How can we get passed the login page when using the URL?

[hypermom]

Hi all,

 

I know very little about PHP and coding.  But I've been assigned the task of allowing a certain group of users to be able to hit the page containing their video lessons.  The URL displays like this in the URL/Addy bar:

http://vmcampus.com/lmsCourse.php?idGroup=19

But we are stopped at the login page.  We had a contractor put that into place.  Now I need to figure out how to undo that for ONLY a specific group of ppl launching links from their Intranet.  They can use a link to a lesson to start a video...they just can't get the page containing those links to display without getting the login page.

 

Is there anyway around this?

 

Thanks,

 

Mary

[sloth456]

I'm thinking that in the members table you would have to create a new field, something like "access level" and then set all people who are allowed to see this particular page to '1'

 

Then at the top of your page where you want to limit access to only a certain group of people you would do a select query to check if the user has access by checking "access level" for a '1'.  If so the script continues to display the page, if not it would display an error like "you are not authorised to see this page"

 

If you are not familiar with php it's quite difficult to implement and its also quite difficult to give specific instructions without seeing the code and database structure.

[Psycho]

Then at the top of your page where you want to limit access to only a certain group of people you would do a select query to check if the user has access by checking "access level" for a '1'.

 

And how, exactly, would you determine who the user is if they have not logged in?

 

The options that come to mind are as follows:

 

1. Check the IP address/range of the user (assuming the people on this intranet have a dedicated IP address/range). If it is from that intranet log them into a guest account automatically with rights to that page.

 

2. If the users are storing the link to the page locally (on their PCs) and it is not available on the website, then append another parameter to the URL to detemine they are coming from that location.

[sloth456]

And how, exactly, would you determine who the user is if they have not logged in?

 

I was assuming they would login.

[Psycho]

And how, exactly, would you determine who the user is if they have not logged in?

 

I was assuming they would login.

 

The title of this post is "How can we get passed the login page when using the URL?" Unless I am misreading it, it seems pretty clear from the OP's original post that they are trying to bypass the login process for users within that intranet to take them directly to the page in question.

[keeB]

Provide a uid unique to the url which circumvents the login process

 

http://url/course_videos.php?a=letmein

[gizmola]

Of course the intranet people will have an internal IP range from NAT.  The script can determine this using $_SERVER['REMOTE_ADDR'].  So the membership code simply needs a stub out there that lets people in.  Of course this assumes that there's not other code setting session variables, which there probably is.  So even though the login code could be shortciruited, whatever determines that a person is in "logged in" state, still needs to be setup probably.

 

Since we've got on code to work with here, there's not much more to be said on this thread unless the OP returns.

[hypermom]

Thanks for your responses!  I'm not following everything.

 

I can tell you that I'm pretty sure that the Intranet was already given a special access out and into our site because they can hit a video page, like this one without having to log on:

http://www.vmcampus.com/files/lessonfile_id327.swf

But it seems that EVERYONE can hit that link now so that may not be true?? Can someone here tell me if they get the login page or see the first page for a module that *contains four lessons?*

 

Here's 2 things that I was thinking:

1) somehow send a username/password from the Intranet and insert them into the proper fields and pass a cmd that *clicks* the Sign In button.  That sounds like a long shot tho.

2) Send them to a page that redirects them to the page:

http://vmcampus.com/lmsCourse.php?idGroup=19

that page ?could contain the usename and password? or something that would allow them to get the the Group=19 page.  A redirect??

 

Thanks again for you help!  Very much appreciated!!

[Psycho]

I get the first page of the modul when using that link. So, login has been removed.

 

You definitely do NOT want to go with option 1. Even though you are trying to bypass security, you should never append the password in clear text. There were numerous options provided above that would give you the functionality you want with better security.

[gizmola]

Thanks for your responses!  I'm not following everything.

 

I can tell you that I'm pretty sure that the Intranet was already given a special access out and into our site because they can hit a video page, like this one without having to log on:

http://www.vmcampus.com/files/lessonfile_id327.swf

But it seems that EVERYONE can hit that link now so that may not be true?? Can someone here tell me if they get the login page or see the first page for a module that *contains four lessons?*

 

Here's 2 things that I was thinking:

1) somehow send a username/password from the Intranet and insert them into the proper fields and pass a cmd that *clicks* the Sign In button.  That sounds like a long shot tho.

2) Send them to a page that redirects them to the page:

http://vmcampus.com/lmsCourse.php?idGroup=19

that page ?could contain the usename and password? or something that would allow them to get the the Group=19 page.  A redirect??

 

Thanks again for you help!  Very much appreciated!!

 

So, the answer to your question about access is that currently everyone has access to the .swf.

 

 

I'm afraid we are missing some important information to help you go any further.  First off, in regards to "Intranets", there is nothing special about an intranet.  It's simply an internal network, and just about everyone these days that has a router in their house to share broadband has an "Intranet".  This is facililitated by the use of "non-routable IP addresses" which are ranges of IP's that were specificallly set aside so that companies could have internal networks.  What allows this to work is that the router acts as a proxy for all outbound connections.  So in general, this Network Address Translation (NAT) functionality is permissive going inside out.  Since these ranges are non-routable, workstations inside the NAT range can't be accessed anyways.  You can think of this as -- "I can call you from my company, but you won't know my extension". 

 

Most people are familiar with the non-routable IP ranges:  192.168.x and 10.x.  Workstations or servers you're communicating with never see the internal IP, only the IP of the router that is providing the proxy service. 

 

When you first posted, I assumed that what you meant was that the "server" was inside the internal network.  I'm guessing that is not the case now, so the first thing you need to know is, what is the IP or range of IP's provided by the router, for people on the Intranet who need to access this material without a login.  If you can ascertain that information, then it's possible to utilize the IP range based security previously described.  Since this is the basic rule you are looking to implement (People on the Intranet should be "logged into the site without a username/password) then the best solution is to utilize the IP to bypass the usual login.