[Resolved] Dreamweaver User Authentication Behavior on Mac OS X

antinomia

Hello all-

A friend referred me here, looks like a nice community. I have been using PHP software for a while, but just started coding recently. I am using Dreamweaver MX 2004 on my Mac, using a local Apache test server running Mark Liyanage's PHP binary and MySQL.

Dreamweaver has some nice features integrated to write code for user authentication and a number of other "server behaviors." When I use the "log in user" behavior, Dreamweaver generates the following code:

<?php require_once('Connections/Recipes.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['UserName'])) {
  $loginUsername=$_POST['UserName'];
  $password=$_POST['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "protected.php";
  $MM_redirectLoginFailed = "login.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Recipes, $Recipes);

  $LoginRS__query=sprintf("SELECT UserName, UserPassword FROM users WHERE UserName='%s' AND UserPassword='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 

  $LoginRS = mysql_query($LoginRS__query, $Recipes) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

//declare two session variables and assign them
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;	      

//register the session variables
session_register("MM_Username");
session_register("MM_UserGroup");

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

This all seems to work great. If I enter a valid username/password combination, I am redirected to protected.php. However, as soon as I use Dreamweaver's "restrict access to page" behavior on protected.php it ALWAYS redirects me back to login.php, as if I hadn't been authenitcated. The code Dreamweaver wrote for protected.php is this:

<?php require_once('Connections/Recipes.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['UserName'])) {
  $loginUsername=$_POST['UserName'];
  $password=$_POST['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "protected.php";
  $MM_redirectLoginFailed = "login.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Recipes, $Recipes);

  $LoginRS__query=sprintf("SELECT UserName, UserPassword FROM users WHERE UserName='%s' AND UserPassword='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 

  $LoginRS = mysql_query($LoginRS__query, $Recipes) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

//declare two session variables and assign them
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;	      

//register the session variables
session_register("MM_Username");
session_register("MM_UserGroup");

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

What's funny is that as soon as I move the site to the production server, this code works just fine. So I'm thinking it's something in my PHP configuration maybe? I've spent hours trying to figure this out and I'm growing very impatient. I'm sure it's something simple, has anybody else had problems like this?

Thank much,
Matt

Weedpacket

What version of PHP are you using? If it's 4.2 or later, then Dreamweaver's code will fail on a default PHP configuration, because it's using deprecated session-handling functions [man]session_register[/man] etc.. You can reconfigure PHP by turning register_globals ON in php.ini (and if that's what your host is using you might as well do so); but it was turned off by default for security reasons.

Ironically, it's using session_register() and $SESSION - something that the PHP manual explicitly warns against using together (the $SESSION array is intended to replace use of session_register()), and not only that, but storing some of those session variables in the $GLOBAL array (which is daft, because $_SESSION is global anyway).

I'd estimate that Dreamweaver is coding on the assumption that you're using PHP 4.1 (it's using constructs that were not present in 4.0, and as noted it's assuming that register_globals is turned on, though it's not in 4.2). Possibly there's a switch in Dreamweaver that will change that behaviour (I don't use it; and judging from that code I'm kinda glad I don't).

It may be possible to salvage the code with altering your configuration (while still having it run on your host). Ditch the session_register() calls,
using $_SESSION['whatever'] in places where a session variable named $whatever
is being used, and they don't need to be declared global. For example, instead
of

//declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;	      

//register the session variables
session_register("MM_Username");
session_register("MM_UserGroup");

You would have

//Assign two session variables.
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;

I've just noticed something else.

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );

"&& false"? As I said, I don't know why Dreamweaver writes what it does (so I don't know what you'd tickle to change this), but if(anything && false) is guaranteed to fail. So $MM_redirectLoginSuccess never gets set to $_SESSION['PrevUrl'], and just keeps whatever value it already had.

Oh, and one more thing. echoing the value of mysql_error() when there is an error is valuable when development, but it should never be used in a real live site as all it does is provide attackers with information that helps them debug their attacks (the same goes for PHP's own errors: display_errors=off in php.ini for live sites, please!)

And don't mind me much; I'm the grumpy one.

antinomia

Well this is all a little bit disappointing, I figured Dreamweaver would write some pretty clean and proper code. But, register_globals indeed needs to be enabled to make Dreamweaver's behaviors work for me.

Ironically, it's using session_register() and $SESSION - something that the PHP manual explicitly warns against using together (the $SESSION array is intended to replace use of session_register()), and not only that, but storing some of those session variables in the $GLOBAL array (which is daft, because $_SESSION is global anyway).

Guess they're more concerned about Cold Fusion and ASP that getting the open-source stuff right. :queasy:

Possibly there's a switch in Dreamweaver that will change that behaviour (I don't use it; and judging from that code I'm kinda glad I don't).

I was unable to find any switch to make the code 4.3.x compliant. Judging from your response I might just sell this book (which looked AWESOME at first), ditch Dreamweaver (at least for it's integrated PHP code) and start coding by hand!!!

There are just too many things wrong here to use this as a starting point. I'll just begin again from scratch... 🙂

Thank you very much for your advice!

-Matt