ochi Posted January 20, 2010

Hello, I'm trying to do a login/logout system. The problem is that if I use $_SERVER['PHP_AUTH_USER'] it's impossible to unset the parameters, so I use a session, but I have to write my user and password twice, because the session is unset:

Login:

```php
session_start();
if (!isset($_SESSION['user'], $_SESSION['pass'])){
    Header("WWW-Authenticate: Basic realm=\"Login\"");
    Header("HTTP/1.1 401 Unauthorized");
    $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
    $_SESSION['pass'] = $_SERVER['PHP_AUTH_PW'];
    echo "Not allowed";
    exit;
}
```

Logout:

```php
session_start();
session_destroy();
header("Location: /index.php");
```

Do you know how I can solve it? Thanks! Regards

Buddski Posted January 20, 2010

Try this. Keep in mind I have only JUST read about PHP_AUTH_USER.

```php
session_start();
if (!isset($_SESSION['user']) || !isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Access Denied';
    exit;
} else {
    $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
    $_SESSION['pass'] = $_SERVER['PHP_AUTH_PW'];
}
```

Changed the && to ||

Buddski Posted January 20, 2010

Scratch that.. It doesn't work, but now I'm intrigued.

Buddski Posted January 20, 2010

After reading through the comments on php I came across this.. It may help you out:

http://www.php.net/manual/en/features.http-auth.php#51399

ochi Posted January 20, 2010

Hi! Thank you for your help. I tried a lot of different things in the same way as your first post, but it doesn't work. I also tried this example and some more examples at the same address, but I can't, it is impossible! Regards

Buddski Posted January 20, 2010

I just tried the example I posted and it works (there are a few undefined index errors and stuff but the basics are there).. Try this..

```php
function check4login()
{
    $baselink = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];

    // start a session and don't let it stop automatically:
    session_set_cookie_params(0);
    session_start();
    setcookie("PHPSESSID", session_id());

    // check if the current loading of the page is the first loading
    // after a logout:
    if ($_SESSION['logout'] != '') {
        unset($_SESSION['logout']);
        //
        // initialize a relogin on Firefox
        // (request login with username "relogin"):
        //
        // CAUTION: After that, relative hyperlinks like
        //   <a href="{$_SERVER['PHP_SELF']}">Link</a>
        // may be translated into an absolute hyperlink like
        //   http://relogin:relogin@...
        // which will lead to an error message in Firefox.
        //
        // So you always have to use absolute hyperlinks like $baselink.
        //
        if (! preg_match("/MSIE/", $_SERVER['HTTP_USER_AGENT'])) {
            $link = preg_replace("/^http:\/\/(.*)$/", "http://relogin:relogin@$1", $baselink);
            header("Location: $link");
            exit;
        }
    }

    // check if a new realm needs to be generated because
    // it's the first loading of the page (or the first loading
    // after a logout):
    //
    // Remark: The realm is generated with some random signs,
    // because Internet Explorer will forget the username if the
    // realm changes. Unfortunately Firefox doesn't do so.
    if (! isset($_SESSION['realm'])) {
        srand();
        $_SESSION['realm'] = "My Realm ";
        for ($i = 0; $i < 6; $i++) {
            $_SESSION['realm'] .= substr(".,:;-_'+~=", rand(0, 9), 1);
        }
    }

    // check if a user has already logged in before:
    if (isset($_SESSION['user'])) {
        unset($_SESSION['login']);
        return true;
    }

    // check if a user just entered a username and password:
    //
    // is_authorized() has to return 'true' if and only if
    // the username and the password given are correct.
    if (isset($_SESSION['login'])) {
        if (is_authorized($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
            $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
            unset($_SESSION['login']);
            return true;
        }
    }

    // let the browser ask for a username and a password:
    $_SESSION['login'] = true;
    header("WWW-Authenticate: Basic realm=\"{$_SESSION['realm']}\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "You need to log in before you can access this page.";
    phpinfo(); // - for testing only
    exit;
}

function is_authorized($u, $p)
{
    if ($u == 'buddski' && $p == 'admin') {
        return true;
    } else {
        return false;
    }
}

function logout()
{
    // to do a logout, all session-variables will be deleted,
    // a variable 'logout' is added:
    $_SESSION = array('logout' => true);
    echo "You were successfully logged out.";
    phpinfo(); // - for testing only
    exit;
}

var_dump(check4login());
```

The var_dump will say bool(true) if login was successful. When you want to logout just run the logout() function.. I've set it so the username is buddski and the password is admin.

ochi Posted January 20, 2010

Hello, thank you for your time. It didn't work! I don't know where my mistake is! My index.php continues:

```php
<?php
if (!is_authorized($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    echo "Not allowed";
    echo "<a href = logout.php > Try again </a>";
} else {
    //all things
}
```

When I open it, it always shows me the "not allowed" message. I put the logout in another php file, is that correct? Thank you! Regards

Notoriouswow Posted January 20, 2010

> Hello, thank you for your time. It didn't work! I don't know where is my mistake! my index.php continues:
>
> ```php
> <?php
> if (!is_authorized($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
>     echo "Not allowed";
>     echo "<a href = logout.php > Try again </a>";
> } else {
>     //all things
> }
> ```
>
> When I open it, it always show me the "not allowed" message. I put the logout in another php file, is correct? Thank you! Regards

I'm not sure if this is your problem, it could be something simple and stupid like this....

```php
<?php
if (!is_authorized($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    echo "Not allowed";
    echo "<a href='logout.php' target=''>Try again</a>";
} else {
    //all things
    //set target='_blank' to open it in a new window
}
```

ochi Posted January 20, 2010

Hello, I tried the target _blank but it didn't work. Anyway, the mistake only happens when I saved the window in Firefox (I'm sorry, I don't know the English word: in Firefox or Internet Explorer, you can open different web sites in different windows but there is just one Firefox open, do you understand what I mean?). So, if the window is closed, it works perfectly, so it has to be a stupid mistake, but they are the most difficult to find!!!! Thank you! Regards

crabfinger Posted January 20, 2010

Alright, with user logging the most essential thing is to make sure that the user is in fact the user, so you need a function to check information against the database. Whenever I have to deal with users I make sure that there is a unique id in the database and then check everything against what is returned once I get the user id.

```php
<?php
// Note: the mysql_* functions used here were removed in PHP 7;
// on current PHP this needs porting to mysqli or PDO.
function validate_user($user_password = NULL, $user_id = NULL)
{
    // set $user_id to a session variable if not supplied or non-numeric,
    // or NULL if it can't find the session variable
    $user_id = ($user_id === NULL || !is_numeric($user_id))
        ? (isset($_SESSION['user_id']) ? $_SESSION['user_id'] : NULL)
        : $user_id;
    // fall back to the session value for the password hash as well
    $user_password = ($user_password === NULL && isset($_SESSION['user_password']))
        ? $_SESSION['user_password']
        : $user_password;

    if ($user_id !== NULL) {
        // cast to int so only a number reaches the query
        $query = 'SELECT user_password FROM users WHERE user_id="' . (int) $user_id . '"';
        $result = @mysql_query($query);
        if ($result) {
            // fetch from the result resource, not from the query string
            $array = mysql_fetch_array($result);
            if ($array && $user_password !== NULL && $array['user_password'] === $user_password) {
                return TRUE;
            } else {
                $_SESSION['errors'][] = 'validate_user() (' . time() . '): Password incorrect';
                return FALSE;
            }
        } else {
            $_SESSION['errors'][] = 'validate_user() (' . time() . '): ' . mysql_error();
            return FALSE;
        }
    } else {
        $_SESSION['errors'][] = 'validate_user() (' . time() . '): Unable to validate user';
        return FALSE;
    }
}
?>
```

If this function returns true then the user is who they say they are. So now we need to use the function to either log the user in or out.

```php
<?php
// validate_user() from the block above must be defined or included before this point
session_start();
$login_success_page = ''; // set this to where you want to send your users after they login.

if (validate_user()) {
    session_unset();
    print 'You have successfully logged out';
} else {
    if (isset($_POST['submit'])) {
        $user_name = mysql_real_escape_string($_POST['user_name']);
        $query = 'SELECT user_id FROM users WHERE user_name="' . $user_name . '"';
        $result = @mysql_query($query);
        // a successful query can still return no row, so check the fetch as well
        if ($result && ($array = mysql_fetch_array($result))) {
            $user_password = hash('sha512', $_POST['user_password']); // set this to whatever encryption you want to use
            if (validate_user($user_password, $array['user_id'])) {
                $_SESSION['user_id'] = $array['user_id'];
                $_SESSION['user_password'] = $user_password;
                header('location:' . $login_success_page);
                exit; // stop here so the form is not sent after the redirect
            } else {
                print 'Incorrect password';
            }
        } else {
            $_SESSION['errors'][] = mysql_error();
            print 'User name does not exist';
        }
    }
?>
<form action="" method="post">
  <table align="center" cellpadding="1" cellspacing="0">
    <tr>
      <td> User Name: </td>
      <td width="100%"> <input type="text" name="user_name" /> </td>
    </tr>
    <tr>
      <td> Pass Word: </td>
      <td width="100%"> <input type="password" name="user_password" /> </td>
    </tr>
    <tr>
      <td style="text-align: right"> <input type="submit" name="submit" value="Log In" /> </td>
    </tr>
  </table>
</form>
<?php
}
?>
```
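
A hardened variant of the database login check described in the post above, as an added example that is not crabfinger's code: it binds the user name as a query parameter, checks the password with `password_hash()`/`password_verify()` instead of comparing a bare SHA-512 digest, and keeps only the user id in the session. The in-memory SQLite database (needs the pdo_sqlite extension), the `alice` account, and the helper names `find_user`, `log_in` and `log_out` are assumptions made so the block runs from the command line.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// post above; the in-memory SQLite database and the account are constructed.
define('DUMMY_HASH', password_hash('unused placeholder', PASSWORD_DEFAULT));

function find_user(PDO $db, string $user_name): ?array
{
    // Bound parameter: the name is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT user_id, user_password FROM users WHERE user_name = ?');
    $stmt->execute([$user_name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function log_in(PDO $db, array &$session, string $user_name, string $password): bool
{
    $row = find_user($db, $user_name);
    // Unknown user: still verify against a dummy hash so both paths do similar work.
    $ok = password_verify($password, $row['user_password'] ?? DUMMY_HASH);
    if ($row === null || !$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $session['user_id'] = (int) $row['user_id']; // store the id only, not the password or hash
    return true;
}

function log_out(array &$session): void
{
    $session = []; // drop server-side state; the next request is anonymous
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Constructed demo data; pass $_SESSION instead of $session in a real page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, user_password TEXT)');
$db->prepare('INSERT INTO users (user_name, user_password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];
var_dump(log_in($db, $session, 'alice', 'wrong guess'));   // wrong password
var_dump(log_in($db, $session, 'nobody', 'anything'));     // unknown user
var_dump(log_in($db, $session, 'alice', 'correct horse')); // correct password
log_out($session);
```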

Notoriouswow Posted January 20, 2010

> Hello, I tried the target _blank but it didn't work, anyway, the mistake just happen when I saved the window in firefox (I'm sorry, i don't know the english word, in firefox or internet explorer, you can open different web sites in different windows but there is just one firefox open, do you understand what i mean?) So, if the window is closed, it works perfectly, so, it have to be an stupid mistake, but they are the most difficult to find!!!! Thank you! Regards

Yes, I know exactly what you mean. A new tab is what they are called, just another open explorer document in the same window. But is this your whole code? Or just a snippet of it? Here's my login code, you may be able to get it to work. You just need to set some variables.

```php
<?php
//require_once "maincore.php";
//require_once "subheader.php";
//require_once "side_left.php";

if (iMEMBER) {
    header("Location:index.php");
} else {
    opentable($locale['060']);
    echo "<div align='center'>
<form name='loginform' method='post' action='".FUSION_SELF."'>
".$locale['061']."<br>
<input type='text' name='user_name' class='textbox' style='width:100px'><br>
".$locale['062']."<br>
<input type='password' name='user_pass' class='textbox' style='width:100px'><br>
<input type='checkbox' name='remember_me' value='y'>".$locale['063']."<br><br>
<input type='submit' name='login' value='Login' class='button'><br>
</form>
<br>
</div>\n";
    closetable();
}

//require_once "side_right.php";
//require_once "footer.php";
//Leave all of the functions require_once ""; coded out, they are just style sheets for my website.
?>
```

ochi Posted January 20, 2010

I found it!!! I put it here because I hope it helps somebody else. The problem was:

```php
if (isset($_SESSION['user'])) {
    unset($_SESSION['login']);
    return true;
}
```

It returned true and broke out, so it didn't continue. I deleted these lines and it works just as I want. Thank you everyone! Regards