bluethundr
Posted January 20, 2010

I wrote an application in PHP that intends to authenticate users against a MySQL database. If you surf to localhost/login.html you see the login page. I created an authentication database and added a user to it. When I try to sign in as the user I added to the database, instead of logging into the application the user is immediately shunted to the logout page saying that the user cannot login:

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Login</title>
</head>
<body>
<h1>Application Login Page</h1>
<form method="POST" action="logincheck.php">
<table>
  <tr>
    <td>Enter your username:</td>
    <td><input type="text" size="10" name="loginUsername"></td>
  </tr>
  <tr>
    <td>Enter your password:</td>
    <td><input type="password" size="10" name="loginPassword"></td>
  </tr>
</table>
<p><input type="submit" value="Log in">
</form>
</body>
</html>
```

There is an include file with the user authentication and session authentication functions:

```php
<?php

function authenticateUser($connection, $username, $password)
{
  // Test the username and password parameters
  if (!isset($username) || !isset($password))
    return false;

  // Create a digest of the password collected from
  // the challenge
  $password_digest = md5(trim($password));

  // Formulate the SQL find the user
  $query = "SELECT password FROM users WHERE user_name = '{$username}'
            AND password = '{$password_digest}'";

  // Execute the query
  if (!$result = @ mysql_query ($query, $connection))
    showerror();

  // exactly one row? then we have found the user
  if (mysql_num_rows($result) != 1)
    return false;
  else
    return true;
}

// Connects to a session and checks that the user has
// authenticated and that the remote IP address matches
// the address used to create the session.
function sessionAuthenticate()
{
  // Check if the user hasn't logged in
  if (!isset($_SESSION["loginUsername"]))
  {
    // The request does not identify a session
    $_SESSION["message"] = "You are not authorized to access the URL {$_SERVER["REQUEST_URI"]}";

    header("Location: logout.php");
    exit;
  }

  // Check if the request is from a different IP address to previously
  if (!isset($_SESSION["loginIP"]) ||
     ($_SESSION["loginIP"] != $_SERVER["REMOTE_ADDR"]))
  {
    // The request did not originate from the machine
    // that was used to create the session.
    // THIS IS POSSIBLY A SESSION HIJACK ATTEMPT
    $_SESSION["message"] = "You are not authorized to access the URL {$_SERVER["REQUEST_URI"]} from the address {$_SERVER["REMOTE_ADDR"]}";

    header("Location: logout.php");
    exit;
  }
}

?>
```

Then if a user CAN authenticate they are supposed to land at the home page of the application:

```php
<?php
require "authentication.inc";
require_once "HTML/Template/ITX.php";

session_start();

// Connect to an authenticated session or relocate to logout.php
sessionAuthenticate();

$template = new HTML_Template_ITX("./templates");
$template->loadTemplatefile("home.tpl", true, true);
$template->setVariable("USERNAME", $_SESSION["loginUsername"]);
$template->parseCurrentBlock();
$template->show();
?>
```

This file uses a template file to display its contents:

```php
<?php
require "authentication.inc";
require_once "HTML/Template/ITX.php";

session_start();

// Connect to an authenticated session or relocate to logout.php
sessionAuthenticate();

$template = new HTML_Template_ITX("./templates");
$template->loadTemplatefile("home.tpl", true, true);
$template->setVariable("USERNAME", $_SESSION["loginUsername"]);
$template->parseCurrentBlock();
$template->show();
?>
```

If the user selects the logout page this is what they see. And as I mentioned, users are unable to login so they automatically end up here instead of the home page.

```php
<?php
require_once "HTML/Template/ITX.php";
session_start();

$message = "";

// An authenticated user has logged out -- be polite and thank them for
// using your application.
if (isset($_SESSION["loginUsername"]))
  $message .= "Thanks {$_SESSION["loginUsername"]} for using the Application.";

// Some script, possibly the setup script, may have set up a
// logout message
if (isset($_SESSION["message"]))
{
  $message .= $_SESSION["message"];
  unset($_SESSION["message"]);
}

// Destroy the session.
session_destroy();

// Display the page (including the message)
$template = new HTML_Template_ITX("./templates");
$template->loadTemplatefile("logout.tpl", true, true);
$template->setVariable("MESSAGE", $message);
$template->parseCurrentBlock();
$template->show();
?>
```

Logout uses a template file also:

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Logout</title>
</head>
<body>
<h1>Application Logout Page</h1>
{MESSAGE}
<p>Click <a href="login.html">here</a> to log in.
</body>
</html>
```

The database is _extremely_ simple by design:

```
mysql> use authentication;
Database changed
mysql> SHOW TABLES;
+--------------------------+
| Tables_in_authentication |
+--------------------------+
| users                    |
+--------------------------+
1 row in set (0.00 sec)

> CREATE TABLE users (
-> user_name char(50) NOT NULL,
-> password char(32) NOT NULL,
-> PRIMARY KEY (user_name),
-> ) type=MyISAM;
```

And I added a user to test the app:

```
mysql> SELECT * FROM users;
+------------+----------+
| user_name  | password |
+------------+----------+
| bluethundr | secretpass |
+------------+----------+
1 row in set (0.00 sec)
```

But all the user ever sees is this message, even tho the correct user name and password are entered:

```
Application Logout Page

Could not connect to the application as 'bluethundr'

Click here to log in.
```

:'( :'( :'( :'( :'( :'( :'(

Can anyone slap me upside the head with the clue-by-four on this one?
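Added example, not part of the original post: the `users` row shown above holds `secretpass` as typed, while `authenticateUser()` compares the column against `md5(trim($password))`, so that `WHERE` clause cannot match the row. The version below stores a `password_hash()` value instead and binds the username as a query parameter; the PDO connection, the in-memory SQLite database standing in for MySQL, the wider `password` column and the `addUser()` helper are assumptions made so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the MySQL "authentication" database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// password_hash() output does not fit in char(32); the PHP manual
// recommends a 255-character column for it.
$db->exec('CREATE TABLE users (
    user_name VARCHAR(50)  NOT NULL PRIMARY KEY,
    password  VARCHAR(255) NOT NULL
)');

// Hypothetical helper: store a salted hash, never the password itself.
function addUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Same role as the post's authenticateUser(): the username is bound as a
// parameter, and the hash is checked in PHP rather than in the WHERE clause.
function authenticateUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    return password_verify($password, $stored);
}

addUser($db, 'bluethundr', 'secretpass'); // constructed sample account

var_dump(authenticateUser($db, 'bluethundr', 'secretpass'));  // correct password
var_dump(authenticateUser($db, 'bluethundr', 'wrongpass'));   // wrong password
var_dump(authenticateUser($db, "blue'thundr", 'secretpass')); // quote stays data
```

With the `mysql_*` functions used in the post, the minimum equivalent of the bound parameter is passing `$username` through `mysql_real_escape_string()` before it reaches the query string.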
This topic is now archived and is closed to further replies.