
I wrote an application in PHP that intends to authenticate users against a MySQL database.

 

If you surf to localhost/login.html you see the login page. I created an authentication database and added a user to it. When I try to sign in as the user I added to the database, instead of logging into the application the user is immediately shunted to the logout page saying that the user cannot log in :shrug::

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
                      "http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Login</title>
</head>
<body>
<h1>Application Login Page</h1>
<form method="POST" action="logincheck.php">
<table>
  <tr>
    <td>Enter your username:</td>
    <td><input type="text" size="10" name="loginUsername"></td>
  </tr>
  <tr>
    <td>Enter your password:</td>
    <td><input type="password" size="10" name="loginPassword"></td>
  </tr>
</table>
<p><input type="submit" value="Log in">
</form>
</body>
</html>

 

There is an include file with the user authentication and session authentication functions:

 

<?php

function authenticateUser($connection, $username, $password)
{
  // Test the username and password parameters
  if (!isset($username) || !isset($password))
    return false;

  // Create a digest of the password collected from
  // the challenge
  $password_digest = md5(trim($password));

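  // Escape the username before it is placed in the query string
  $username = mysql_real_escape_string($username, $connection);

  // Formulate the SQL to find the user
  $query = "SELECT password FROM users WHERE user_name = '{$username}'
            AND password = '{$password_digest}'";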

  // Execute the query
  if (!$result = @ mysql_query ($query, $connection))
    showerror();

  // exactly one row? then we have found the user
  if (mysql_num_rows($result) != 1)
    return false;
  else
    return true;
}

// Connects to a session and checks that the user has
// authenticated and that the remote IP address matches
// the address used to create the session.
function sessionAuthenticate()
{
  // Check if the user hasn't logged in
  if (!isset($_SESSION["loginUsername"]))
  {
    // The request does not identify a session
    $_SESSION["message"] = "You are not authorized to access the URL 
                            {$_SERVER["REQUEST_URI"]}";

    header("Location: logout.php");
    exit;
  }

  // Check if the request is from a different IP address to previously
  if (!isset($_SESSION["loginIP"]) || 
     ($_SESSION["loginIP"] != $_SERVER["REMOTE_ADDR"]))
  {
    // The request did not originate from the machine
    // that was used to create the session.
    // THIS IS POSSIBLY A SESSION HIJACK ATTEMPT

    $_SESSION["message"] = "You are not authorized to access the URL 
                            {$_SERVER["REQUEST_URI"]} from the address 
                            {$_SERVER["REMOTE_ADDR"]}";

    header("Location: logout.php");
    exit;
  }
}

?>

 

Then if a user CAN authenticate they are supposed to land at the home page of the application:

 


<?php

require "authentication.inc"; 
require_once "HTML/Template/ITX.php";

session_start();

// Connect to an authenticated session or relocate to logout.php
sessionAuthenticate();

$template = new HTML_Template_ITX("./templates");
$template->loadTemplatefile("home.tpl", true, true);

$template->setVariable("USERNAME", $_SESSION["loginUsername"]);
$template->parseCurrentBlock();
$template->show();
?>

 

This file uses a template file to display its contents:

 


<?php

require "authentication.inc"; 
require_once "HTML/Template/ITX.php";

session_start();

// Connect to an authenticated session or relocate to logout.php
sessionAuthenticate();

$template = new HTML_Template_ITX("./templates");
$template->loadTemplatefile("home.tpl", true, true);

$template->setVariable("USERNAME", $_SESSION["loginUsername"]);
$template->parseCurrentBlock();
$template->show();
?>

 

If the user selects the logout page this is what they see. And as I mentioned users are unable to login so they automatically end up here instead of the home page.

 

<?php
  require_once "HTML/Template/ITX.php";
  session_start();

  $message = "";

  // An authenticated user has logged out -- be polite and thank them for
  // using your application.
  if (isset($_SESSION["loginUsername"]))
    $message .= "Thanks {$_SESSION["loginUsername"]} for
                 using the Application.";

  // Some script, possibly the setup script, may have set up a 
  // logout message
  if (isset($_SESSION["message"]))
  {
    $message .= $_SESSION["message"];
    unset($_SESSION["message"]);
  }

  // Destroy the session.
  session_destroy();

  // Display the page (including the message)
  $template = new HTML_Template_ITX("./templates");
  $template->loadTemplatefile("logout.tpl", true, true);
  $template->setVariable("MESSAGE", $message);
  $template->parseCurrentBlock();
  $template->show();
?>

 

Logout uses a template file also:

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
                      "http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Logout</title>
</head>
<body>
  <h1>Application Logout Page</h1>
  {MESSAGE}
  <p>Click <a href="login.html">here</a> to log in.
</body>
</html>

 

The database is _extremely_ simple by design:

 

mysql> use authentication;
Database changed

mysql> SHOW TABLES;
+--------------------------+
| Tables_in_authentication |
+--------------------------+
| users                    |
+--------------------------+
1 row in set (0.00 sec)

mysql> CREATE TABLE users (
    -> user_name char(50) NOT NULL,
    -> password char(32) NOT NULL,
    -> PRIMARY KEY (user_name)
    -> ) type=MyISAM;

 

And I added a user to test the app:

 

mysql> SELECT * FROM users;
+------------+------------+
| user_name  | password   |
+------------+------------+
| bluethundr | secretpass |
+------------+------------+
1 row in set (0.00 sec)

 

But all the user ever sees is this message even though the correct user name and password are entered:

 

Application Logout Page
Could not connect to the application as 'bluethundr'
Click here to log in. 

 

:'( :'( :'( :'( :'( :'( :'(

 

Can anyone slap me upside the head with the clue-by-four on this one?

 

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/189121-users-cant-authenticate/
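
An added example, not part of the original post: the `authenticateUser()` lookup above compares `md5(trim($password))` with the `password` column, so a row that stores the literal string `secretpass` gives zero matches. The script reproduces that comparison and then shows a parameterized, `password_hash()`-based variant; `authenticateUserSafe`, the `hashed_user` row and the in-memory SQLite database (standing in for MySQL so it runs offline) are assumptions, not the poster's code.

```php
<?php
// Added example, not the poster's code. PDO with in-memory SQLite stands in
// for MySQL so the script runs offline (assumption).

// Parameterized lookup plus password_verify(), in place of the interpolated
// query and the md5() comparison. authenticateUserSafe is a hypothetical name.
function authenticateUserSafe(PDO $db, $username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no row matches
    return is_string($stored) && password_verify($password, $stored);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output does not fit char(32), hence the wider column
$db->exec('CREATE TABLE users (user_name VARCHAR(50) PRIMARY KEY,
                               password  VARCHAR(255) NOT NULL)');

// Constructed rows: one stored as in the post's SELECT output, one hashed
$insert = $db->prepare('INSERT INTO users VALUES (?, ?)');
$insert->execute(['bluethundr', 'secretpass']);
$insert->execute(['hashed_user', password_hash('secretpass', PASSWORD_DEFAULT)]);

// 1. The comparison the posted query makes: MD5 digest against stored column
$digest = md5(trim('secretpass'));
$legacy = $db->prepare('SELECT COUNT(*) FROM users
                        WHERE user_name = ? AND password = ?');
$legacy->execute(['bluethundr', $digest]);
printf("rows matching the digest lookup: %d\n", $legacy->fetchColumn());

// 2. The hardened path against the hashed row
$cases = [
    ['hashed_user', 'secretpass'],   // correct credentials
    ['hashed_user', 'wrong'],        // wrong password
    ["o'brien", 'secretpass'],       // quote in the name is plain data here
    ['bluethundr', 'secretpass'],    // plaintext row is not a valid hash
];
foreach ($cases as $case) {
    $ok = authenticateUserSafe($db, $case[0], $case[1]);
    printf("%-12s %-11s %s\n", $case[0], $case[1], var_export($ok, true));
}
```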