I am stuck on an authentication issue.
The scenario is: the user logs in (with a predefined password), the system READS this password, and if it is the predefined one, it forces them to change it; otherwise it ignores it.
Here is what I have:
<?php
require $_SERVER['DOCUMENT_ROOT']."/include/mainfunc.inc.php";
$query = "select * from usershc";
$result = sqlquery($query); // Predefined Query Function
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
$server = parse_config("DB_TYPE");
if ($server == "MYSQL") {
    while ($row = mysql_fetch_object($result)) {
        if ($user == $row->username && md5($pass) == $row->password) {
            $validated = 1;
            $rowpass = $row->password;
        }
    }
} elseif ($server =="MSSQL") { // Currently Used
    while ($row = mssql_fetch_object($result)) {
        if ($user == $row->username && md5($pass) == $row->password) {
            $validated = 1;
            $rowpass = $row->password;
        }
    }
}
if (!$validated) { // Check for Hard Coded Master Account
    $aaa = parse_config("AAA");
    if ($aaa = "Y") {
        $amc = parse_config("AMC");
        $ama = parse_config("AMA");
        $amp = parse_config("AMP");
        if ($amc == "Y") {
            $pass = md5($pass);
        }
        if ($user == "$ama" && $pass == "$amp") {
            $validated = 1;
        }
    }
}
// Redirect to Password Change area w/ notification if password is "100abc";
$page = $_SERVER['SCRIPT_NAME'];
$page = substr($page,-12,strlen($page));
echo $rowpass;
if ($rowpass == md5("100abc") && $page != "changepw.php" && $page != "chpasswd.php" && $validated=1) {
?>
<script language="javascript">
    alert('You must now create yourself a password. Click Ok to Continue to the password set')
    window.location = "http://callcenter.cfmcorp.com/DEMO/Access/changepw.php"
</script>
<?php
}
if (!$validated) {
    header('WWW-Authenticate: Basic realm="Restricted Area"');
    header('HTTP/1.0 401 Unauthorized');
    die ("HTTP/1.0 401 Unauthorized. This site requires a username and password for access.<br><br>If you have forgotten your password, please contact your supervisor.");
}
?>
It works fabulously at first: if the user has the default password, it brings them to the password change script.
The only problem is, AFTER I have changed a password and click a link (to another file), it still brings this up one more time, then pops up with the User/Password Request (which is MORE than fine), but it still forces it over to the change password again!
Not all users are technically inclined and it may send them into a few password changes that are not needed.
Any help would be appreciated!
big.nerd (Mike)
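
An added example, not part of the original post or its author's code: the gate described above written as one function that returns a decision, using strict comparisons in place of the posted `$aaa = "Y"` and `$validated=1`, which are assignments and always evaluate as true. The `gate()` function, the user map, the sample passwords and the `index.php` path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// md5 is kept only because the post's table stores md5 hashes.
define('DEFAULT_HASH', md5('100abc'));
// Pages that must stay reachable while the default password is still set.
const EXEMPT_PAGES = ['changepw.php', 'chpasswd.php'];

/**
 * Decide what to do with one request (hypothetical helper).
 * $users maps username => stored md5 hash.
 * Returns 'deny' (send the 401 challenge), 'force_change' (redirect) or 'allow'.
 */
function gate(array $users, ?string $user, ?string $pass, string $script): string
{
    if ($user === null || $pass === null || !isset($users[$user])) {
        return 'deny';
    }
    $stored = $users[$user];
    // Constant-time, strict comparison: no type juggling, no assignment.
    if (!hash_equals($stored, md5($pass))) {
        return 'deny';
    }
    // basename() avoids depending on the script name being 12 characters long.
    $onExemptPage = in_array(basename($script), EXEMPT_PAGES, true);
    if (hash_equals(DEFAULT_HASH, $stored) && !$onExemptPage) {
        return 'force_change';
    }
    return 'allow';
}

// Constructed sample data: the same user before and after the password change.
$before = ['mike' => md5('100abc')];
$after  = ['mike' => md5('N3w-passphrase')];

$steps = [
    'default password, normal page' => gate($before, 'mike', '100abc', '/DEMO/Access/index.php'),
    'default password, change page' => gate($before, 'mike', '100abc', '/DEMO/Access/changepw.php'),
    'browser resends old password'  => gate($after, 'mike', '100abc', '/DEMO/Access/index.php'),
    'new password after re-prompt'  => gate($after, 'mike', 'N3w-passphrase', '/DEMO/Access/index.php'),
];
foreach ($steps as $label => $result) {
    printf("%-32s => %s\n", $label, $result);
}
```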