session_start();
$MM_authorizedUsers = "admin";
$MM_donotCheckaccess = "false";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && false) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "access_denied.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   

  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0) 
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>

trufla

anyone?

adrian_quah

Hi Trufla,

here's a working snippet of what i used and it works. hope u can use it for urs.

<?php
// Start of session-checking script

session_register("username_input"); // Stores session variable - username (Login))
if(!isset($username_input)) // If have not logged in or session has expired
{
Header("Location: index.php"); // Redirect to Login page
}
// End of session-checking script
?>

where in this case, the variable $username_input is the user's login name captured in the sessions, and if it has not been set, it'll redirect to index.php

Try it out n let us know ya.

trufla

Hello! I tried you code snippet, but I think I am missing something, or I have referring to the wrong variables. Could you help?

home.php (login page)


<?php require_once('../Connections/gymtvdb.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "Usergroup";
  $MM_redirectLoginSuccess = "successful.php";
  $MM_redirectLoginFailed = "failed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_gymtvdb, $gymtvdb);

  $LoginRS__query=sprintf("SELECT Email, Password, Usergroup FROM users WHERE Email='%s' AND Password='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password) ,
  get_magic_quotes_gpc() ? $loginStrGroup  : addslashes($loginStrGroup)); 

  $LoginRS = mysql_query($LoginRS__query, $gymtvdb) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {

$loginStrGroup  = mysql_result($LoginRS,0,'Usergroup');



//register the session variables
   $_SESSION["MM_username"]=$loginUsername;
   $_SESSION["MM_password"]= $password;
   $_SESSION["MM_userGroup"]= $loginStrGroup;

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

scrollling.php (access granted for admin only)


<?php 

session_register("admin"); 
if(!isset($loginStrGroup)) expired 
{ 
Header("Location: access_denied.php"); 
} 

?>

The variables are saved in the session from the login and being validated, but I am having trouble pulling the Usergroup variable = "admin" out.

This is my session:

MM_username|s:19:"tru@fla.co.uk";MM_password|s:8:"beagle";
MM_userGroup|s:5:"admin";admin|N;

Roger_Ramjet

You may want to look at this article by Kevin Yank http://www.sitepoint.com/print/write-secure-scripts-php-4-2 for a discussion of the security issues around php and sessions. It also includes a simple script to deal with authorisation and access.

However, since my authorised users can only view their own company's data I use his more extensive session management scripts: http://www.sitepoint.com/print/users-php-sessions-mysql. I have attached them for you.

The access control script is included in every page, and the db is queried every time a page is accessed. This means that every page checks for itself if the user is authorised or not and grants access accordingly.

trufla

Thanks for your post, I am just attempting the tutorial now!

I was wondering if I could ask, where do you keep your includes?
I am using Easyphp1-7. The php.ini-dist file's include_path is /php/includes, but there is no folder there for me to store the includes.

Do I need to create one where the include path is pointing to, or store it in /php/pear and change the path?

/php/pear is close to what Kevin Yank documented in his article:

include_path = ".;c:\php4\pear;d:\www\phpinclude"

I realise that the includes will work in my regular directory but it is safer to store them in an includes folder?

Cheers!

Roger_Ramjet

Personnal? I don't. I'm on a shared server with an ISP. No access to admin functions and a lot of trouble to telnet through our LAN firewall. I ALWAYS use relative paths throughout my websites ie "./file" or "./images/filr" etc so that it is fully portable from host to host with NO recoding required. My included files just sit in a subdir as a part of the whole site structure. Not very secure I agree.

Run phpinfo to find out where your include path is configured on your host.

trufla

I have gone through the code in Kevin Yank's article. When I try to register a user I get this error.

Forbidden
You don't have permission to access /folder/<br /><b>Notice</b>: Undefined variable: editFormAction in <b>c:/easyphp1-7/www/folder/tmpdypps2lh38.php</b> on line <b>25</b><br /> on this server.

As I was going through the code I was adapting it to fit with my settings.

What might this mean?

<?php // accesscontrol.php 
include_once 'common.php'; 
include_once 'db.php';

session_start();
//At this point, the user's login details should be available whether they were just submitted from a login form 
//(in the $_POST array) or stored in the user's session (in the $_SESSION array). 
//The script pulls the login credentials out of either the $_POST or the $_SESSION array:


$uid = isset($_POST['email_ID']) ? $_POST['email_ID'] : $_SESSION['email_ID']; 
$pwd = isset($_POST['pwdID']) ? $_POST['pwdID'] : $_SESSION['pwdID'];


if(!isset($uid)) { 
 ?> 
 <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN" 
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
 <html xmlns="http://www.w3.org/1999/xhtml"> 
 <head> 
 <title> Please Log In for Access </title> 
 <meta http-equiv="Content-Type" 
   content="text/html; charset=iso-8859-1" /> 
 </head> 
 <body> 
 <h1> Login Required </h1> 
 <p>You must log in to access this area of the site. If you are 
    not a registered user, <a href="signup.php">click here</a> 
    to sign up for instant access!</p> 
 <p><form action="<?=$_SERVER['PHP_SELF']?>" method="post" name="log_frm" id="log_frm"> 
   User ID: <input name="email_ID" type="text" id="email_ID" size="8" /> 
   Password: <input name="pwdID" type="password" id="pwdID" SIZE="8" /> 
   <input type="submit" value="Log in" /> 
 </form></p> 
 </body> 
 </html> 
 <?php 
 exit; 
}
$_SESSION['email_ID'] = $uid; 
$_SESSION['pwdID'] = $pwd;

dbConnect("gymtv"); 
$sql = "SELECT * FROM users WHERE 
       Email = '$uid' AND Password = PASSWORD('$pwd')"; 
$result = mysql_query($sql); 
if (!$result) { 
 error('A database error occurred while checking your '. 
       'login details.\\nIfhis error persists, please '. 
       'contact [email]blah@blah.com[/email].'); 
}

if (mysql_num_rows($result) == 0) { 
 unset($_SESSION['nUser_email']); 
 unset($_SESSION['nUser_password']); 

 ?> 
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
 <html xmlns="http://www.w3.org/1999/xhtml"> 
 <head> 
 <title> Access Denied </title> 
 <meta http-equiv="Content-Type" 
   content="text/html; charset=iso-8859-1" /> 
 </head> 
 <body> 
 <h1> Access Denied </h1> 
 <p>You do not have permission to access these pages.<br>
    Click <a href="self_service.php">here</a> to return to<br> 
	the self service point.</p> 
 </body> 
 </html> 
 <?php 
 exit; 
}

$username = mysql_result($result,0,'Firstname'); 
?>

<?php // signup.php 
include 'common.php'; 
include 'db.php';

if (!isset($_POST['submitok'])): 
   // Display the user signup form 

   ?> 



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
 <title>New User Registration</title> 
 <meta http-equiv="Content-Type" 
   content="text/html; charset=iso-8859-1" /> 
</head> 
<body> 

<h3>New User Registration Form</h3> 
<p><font color="orangered" size="+1"><tt><b>*</b></tt></font> 
  indicates a required field</p> 
<form name="newUser_frm" id="newUser_frm" method="post" action 

//problem is here?
[B]="<?php echo $editFormAction; ?>">[/B] 


  <table width="287" height="132" border="0" cellpadding="1" cellspacing="0">
    <tr> 
      <td width="108" class="news_text">Firstname</td>
      <td colspan="2"><input name="nUser_firstname" type="text" id="nUser_firstname" />
        * </td>
    </tr>
    <tr> 
      <td class="news_text">Lastname</td>
      <td colspan="2"><input name="nUser_lastname" type="text" id="nUser_lastname" />
        *</td>
    </tr>
    <tr> 
      <td class="news_text">Organisation</td>
      <td colspan="2"><input name="nUser_Org" type="text" id="nUser_Org" />
        *</td>
    </tr>
    <tr> 
      <td class="news_text">Email (Username)</td>
      <td colspan="2"><input name="nUser_email" type="text" id="nUser_email" />
        *</td>
    </tr>
    <tr> 
      <td rowspan="2" class="news_text">Address</td>
      <td width="147" rowspan="2"><textarea name="nUser_address" cols="18" rows="3" id="nUser_address"></textarea> 
      </td>
      <td width="26">*</td>
    </tr>
    <tr> 
      <td>&nbsp;</td>
    </tr>
    <tr> 
      <td class="news_text">Postcode</td>
      <td colspan="2"><input name="nUser_postcode" type="text" id="nUser_postcode" />
        *</td>
    </tr>
    <tr> 
      <td class="news_text">Registrar</td>
      <td colspan="2"><input name="nUser_registrar" type="text" id="nUser_registrar" />
        *</td>
    </tr>
    <tr> 
      <td class="news_text"><input name="Usergroup" type="hidden" id="Usergroup" value="visitor" /></td>
      <td colspan="2"><input type="submit" name="Submit" value="Submit" /></td>
    </tr>
  </table>
  <input type="hidden" name="MM_insert" value="newUser_frm" />
</form>
</body> 
</html>

<?php

else:
    // Process signup submission
    dbConnect('blah');

//check required form fields are filled in. 
//If any variables are found to be empty strings, the script calls the error function 
//from common.php to tell the user what went wrong and return to the form
 if 
 ($_POST['nUser_firstname']=='' or $_POST['nUser_lastname']=='' 
     or $_POST['nUser_org']=='' or $_POST['nUser_email']==''
	 or $_POST['nUser_address']=='' or $_POST['nUser_postcode']=='' 
	 or $_POST['nUser_registrar']=='') { 
       error('One or more required fields were left blank.\\n'. 
             'Please fill them in and try again.'); 
   }
// Check for existing user with the new id 
   $sql = "SELECT COUNT(*) FROM users WHERE Email = '$_POST[nUser_email]'"; 
   $result = mysql_query($sql); 
   if (!$result) { 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].'); 
   } 
   if (@mysql_result($result,0,0)>0) { 
       error('A user already exists with your chosen username (email).\\n'. 
             'Please try another.'); 
   }
   //The "$newpass" code below generates a random password string to send to new user's email (validates the email-username)
   //This works by taking the current time and performing 
   //an MD5 hash on it. This is basically a one-way cryptographic encoding into a text string, 
   //which is then chopped to 6 characters using the substr function. 
   //The result is a 6-character password that would be fairly difficult to guess.

$newpass = substr(md5(time()),0,6);

 $sql = "INSERT INTO users SET 
         Firstname = '$_POST[nUser_firstname]',
		 Lastname = '$_POST[nUser_lastname]',
         Organisation = '$_POST[nUser_org]',
		 Email = '$_POST[nUser_email]', 
         Password = PASSWORD('$newpass'), 
         Address = '$_POST[nUser_address]',
		 Postcode = '$_POST[nUser_postcode]',
		 Registrar = '$_POST[nUser_registrar]',
		 Usergroup = '$_POST[Usergroup]',"; 

   if (!mysql_query($sql)) 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].');

  // Email the new password to the person. 
   $message = "We Welcome our Newest Member! 

Your personal account for the Members Web Site 
has been created! To log in, proceed to the 
following address: 

   [url]http://www.blah.com/members.php[/url] 

Your personal login ID and password are as 
follows: 

   username: $_POST[nUser_email] 
   password: $newpass 

You aren't stuck with this password! Your can 
change it at any time after you have logged in. 

If you have any problems, feel free to contact me at 
<blah@blah.com>. 

-blah balh
"; 

   mail($_POST['nUser_email'],"Your Password for MEMBERS Website", 
        $message, "From:blah <blah@blah.com>");
?>
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
   <html xmlns="http://www.w3.org/1999/xhtml"> 
   <head> 
     <title> Registration Complete </title> 
     <meta http-equiv="Content-Type" 
       content="text/html; charset=iso-8859-1" /> 
   </head> 
   <body> 
   <p><strong>User registration successful!</strong></p> 
   <p>Your userid and password have been emailed to 
      <strong><?=$_POST[nUser_email]?></strong>, the email address 
      you just provided in your registration form. To log in, 
      click <a href="login.php">here</a> to return to the login 
      page, and enter your new personal userid and password.</p> 
   </body> 
   </html> 
   <?php 
endif; 
?>

trufla

OK, I've seen my first silly mistake!

trufla

OK I got rid of "Forbidden"

but the "The site database is unavailable." string is returned
from db.php.

There must be a problem with the name of the database.

(Please excuse the incessant posting, but as a noob, it helps to type it out. When I attempt to word the problem for someone else it helps me to see a possible answer.)

trufla

Well, it seems I have database connection, insertion etc problems, because I kepp getting messages from the db.php file.

I also get "one or more of the fields was left blank".

UUUMMMMMmmmmmm. Interesting!

trufla

OK, that seems to be rectified but I definately have a problem database wise:
I get this 'A database error occurred in processing your '.
'submission.\nIf this error persists, please '.

// Check for existing user with the new id 
   $sql = "SELECT COUNT(*) FROM users WHERE Email = '$_POST[nUser_email]'"; 
   $result = mysql_query($sql); 
   if (!$result) { 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].'); 
   }

Any ideas?

trufla

When I enter info into the signup form the error in the code below
'A database error occurred in processing your submission. If this error persists, please contact blah@blah.com'.

I have looked at a one particular website

Which says I should specify SELECT "column_name" FROM "table_name" . I have been doing this the other way around. However when I tried the other way I got the same error.

// Check for existing user with the new id 
   $sql = "SELECT COUNT(*) FROM tablename WHERE column= '$_POST[username_textfield'"; 
   $result = mysql_query($sql); 
   if (!$result) { 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].'); 
   }

What am I doing wrong?

The syntax seems ok as I want to check if a user already has that email (username).

The problem could also be here:

 
$sql = "INSERT INTO users  

	         Firstname = '$_POST[nUser_firstname]',
			 Lastname = '$_POST[nUser_lastname]',
             Organisation = '$_POST[nUser_org]',
			 Email = '$_POST[nUser_email]', 
             Password = PASSWORD('$newpass'), 
             Address = '$_POST[nUser_address]',
			 Postcode = '$_POST[nUser_postcode]',
			 Registrar = '$_POST[nUser_registrar]',
			 Usergroup = '$_POST[Usergroup]',"; 

   if (!mysql_query($sql)) 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].');

Can anyone see what I am doing wrong?

trufla

$sql = "INSERT INTO users SET
	         Firstname = '$_POST[nUser_firstname]',
			 Lastname = '$_POST[nUser_lastname]',
             Organisation = '$_POST[nUser_org]',
			 Email = '$_POST[nUser_email]', 
             Password = PASSWORD('$newpass'), 
             Address1 = '$_POST[nUser_address]',
			 Postcode = '$_POST[nUser_postcode]',
			 Registrar = '$_POST[nUser_registrar]',
			 Usergroup = '$_POST[Usergroup]',"; 

   if (!mysql_query($sql)) 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].');

Roger_Ramjet

Originally posted by trufla

$sql = "INSERT INTO users SET
	         Firstname = '$_POST[nUser_firstname]',
			 Lastname = '$_POST[nUser_lastname]',
             Organisation = '$_POST[nUser_org]',
			 Email = '$_POST[nUser_email]', 
             Password = PASSWORD('$newpass'), 
             Address1 = '$_POST[nUser_address]',
			 Postcode = '$_POST[nUser_postcode]',
			 Registrar = '$_POST[nUser_registrar]',
			 Usergroup = '$_POST[Usergroup]' "; 

   if (!mysql_query($sql)) 
       error('A database error occurred in processing your '. 
             'submission.\\nIf this error persists, please '. 
             'contact [email]blah@blah.com[/email].');

Loose the comma at the end of your query; db is expecting more fields when it sees that.

trufla

Thanks Roger, that helped! Unfortunately I have hit on yet another snag:

I was originally using mail() but it returned an error

Warning: mail(): Failed to connect to mailserver at "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini or use ini_set() in c:\easyphp1-7\www\folder\tmp3j8ej2mzzd.php on line 151.

I opened the php.ini and my settings were as follows:

[mail function]
; For Win32 only.
SMTP = localhost

; For Win32 only.
sendmail_from = me@localhost.com

I didn't know what to change them to so I substitued mail() for ini_set()

Code:

ini_set ($_POST['nUser_email'],"Your Password for the MEMBERS Website",
$message, "From:trufla<tru@fla.com>");
?>

Got this error:

Warning: Wrong parameter count for ini_set() in c:\easyphp1-7\www\folder\tmp3doyu2mzs6.php on line 152

Can someone either tell me what my php.ini settings should be or what I should do with the ini_set() please.

trufla

Another thing I have noticed is that when I enter login details in "accesscontrol - log in required" the session variables are not stored in the /tmp folder.

How have I coded it wrong? Why are the session variables not being stored?

Roger_Ramjet

Yes. That is the point. Session vars are stored server-side, and available throughout the session via the array $_SESSION. Read this http://www.acros.si/papers/session_fixation.pdf and this http://www.sitepoint.com/print/write-secure-scripts-php-4-2 and this http://www.sitepoint.com/print/users-php-sessions-mysql to understand why.

trufla

Surely they are stored in the tmp folder in www, as I am testing locally at the moment.

I ran some other code for a login to store variables and they were saved to /tmp.

<?php require_once('Connections/XXXXdb.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['usernameEmail'])) {
  $loginUsername=$_POST['usernameEmail'];
  $password=$_POST['pwd'];
  $MM_fldUserAuthorization = "Usergroup";
  $MM_redirectLoginSuccess = "login_successful.php";
  $MM_redirectLoginFailed = "login_failed.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_XXXXdb, $XXXXdb);

  $LoginRS__query=sprintf("SELECT Email, Password, Usergroup FROM users WHERE Email='%s' AND Password='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password) ,
  get_magic_quotes_gpc() ? $loginStrGroup  : addslashes($loginStrGroup)); 

  $LoginRS = mysql_query($LoginRS__query, $XXXXdb) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {

$loginStrGroup  = mysql_result($LoginRS,0,'Usergroup');

   //register the session variables
   $_SESSION["MM_username"]=$loginUsername;
   $_SESSION["MM_password"]= $password;
   $_SESSION["MM_userGroup"]= $loginStrGroup;

if (isset($_SESSION['PrevUrl']) && true) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

Session was stored as:

MM_username|s:19:"trufla@trufla.co.uk";MM_password|s:8:"beagle";MM_userGroup|s:5:"admin";