Authorization problems: works in IE but not Firefox

tryin_to_learn

Hi,

I'm trying to get an authorization for a CMS to work -- it works fine in IE, but not in Firefox.

What I have is a form on a page called index.html that goes to a home admin page called indexA.php:


<form action="indexA.php" method="post" name="login" onsubmit="MM_validateForm('username','','R');return document.MM_returnValue">

Once you get past the login, all pages in the admin section (including indexA.php) have the authorization code below in an include:

<?

require_once("/www/s/shrinkartcom/htdocs/susan/school/php/cms/classes/config.php");
require_once("/www/s/shrinkartcom/htdocs/susan/school/php/cms/classes/MySQL.php");
require_once("/www/s/shrinkartcom/htdocs/susan/school/php/cms/classes/Session.php");
require_once("/www/s/shrinkartcom/htdocs/susan/school/php/cms/classes/Auth.php");


$db = &new MySQL(DBHOST, DBUSER, DBPASS, DBNAME);


// Authenticate user or check valid access

$auth = &new Auth($db, "http://shrink-art.com/susan/school/php/cms/admin/index.html", "zonkers", false);


// Log out

if(isset($_GET['action']) and $_GET['action'] == "logout"){
    $auth->logout();
}


?>

What happens is that you log into the HTML form and it accesses indexA.php like you'd expect. However, when you click on any link on indexA, instead of going to the new page, it kicks you back to index.html (the form). You can log in again and once again, it'll go to indexA.php. However, if you do a view source on indexA.php, the code that shows up is index.html. This only happens in Firefox -- it works fine in IE.

Anyone have any ideas about what might be happening? I'm totally stumped.

Thanks,
Susan

dalecosp

Hrmm. One thing you might do is search the boards for "works in IE not Firefox". Of course, you may have doen that already. Occasionally we see posts that have that cue line in them, and perhaps one of them would help out.

That said, I'm kind of interested in seeing the "Auth.php" class. But that could be a wild goose to chase. If it's really working on one browser and not the other, it could very well be the javascript. You might try taking out the JS validation and see if it works with just a straight POST....

tryin_to_learn

I thought it might be the JavaScript, too, but I tried taking that out and it didn't help. Here's the Auth.php class I'm using -- I'm wondering if it's something in the redirect function?

<?php
/**
* @package SPLIB
* @version $Id: Auth.php,v 1.7 2003/12/09 06:06:13 kevin Exp $
*/
/**
* Constants to modify behaviour of Auth Class
*/
# Modify these constants to match the $_POST variable used in login form
// Name to use for login variable e.g. $_POST['login']
@define ( 'USER_LOGIN_VAR','username');
// Name to use for password variable e.g. $_POST['password']
@define ( 'USER_PASSW_VAR','password');

# Modify these constants to match your user login table
// Name of users table
@define ( 'USER_TABLE','access');
// Name of login column in table
@define ( 'USER_TABLE_LOGIN','username');
// Name of password column in table
@define ( 'USER_TABLE_PASSW','password');
/**
* Authentication class<br />
* Automatically authenticates users on construction<br />
* <b>Note:</b> requires the Session/Session class be available
* @access public
* @package SPLIB
*/
class Auth {
    /**
    * Instance of database connection class
    * @access private
    * @var object
    */
    var $db;
    /**
    * Instance of Session class
    * @access private
    * @var Session
    */
    var $session;
    /**
    * Url to re-direct to in not authenticated
    * @access private
    * @var string
    */
    var $redirect;
    /**
    * String to use when making hash of username and password
    * @access private
    * @var string
    */
    var $hashKey;
    /**
    * Are passwords being encrypted
    * @access private
    * @var boolean
    */
    var $md5;
    /**
    * Auth constructor
    * Checks for valid user automatically
    * @param object database connection
    * @param string URL to redirect to on failed login
    * @param string key to use when making hash of username and password
    * @param boolean if passwords are md5 encrypted in database (optional)
    * @access public
    */
    function Auth ( & $db, $redirect, $hashKey, $md5=true ) {
        $this->db=& $db;
        $this->redirect=$redirect;
        $this->hashKey=$hashKey;
        $this->md5=$md5;
        $this->session=& new Session();
        $this->login();
    }
    /**
    * Checks username and password against database
    * @return void
    * @access private
    */
    function login() {
        // See if we have values already stored in the session
        if ( $this->session->get('login_hash') ) {
            $this->confirmAuth();
            return;
        }

    // If this is a fresh login, check $_POST variables
    if ( !isset($_POST[USER_LOGIN_VAR]) ||
            !isset($_POST[USER_PASSW_VAR]) ) {
        $this->redirect();
    }

    if ( $this->md5 )
        $password=md5($_POST[USER_PASSW_VAR]);
    else
        $password=$_POST[USER_PASSW_VAR];

    // Escape the variables for the query
    $login=mysql_escape_string($_POST[USER_LOGIN_VAR]);
    $password=mysql_escape_string($password);

    // Query to count number of users with this combination
    $sql="SELECT COUNT(*) AS num_users
            FROM ".USER_TABLE."
            WHERE ".USER_TABLE_LOGIN."='".$login."'
            AND ".USER_TABLE_PASSW."='".$password."'";

    $result=$this->db->query($sql);
    $row=$result->fetch();

    // If there isn't is exactly one entry, redirect
    if ( $row['num_users']!=1 )
        $this->redirect();
    // Else is a valid user; set the session variables
    else
        $this->storeAuth($login,$password);
}
/**
* Sets the session variables after a successful login
* @return void
* @access protected
*/
function storeAuth($login,$password) {
    $this->session->set(USER_LOGIN_VAR,$login);
    $this->session->set(USER_PASSW_VAR,$password);
    // Create a session variable to use to confirm sessions
    $hashKey = md5($this->hashKey.$login.$password);
    $this->session->set('login_hash',$hashKey);
}
/**
* Confirms that an existing login is still valid
* @return void
* @access private
*/
function confirmAuth() {
    $login=$this->session->get(USER_LOGIN_VAR);
    $password=$this->session->get(USER_PASSW_VAR);
    $hashKey=$this->session->get('login_hash');
    if (md5($this->hashKey.$login.$password) != $hashKey ) {
        $this->logout(true);
    }
}
/**
* Logs the user out
* @param boolean Parameter to pass on to Auth::redirect() (optional)
* @return void
* @access public
*/
function logout ($from=false) {
    $this->session->del(USER_LOGIN_VAR);
    $this->session->del(USER_PASSW_VAR);
    $this->session->del('login_hash');
    $this->redirect($from);
}
/**
* Redirects browser and terminates script execution
* @param boolean adverstise URL where this user came from (optional)
* @return void
* @access private
*/
function redirect($from=true) {
    if ( $from ) {
        header ( 'Location: '.$this->redirect.'?from='.
            $_SERVER['REQUEST_URI'] );
    } else {
        header ( 'Location: '.$this->redirect );
    }
    exit();
}
}
?>