Hi,
it's me again. I solved my login-password problem with a cookie; at first, I thought, it worked fine. But I realized that it is possible to log in again without a password. The cookie expires after half an hour, which could explain that. I tried to unset/delete the cookie with examples I found on php.net and on this mailing list. The cookie is set after successful authentication. Before that I wanted to delete the old cookie, like this:
authPerson($user->getValue("uid"), $passwd);
setcookie("passwd");
setcookie("passwd",$passwd,time()+ (3600/2));
Cookie warnings are activated; after a successful login with 'password=X3me8l', a second login works without a password. What happens is: on sending the login form, the first popup window gives you the message 'passwd=deleted' - that seems OK. The second following popup window has 'password=X3me8l' !?!? That's why it is possible to log in without a password... Any ideas? - please..
Thanks,
Tanja
Below is the whole login.php:
<?php
include("Classes.inc");
include("LDAP.inc");
session_name("test");
session_start();
include("errors.inc");

// $flag, $AuthUID, $passwd and $OLD_REFERER arrive via register_globals
if ($flag == "") {
    // first visit or "log in again" form: look the person up and put it in the session
    if (session_is_registered("user")) {
        session_destroy();
    }
    $authUID = urldecode($AuthUID);
    $user = new People($authUID);
    session_register("user");
}
elseif ($passwd != "") {
    //elseif ( ! ereg( "[:blank:]*$", $passwd ) ) {
    if (!isset($user)) {
        echo "at login.php sub=login..";
    }
    //setcookie("passwd",$passwd,time()- (3600/2));
    authPerson($user->getValue("uid"), $passwd);
    // two Set-Cookie headers for the same name leave in this one response:
    setcookie("passwd");                               // 1st: passwd=deleted, already expired
    setcookie("passwd", $passwd, time() + (3600/2));   // 2nd: passwd=<password>, valid for 30 min
    //setcookie("passwd",$passwd);
    header("Location: http://nachtigall.she.de/ldap/changeEntries.php?OLD_REFERER=$OLD_REFERER");
    exit;
}
?>
<head>
<link rel="stylesheet" type="text/css" href="css/own.css">
<title>Login</title>
<script language="JavaScript" src="js/main.js">
<!--
//-->
</script>
</head>
<body onLoad="//self.login.pwd.focus( )">
<form action="login.php" name="login" method="POST" target="" ONKEYPRESS="//return checkSubmit()">
Hello <strong><? print $user->getValue("cn"); ?></strong>, please log in...:<br>
<input type="password" name="passwd" size="20" class="input1">
<input type="hidden" name="flag" value="on">
<input type="hidden" name="OLD_REFERER" value="<? print $url; //$HTTP_REFERER; ?>">
<input type="image" name="submit" value="anmelden" src="she/buttons/login.gif" border="0" class="input1">
</form>
<?
//echo "\$passwd -> " . crypt($passwd,"JK");
?>
</body>
<?
function authPerson($authUID, $pwd) {
    global $LDAP_HOST, $user;
    if ($pwd === "") {
        // an empty password must not reach ldap_bind(): that would be an anonymous bind
        $AuthUID = urlencode($authUID);
        echo " <form action='login.php?AuthUID=$AuthUID' method='POST'>\n";
        echo "<br><strong>no password entered, please log in again...</strong><br>\n";
        echo " <input type='submit' value='to the login'>\n";
        echo " </form>\n";
        exit;
    }
    $ds = ldap_connect($LDAP_HOST);
    if ($ds) {
        $authDN = $user->getValue('dn');
        $r = @ldap_bind($ds, $authDN, $pwd);
        if ($r === -1) {
            // ldap_bind() returns TRUE or FALSE, so this branch is never taken
            echo "Error " . ldap_error($ds);
            $AuthUID = urlencode($authUID);
            echo " <form action='login.php?AuthUID=$AuthUID' method='POST'>\n";
            echo "<strong>Hello " . $user->getValue('cn') . ", please log in again...</strong><br>\n";
            echo " <input type='submit' value='back'>\n";
            echo " </form>\n";
            echo "Password was -> $pwd";   // debug output: echoes the password back to the browser
        } elseif ($r === TRUE) {
            // bind succeeded: return to the caller, which sets the cookie and redirects
        } elseif ($r === FALSE) {
            $AuthUID = urlencode($authUID);
            echo " <form action='login.php?AuthUID=$AuthUID' method='POST'>\n";
            echo "<strong>\"invalid credentials\"</strong> - wrong password entered,
please log in again...\n";
            echo " <input type='submit' value='to the login'>\n";
            echo " </form>\n";
            echo "Password was -> $pwd";   // debug output: echoes the password back to the browser
            exit;
        }
        ldap_close($ds);
    } else {
        echo "Connection to $LDAP_HOST not possible!!!<p>\n";
    }
}
?>
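The same login without the password cookie, as an added example that is not code from the post: the password is read from $_POST only, so a cookie named "passwd" can never stand in for the form field (with register_globals and the default variables_order "EGPCS" the cookie is imported after the POST field of the same name and overwrites it, which is how an empty password field still arrives as the old password). The password is used for exactly one ldap_bind() and never stored; what the session remembers afterwards is the authenticated uid plus a timestamp that enforces the 30-minute limit. The People class, $LDAP_HOST and the redirect target are taken from the post; the session key names, the LOGIN_TTL constant and the require_login() helper are assumptions made for this example.

```php
<?php
// login.php, session-based variant (added example; People, $LDAP_HOST and the
// redirect target come from the original post, everything else is assumed)
include("Classes.inc");
include("LDAP.inc");

session_name("test");
session_start();

define('LOGIN_TTL', 1800);   // 30 minutes, the lifetime the original cookie had

// One-time cleanup: expire the old password cookie in every browser that still carries it.
if (isset($_COOKIE['passwd'])) {
    setcookie('passwd', '', time() - 3600);
}

// Verify the password with a single LDAP bind; returns true/false and stores nothing.
function ldapPasswordOk($dn, $pwd)
{
    global $LDAP_HOST;
    if ($pwd === '' || $dn === '') {
        return false;   // an empty password would turn this into an anonymous bind
    }
    $ds = ldap_connect($LDAP_HOST);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($ds, $dn, $pwd);   // TRUE or FALSE, never -1
    ldap_unbind($ds);
    return $ok === true;
}

// Guard for protected pages such as changeEntries.php (meant to live in a shared include):
// requires an authenticated session entry that is not older than LOGIN_TTL.
function require_login()
{
    if (empty($_SESSION['auth_uid']) || empty($_SESSION['auth_time'])
        || time() - $_SESSION['auth_time'] > LOGIN_TTL) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return $_SESSION['auth_uid'];
}

// Input is taken from $_GET / $_POST explicitly, never from register_globals.
// PHP has already URL-decoded $_GET values, so no urldecode() is needed.
$authUID = isset($_GET['AuthUID']) ? $_GET['AuthUID'] : '';
$passwd  = isset($_POST['passwd']) ? $_POST['passwd'] : '';
$user    = null;
$error   = '';

if ($authUID !== '') {
    // step 1: remember who wants to log in; nothing is authenticated yet
    $_SESSION['pending_uid'] = $authUID;
    $user = new People($authUID);
} elseif (!empty($_SESSION['pending_uid']) && $passwd !== '') {
    // step 2: check the password once, then keep only the uid and a timestamp
    $user = new People($_SESSION['pending_uid']);
    if (ldapPasswordOk($user->getValue('dn'), $passwd)) {
        session_regenerate_id(true);   // fresh session id after the privilege change
        $_SESSION['auth_uid']  = $user->getValue('uid');
        $_SESSION['auth_time'] = time();
        unset($_SESSION['pending_uid']);
        header('Location: http://nachtigall.she.de/ldap/changeEntries.php');
        exit;
    }
    $error = 'wrong password, please log in again';
}
$passwd = '';   // do not keep the plaintext around longer than necessary
?>
<html>
<head><title>Login</title></head>
<body>
<?php if ($error !== '') { echo '<strong>' . htmlspecialchars($error) . '</strong><br>'; } ?>
<form action="login.php" method="POST">
Hello <strong><?php echo htmlspecialchars($user ? $user->getValue('cn') : ''); ?></strong>, please log in:<br>
<input type="password" name="passwd" size="20">
<input type="submit" value="login">
</form>
</body>
</html>
```

The browser applies both Set-Cookie headers of one response in order, so the second, still-valid "passwd" cookie always wins over the "deleted" one sent just before it; the only robust fix is to not put the password in a cookie at all. The redirect target is fixed here rather than taken from a request parameter, and the password is never echoed back in an error page.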