Modifying secure area authentication

WillJohnson1234

Hello,

Can somebody help me with this script?

I have a registration form that provides an option for three different program types:
BMUS, MASTERS, and DMA. What I would like to do is use an existing (fully functional) login script that points a user to their respective 'private' area:

For example:

BMUS = private1.php
MASTERS = private2.php
DMA = private3.php

At the top of each of these pages there is a "require_once" script that points to this authorzation.php script:

<?php
	//Start session
	session_start();
	//Check whether the session variable
	//SESS_MEMBER_ID is present or not
	if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='') ) {
		header("location: denied.php");
		exit();
	}
?>

So.. After the user has successfully registered, and then logged in, they will go to one of the private pages.

The problem:

BMUS students (users) can see MASTERS, or DMA pages (private2.php and private3.php) when they should only be able to see the BMUS page (private1.php)

This is the login script that is used after a successful registration:

<?php

$qry="SELECT member_id, location FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
	$result=mysql_query($qry);
	//Check whether the query was successful or not 
	if($result) {
		if(mysql_num_rows($result)>0) {
			//Login Successful
			session_regenerate_id();
			$member=mysql_fetch_assoc($result);
			$_SESSION['SESS_MEMBER_ID']=$member['member_id'];
			session_write_close();
			switch ($member['location']) 
			{
				case "private1.php":
					header("location: private1.php");
					$_SESSION['page_allowed']="private1.php";
					break;
				case "private2.php":
					header("location: private2.php");
					$_SESSION['page_allowed']="private2.php";
					break;
				case "private3.php":
					header("location: private3.php");
					$_SESSION['page_allowed']="private3.php";
					break;	
				default:
					header("location: failed.php");
					break;

		}
		//end new code
		exit();

	}else {
		//Login failed
		header("location: failed.php");
		exit();
	}
}else {
	die("Query failed");
}
?>

Please note the $_SESSION['page_allowed']="private1.php"; part of the case structure.

How can I add the "page_allowed" function to each of the private pages so only their respective page can be accessed? I think there needs to be a concatenated string added to the authorization.php script but I'm not sure.

I hope that's clear! Thank you kindly for your time.

jkurrle

I assume you have a database back-end to keep track of everyone? I see it as simply a matter of database tables. One table to keep track of the pages and what group they belong to, a second table for login IDs and what group the people belong to. When a person authenticates, they are assigned a session variable that carries with them through every page.

To keep things simple and elegant, create a php page header that is called by every page to handle the authentication. The page header does the authentication function and if the user's authentication doesn't match the page's authentication, the user is booted out without seeing the page.

Does this make sense?

WillJohnson1234

Hi,

Thanks for the quick reply!

Yes, I do have a MySQL back-end. But it only has one table at the moment. And each user has a specific page they are allowed to view when they register.

As I said, this code works because it creates a session allowing the users to view any of the pages:

<?php
	//Start session
	session_start();
	//Check whether the session variable
	//SESS_MEMBER_ID is present or not
	if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='') ) {
		header("location: denied.php");
		exit();
	}
?>

But what this code does NOT do is restrict the user from going to any of the other pages (have a look at the case statement posted earlier).

All I need to do (i think) is add a $_SESSION['page_allowed']="private1.php"; bit to the code above. This would make that user only allowed to see the private1.php page (or the corresponding private page when they log in).

Make sense? I hope so! Simply concatenating the above string to the above authorization script does not yet work.

Thanks,
W

jkurrle

If you are going to have the pages grouped as private1, 2, or 3, simply make an extra column in the user table and have it list 1, 2, or 3. When the person loads the page, the header checks which group the page is in, then checks to see what group the person is in. If there's a match, show the page. Otherwise kick them out. Simple if() statement, no switch/case...

WillJohnson1234

Can you suggest an appropriate "if" statement? I'm a little new to PHP and can't quite figure out how to do it.

In my database there already is a field called "location" which holds the value for private 1, 2 or 3. What do you suggest as a PHP header (verifier) for each of those pages?

jkurrle

Ok, here's an example:

First table is called "page_security" and contains the following entries
Page_Number - Page_Name - Page_Security
1 - private1.php - 1
2 - private2.php - 2
3 - private3.php - 3

Second table is called "user_security" and contains the following entries
User_Number Login_ID User_Security
1 - Adam - 1
2 - Bill - 2

3 - Charles - 3

Now, the fun begins. When a user logs in, the table is queried.

session_start();
$connection=mysql_connect($server,$user,$pw)
  or die("Error connecting to server");
$db=mysql_select_db($db,$connection)
  or die("Error Selecting Database");
$select="select User_Security from user_security where Login_ID=\"$passed_login\" ";
$result=mysql_query($select)
  or die("Error selecting from table");
mysql_close($connection);
if($result!="")
  {
  $row=mysql_fetch_array($result,MYSQL_ASSOC);
  extract($row); // Creates $User_Security variable
  }
$_SESSION['User_Security']=$User_Security;

Next, every page has a php header included that looks something like this:

session_start();
$connection=mysql_connect($server,$user,$pw)
  or die("Error connecting to server");
$db=mysql_select_db($db,$connection)
  or die("Error Selecting Database");

$MY_PAGE=$_SERVER['PHP_SELF'];
$explode_array=explode("/",$MY_PAGE); //separates on the slashes
$MY_PAGE=array_pop($explode_array); //Take the last one.  That's the page

$select="select Page_Security from page_security where Page_Name=\"$MY_PAGE\" ";
$result=mysql_query($select)
  or die("Error selecting from table");
if ($result!="")
  {
  $row=mysql_fetch_array($result, MYSQL_ASSOC);
  extract($row); // Creates $Page_Security variable
  }
mysql_close($connection);

//Now for the test...
if($_SESSION['User_Security']!=$Page_Security || $Page_Security=="")
  {
  header("Location: /denied.php"); // kick them out
  exit;
  }
// No need for an else statement, you're good.

This is a crude example, but it illustrates my point.

WillJohnson1234

Hi JKurrle,

Thank you very much for the code you offered. I am wondering if you would be willing to help me simplify it?

I like the idea of having two separate tables for users and page securities, but would prefer to just keep it all in one table (only for this project! - your design is clearly better).

So, my table has the following fields

member_id (auto_increment, primary key)
first name
last name
location (page_allowed) ex. "private1.php"
email
login (user name)
passwd (user's password stored encrypted .MD5 hash)

With only one table based on the structure above, can you help me re-write your code to make it work?

Thanks again, and sorry for the late response.

jkurrle

Working off of one table is possible, but it restricts the logged in user to only one page, as opposed to a number of pages that share the same security. The one table example is going to seriously hinder adding additional pages for logged in users in the future. Nevertheless, here is an example:

First set of code will be modified slightly, returning the logged in member_id and login (dual check for better security).

session_start();
$connection=mysql_connect($server,$user,$pw)
  or die("Error connecting to server");
$db=mysql_select_db($db,$connection)
  or die("Error Selecting Database");
$select="select member_id from security_table where Login_ID=\"$passed_login\" ";
$result=mysql_query($select)
  or die("Error selecting from table");
mysql_close($connection);
if($result!="")
  {
  $row=mysql_fetch_array($result,MYSQL_ASSOC);
  extract($row); // Creates $member_id variable
  }
$_SESSION['login']=$passed_login; 
$_SESSION['member_id']=$member_id;

The second part (page header) will check itself and query the table to see if it is allowed to display.

session_start();
$connection=mysql_connect($server,$user,$pw)
  or die("Error connecting to server");
$db=mysql_select_db($db,$connection)
  or die("Error Selecting Database");

$MY_PAGE=$_SERVER['PHP_SELF'];
$explode_array=explode("/",$MY_PAGE); //separates on the slashes
$MY_PAGE_TEMP=array_pop($explode_array); //Take the last one.  That's the page
$explode_array=explode("?",$MY_PAGE_TEMP); //Strips any data parsed on the end of the URL
$MY_PAGE=array_unshift($explode_array); //This is the page without any data added to the end

$select="select location from security_table 
  where member_id=\"".$_SESSION['member_id']."\" 
  and login=\"".$_SESSION['login']."\" "; //dual check
$result=mysql_query($select)
  or die("Error selecting from table");
if ($result!="")
  {
  $row=mysql_fetch_array($result, MYSQL_ASSOC);
  extract($row); // Creates $location variable
  }
mysql_close($connection);

//Now for the test...
if($location!=$MY_PAGE || $location=="")
  {
  header("Location: /denied.php"); // kick them out
  exit;
  }
// No need for an else statement, you're good.

This ought to pretty much work.

WillJohnson1234

That's an excellent point. Perhaps I should reconsider the one table structure.

Although....

What if a new page area for a restricted private page (private1.php for example) can be accessed by using a different type of redirect? for example:

Instead of private1.php being the only private page for user "john", his whole area can stem from that page. So if there is more content for the private1.php page, the URL would read:

private1.php?page=2

You know what I mean? I apologize if that looks really simple and basic. I'm new to PHP! I think that this method would still allow the one session to allow multiple pages within the same URL.

Hopefully what I just wrote actually makes sense.

Thanks, JKurrle!

jkurrle

Well, you are just making it more and more complicated, then. Now, your private1.php not only has the header, but the entire HTML code will need to be converted to work within a series of echo statements, governed by a switch/case structure. Is it doable? Yes. Is it worth doing? Only if you are a masochist.

WillJohnson1234

point taken! Thanks JKurrle for the advice 🙂

Best,
W