Login Code Not Working For Subdirectory

[DeX]

Hi, I have a website with the following structure:

www.mydomain.com - main public site

www.mydomain.com/intranet - internal site locked down with login script

www.mydomain.com/intranet/blog - internal blog should be locked down by same script as intranet

 

So I added a login script to the index.php page of /intranet/ and to every other page I added a check script as outlined below:

<?
require('includes/config/config.inc.php');
require('includes/classes/Database.class.php');
require('intranet/includes/func.php');
session_start(); 
/********************************* ******************
LOGIN CHECK
***************************************************/
if (isset($_SESSION['auth'])){
$db3 = new Database($config['server'], $config['user'], $config['pass'], $config['database']);
$db3->connect();
$sql3 = "SELECT * FROM member WHERE auth='" . $_SESSION['auth'] ."'";
$row3 = $db3->query_first($sql3);
if($_SESSION['auth'] != $row3['auth'] || $row3['access'] != "0"){
header("Location: index.php?error=badlogin");
} 
} else {
header("Location: index.php?error=noauth");
}


$db = new Database($config['server'], $config['user'], $config['pass'], $config['database']);
$db->connect();

$sql ="SELECT * FROM member";
$row = $db->query($sql);
$users = $db->fetch_all_array($sql);
$count = $db->affected_rows;

$db2 = new Database($config['server'], $config['user'], $config['pass'], $config['database']);
$db2->connect();

$sql2 ="SELECT * FROM filesecure";
$row2 = $db2->query($sql2);
$count2 = $db2->affected_rows;	
?>

 

Now this code works perfect for the /intranet/ directory, login/logout works fine. My problem is I added the same script, with "../" in front of the file references, to the /intranet/blog/ directory and it won't accept that I'm logged in. It boots me out to the login page again.

Even if I try to navigate to the /intranet/blog/index.php page, it'll redirect me to the /intranet/index.php page to log in like it should. I log in, then it brings me to the /intranet/home.php page like it should once I'm logged in. Then I click a link to get to /intranet/blog/index.php and it redirects me to the login page again. Why doesn't it realize I'm logged in? Does the session() variable not work for subdirectories?

 

For what it's worth, the /intranet/blog/ directory is built on a Wordpress install and I added the login check script to the top of the index.php page for the template I'm using. Thanks!

[trq]

If $_SESSION['auth'] is set, why are you querying the database again on every page in the first place?

[DeX]

Thanks for the reply.

Don't I have to? I need to see if the variable is set and then if it equals a valid login value for that user. Would you suggest another way?

[trq]

You validate the user once when they login, if they validate, set $_SESSION['auth'] to true.

 

Then all you need do to see if a user is logged in is....

 

session_start();
if (isset($_SESSION['auth'])) {
  // user is logged in
}

[DeX]

Thank you, I'll try that when I get home. Maybe the extra database check is causing it to fail. Should your solution work for subdirectories as well?

[trq]

Should your solution work for subdirectories as well?

 

Yep.

[DeX]

I added this script:

if (isset($_SESSION['auth'])){
echo "1";
} else {
echo "2";
}
?>

and it works perfect. When I'm logged in it will show a 1 and when I'm logged out it'll show a 2.

 

So I added a redirect to bring the user back to the login page if they're not logged in like so:

if (isset($_SESSION['auth'])){

} else {
	header("Location: ../intranet/index.php?error=noauth");
}
?>

...and it doesn't work. Instead of redirecting to the login page, it just loads the blog as if there were no redirect at all. What did I do wrong?

[PFMaBiSmAd]

A) You need an exit; statement after the header() redirect to prevent the remainder of the code on the page from being executed while the browser requests the target URL in the redirect.

 

B) You likely have output occurring before the header that is preventing the header from working. Are you developing and debugging php code on a system with error_reporting set to E_ALL and display_errors set to ON so that all php errors will be reported and displayed?

[DeX]

Thanks, all I had to do was add the exit; code and it worked perfect.

 

Now there's one last problem. I changed the code on all the /intranet/ pages and also the /intranet/blog/ pages to be:

 

<?
require('includes/config/config.inc.php');
require('includes/classes/Database.class.php');
require('intranet/includes/func.php');
session_start(); 
/********************************* ******************
LOGIN CHECK
***************************************************/
if (isset($_SESSION['auth'])){

} else {
	header("Location: ../intranet/index.php?error=noauth");
                exit;
}
?>

 

Only the blog has the ../ part of the relative path, the intranet doesn't have it for obvious reasons.....because it's a relative path.

 

So I go to the /intranet/ site and it asks me to log in, great.

I log in and it allows me to navigate around /intranet/, great.

I click the link to go to the /intranet/blog/ and that works, great.

I click the link to go back to /intranet/ and it asks me to log in again.

 

What have I got done now?

[PFMaBiSmAd]

Your links are probably inconstantly using www. or no www. on the URL's and the session.cookie_domain is not setup to match all variations of your domain -

 

session.cookie_domain string

session.cookie_domain specifies the domain to set in session_cookie. Default is none at all meaning the host name of the server which generated the cookie according to cookies specification. See also session_get_cookie_params() and session_set_cookie_params().

[DeX]

Hmmm.......nope.

I go to www.mydomain.com/intranet/ and log in, works great.

Then I add /blog/ into the address bar and that brings me to the blog as a logged in user, great.

Then I delete the /blog/ from the address bar and it asks me to log in again.

 

This is without using any links, just manually entering the addresses myself.

[ignace]

What code do you have on blog? I assume somewhere in that code you invalidate the auth session

[DeX]

I got it working. With Wordpress there's an index.php page in the root directory and a line of code in there that simply specifies whether or not you're using a template and then references the index.php from the template folder. Instead of putting the session check in this root index page, I had to put it at the top of the template's index page.

Thanks, everyone!