Shared Network allowing multiple logins

swatisonee

Hi,

I'm in a big mess. We have a lan at work and internet access is shared using winproxy.

I just discovered that if a person has logged in , another person who opens up index.php gets to view the first persons page !

I dont know if this is because of the shared net connection or whether its a flaw in the script.

Also, if one person has logged in, another person having access to the u/n and p/w can log in to the account at the same time. Clearly, my login.php and index.php are flawed and I would appreciate if someone can help guide me on how I should change it.

Thanks.Swati

Login.php

<H3><p><p align="center">Login to access your webpage:<P>
<FORM METHOD=post ACTION="<? echo $PHP_SELF ?>?action=login">
<p><p><p>
<B><table cellspacing="5" BORDERCOLORLIGHT = "#FFFF00" BORDERCOLORDARK = "#FFFF00"  bgcolor="#003498" align="center" border="8" >
<tr align="left"><td><font color="yellow" size="3" face="Tahoma"> User Name:</td><td>
<INPUT TYPE=text SIZE=30 NAME=loginname></td>
<td><font color="yellow" size="3" face="Tahoma"> Password:</td><td>
<INPUT TYPE=password SIZE=30 NAME=password></td></tr></table>
</center>    <br>
<p align="center"><INPUT TYPE=submit VALUE="Sign In"> </p>

</FORM>

   </tr>
</table>

Index.php


<?include("protect.php") ; ?>
<?php

mysql_connect("localhost", $dbname, $dbpasswd )
    	or die ("Unable to connect to server.");

mysql_select_db($database)
    	or die ("Unable to select database.");

$sql = "SELECT *
    	FROM users
    	WHERE (username='$logincookie[user]' or username='$loginname') and (md5(password)='$logincookie[pwd]' or password='$password')";

$result = mysql_query($sql)
    	or die ("Unable to get results.");


printf("<font face=\"Verdana\" size=\"4\"><font color=\"blue\">Welcome <b>%s %s</b>", mysql_result($result,0,"firstname"), mysql_result($result,0,"lastname") );


if (mysql_result($result,0,"type") == 'Sales')
{
$uid=mysql_result($result,0,"uid"); 
printf("<p><a href=sales.php?uid=$uid>Click here to proceed to your options</a>");
}

if (mysql_result($result,0,"type") == 'Finance')
{
$uid=mysql_result($result,0,"uid"); 
printf("<p><a href=finance.php?uid=$uid>Click here to proceed to your options</a>");

}
<p><p><br>
<font face="Verdana" size="2">Make sure you sign out once you have completed your visit to the site.<br><b>
<A HREF="<? echo $PHP_SELF ?>?action=logout">Sign Out</A></b><br><br>



</td>
    </tr>
  </table>

Protect.php

<?

// This is the page to show when the user has been logged out
$logout_page = "logout.php";

$dbname = "x";
$dbpasswd = "y";
$database = "z";


// Page with login form
$login_page = "login.php";

// Page to show if the user enters an invalid login name or password
$invalidlogin_page = "invalidlogin.php";

if ($action == "logout")
{
	Setcookie("logincookie[pwd]","",time() - 3600);
	Setcookie("logincookie[user]","",time() - 3600);
	include($logout_page);
	exit;
}
else if ($action == "login")
{
	if (($loginname == "") || ($password == ""))
	{
		include($invalidlogin_page);
		exit;
	}

mysql_connect("localhost", $dbname, $dbpasswd )
    	or die ("Unable to connect to server.");

mysql_select_db($database)
    	or die ("Unable to select database.");

$sql = "SELECT * FROM users WHERE username='$loginname' ";

$result = mysql_query($sql)
    	or die ("Unable to get results.");

$myrow = mysql_fetch_array($result);

if (strcmp($myrow["password"],$password) == 0)
{
	Setcookie("logincookie[pwd]",md5($password),time() + 3600);
	Setcookie("logincookie[user]",$loginname,time() + 3600);
}
else
{
	include($invalidlogin_page);
	exit;
}
}
else
{
	if (($logincookie[pwd] == "") || ($logincookie[user] == ""))
	{
		include($login_page);
		exit;
	}

mysql_connect("localhost",$dbname, $dbpasswd  )
    	or die ("Unable to connect to server.");

mysql_select_db($database)
    	or die ("Unable to select database.");

$sql = "SELECT * FROM users WHERE username='$logincookie[user]' ";

$result = mysql_query($sql)
    	or die ("Unable to get results.");

$myrow = mysql_fetch_array($result);

if (strcmp(md5($myrow["password"]),$logincookie[pwd]) == 0)
{
	Setcookie("logincookie[pwd]",$logincookie[pwd],time() + 3600);
	Setcookie("logincookie[user]",$logincookie[user],time() + 3600);
}
else
{
	include($invalidlogin_page);
	exit;
}
}
?>

<?php
function calculatedate($inputdate)
{
$inputdate_parts = explode('-', $inputdate);

if ($inputdate_parts[1]==00 && $inputdate_parts[2]==00 && $inputdate_parts[0]==0000)
return ' ';

// Calculating the UNIX Timestamp for both dates
$x = mktime(0, 0, 0, $inputdate_parts[1], $inputdate_parts[2], $inputdate_parts[0]);

$outputdate = date('d.m.y', $x);

return $outputdate;
}
?>

Plasma

Indeed that is a mess, perhaps consider starting over? 🙂

I notice a few flaws with your login script:
* The query to check if a username and password are valid is dodgy, as you allow for two possibilities for username and password alike. Decide on a format your going to be comparing the passwords to (if you have them as plaintext, thats bad - use a hash like md5 or sha1). Plaintext passwords in a database are bad.

Does not appear to be a login script at all. All it appears to do is (if successful 'login') the user is taken to a page with their userid in the get string. That means I can just wack that number in there instead of logging in in the first place.

Look into sessions to keep a user logged in over a website, or google 'simple user authentication with php' or something to help you replace your current stuff.

I wouldnt try hacking at it anymore to fix it, it needs replacement - imo.

swatisonee

Thats what I was afraid of !

I inherited this db so am too scared to make login changes for fear of what i might messup !

Is there a quick fix solution to getting over the problem of 1 user getting anothers login page that I can set up while i work my way thru overhauling everything ?

Thats my most critical reqt. now. due to the internet connection (and hence ip) being shared by multiple users.

Thanks !

bogu

Login into a site has nothing to do with internet connection or something because even in a lan connection all the computers are diferent by ip or by name ...

Every time u start a project using a login try to find the best login script, so the best solution is backup the project and start working on a good login script, dont make stuff like is user='user' and pass='pass' set a session to that one that he is ok ...

There is a bunch of scripts on the net and is a hole algorithm for a login form, not setting up a session ...

Plasma

Dont be worried about recoding it, just make a backup (better yet, use a version control system like SubVersion).

Theres no point in trying to 'quick fix' the script you posted, its horrid - best to just start clean and not give yourself a headache.

Readup / google on simple login scripts to protect pages, many have already been made for you.

swatisonee

Hello Plasma,

I googled away to find a simple login and heres what I found.

But i needed some advise before i changed over. Do I leave my login.php as it is and make these changes in the index.php file and protect.php files ( copied in the first post) ? The reason i ask is that from this script it appears to have combined what i have as 2 separate files that is login.php and index.php .

Thanks in advance, Swati

<?php 


################ 
#  Simple login session          
#  Ben M Wasley          
#  BenWConsulting.com    
################ 

function login($statment) 
    { 
print" <form action="myscript.php" method="POST">n"; 
print"<div align="center"><b>".$statment."</b></div><br />n"; 

//Your login vars user &amp;amp; password need to be passed no form tags though look above &amp;amp; below 

//Close form 
print"</form>n"; 
    } 

//Duh start the session redundant comments are funny 
session_start(); 

if(!isset($user) | !isset($password)) 
                 { 
//Login message here 

$statment = "Hi, Please login below"; 
login($statment); 
exit(); 
} 

session_register("user"); 
session_register("password"); 

//However you connect to your DB 
include("db.php"); 

$sql = mysql_query("SELECT user, password FROM users WHERE user = '$user'"); 
$result = mysql_fetch_array($sql)or die ("Doh! no DB Connection"); 
$numrows = mysql_num_rows($sql); 

if($numrows != "0" &amp; $password == $result["password"]) 
            { 
            $valid_user = 1; 
            } 
            else 
            { 
            $valid_user = 0; 
            } 
mysql_close($db); 

if (!($valid_user)) 
   { 

//Boot em!!!  IF !valid 
session_unset(); 
session_destroy(); 



//Give an error message 
$statment = "Somthing is wrong with the info you submitted.n"; 

login($statment); 

//Stop script 
exit(); 

  } 
//Include session_start(); on the top of all pages or in your header.php include 
session_start(); 

//Wecome to the the protected area!!! Put HTML, include, whatever you want here. 

//Session will end when client closes browser. 
//If you want then to have the ability to logout use: 

//     --->           session_start(); 
//     --->           session_unset(); 
//     --->           session_destroy(); 
//@ the top of any page or as a seperate script i.e logout.php 
?>