auth and sess

hometoast

ok. I've written a version of phplib's authorization using its mysql database class and its challenge/crypt auth. (rewriting it was the only way I could figure out what was happening in there - plus phplib was not working at all for me).
The authorization works fine once but on subsequent page loads the login for shows again, but retain the session id.

thank you.
dan

Here is my code:

####################################
myauth.php
####################################
function ShowLogin() {
if (!isset($pagename)) {
$pagename = $PHP_SELF;
}
include 'mylogin.php';
}
//global $HTTP_POST_VARS;
$challenge = "ScoobyDooby-doo";
$authdb = new DB;
//session_start();

if ((($HTTP_COOKIE_VARS["AuthHash"] != md5($dbuser.$dbpass)) || $REMOTE_ADDR != $StoredIP)) {
session_unregister($dbuser);
session_unregister($dbpass);
session_unregister($StoredIP);
session_unregister($dbperms);
if (empty($formuser)) {
$state="no formuser var";
ShowLogin();
die();
} else {
$sql="SELECT * FROM Users WHERE webusername='$formuser';";
$authdb->Query($sql);
while($authdb->next_record()) {
$dbuser = $authdb->f("webusername");
$dbpass = $authdb->f("webuserpwhash");
$dbperms = $authdb->f("perms");
}
if (empty($dbuser)) {
$state="no user on record";
ShowLogin();
die();
}
$neededresponse=md5($dbuser.":".$dbpass.":".$challenge);
if (empty($HTTP_POST_VARS["response"])) { // no java
$formresponse = md5($HTTP_POST_VARS["formuser"].":".$HTTP_POST_VARS["formpw"].":".$challenge);
} else {
$formresponse = $HTTP_POST_VARS["response"];
}
if ($neededresponse == $formresponse) {
$StoredIP = $REMOTE_ADDR;
session_register($dbuser,$dbpass,$StoredIP,$dbperms);
setcookie("AuthHash",md5($dbuser.$dbpass));
} else {
$state="nomatch response";
ShowLogin();
die();
}
}
}
?>

####################################
agentsearch.php
####################################
<?php include "myauth.php" ?>
This page is for agents only!<br>
<?php
if (empty($HTTP_POST_VARS["available"])) {
showvars();
?>
<form method="post" action="<?php print $PHP_SELF; ?>" name="search">
Available Date: <input type="text" name="available"><br>
<input type="submit" name="subsearch" value="Go">
</form>
<?php
} else {
$wr = new wrdb;
?>

show data!

<?php
$sql="SELECT * from wr WHERE available='".$HTTP_POST_VARS."';";
$wr->Query($sql);
print "<pre> Count: $wr->n();\n";
while($wr->next_record()) {
print "$wr->p(\"Row\") ";
br();
}
print "</pre>";
}
?>

maxholman

Could it be...

session_register('dbuser','dbpass','StoredIP','dbperms');

...instead of...

session_register($dbuser,$dbpass,$StoredIP,$dbperms);

hometoast

thanks :-\ its always something simple.