
Authentication session problem.


paddyhaig


 

 

Please can someone help me create a way of securing the pages of my website with a session cookie.

At present you can wander directories simply by manipulating the URL.

I need a way to secure the pages if you do not have the correct credentials.

I want different users to have different levels of access.

 

Here's a copy of my present authentication form: index.php

 


<html>
<head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title>Login</title>
<link href="includes/primary_layout.css" rel="stylesheet" type="text/css" />
<!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]-->
</head>
<body onLoad="document.getElementById('account').focus()">
<div id="text">
<div id="wrapper">
<div id="small-blue-box">
<div id="form0">
<form action="scripts/authenticate/auth.php" method="POST">
<div>
<div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account:
<input name="account" type="text" id="account" value="info@example.com" size="20">
</div>
</div>
<div>
<div align="center">Username:
<input name="username" type="text" id="username" size="20">
</div>
</div>
<div>
<div align="center"><label for="password">Password:</label>
<input name="password" type="password" id="password" size="20">
</div>
</div>
<p align="center">
<!-- an image input submits the form by itself; the broken onClick="document.submit();" handler is not needed -->
<input type="image" src="graphics/general/login_button.jpg" width="150" height="28" alt="login">
</p>
</form>
</div>
</div>
<?php include("includes/footer.inc"); ?>
</div>
</div>
</body>
</html>

 

Here's a copy of the auth.php script, which is called by the above.

 


<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
  $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
  mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
  
  $login = mysql_real_escape_string($_POST['username'], $db);
  $password = mysql_real_escape_string($_POST['password'], $db);
  
  // The submitted password is compared with the stored column as-is,
  // so this table holds passwords in clear text.
  $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
  $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
  if (0 === mysql_num_rows($result)) {
    header('Location: ../../index.php');
    exit(0);
  }
  
  $row = mysql_fetch_assoc($result);
  $privilage = $row['privilage'];
  
  // session_start() must run before any output; this call is what sets the PHPSESSID cookie.
  session_start();
  $_SESSION['username'] = $login;
  $_SESSION['privilage'] = $privilage;
  
  if ('receptionist' === $privilage) {
    header('Location: ../../receptionists/index.php');
    exit(0);
  }

  if ('manager' === $privilage) {
    header('Location: ../../managers/index.php');
    exit(0);
  }

  if ('administrator' === $privilage) {
    header('Location: ../../admin/index.php');
    exit(0);
  }
  // Any other privilage value falls through here and produces a blank page.
}
?>

 

This is my present cookie information:

 

 

Name     PHPSESSID
Value    p2r4il0jeadghdoa7h4hb7uku5
Host     www.example.com
Path     /
Secure   No
Expires  At End Of Session

 

 

This is one of many pages I would like to secure:

 

 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Concierge Admin Index</title>
<link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="large-blue-box">
<div id="form1">

<?php /* include("../includes/footer.inc"); I would like to make all the below code an include.
   (PHP tags inside an HTML comment are still executed by the server, so the include is disabled with a PHP comment instead.) */ ?>

  <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
  <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
  <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
  <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
  <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
</div>
<div id="form2">
  <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
  <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
<p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
<p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
<p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
</div>
<div id="form3">
  <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
  <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
<p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
  <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
  <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
</div>
</div>
<?php include("../includes/footer.inc"); ?>
</div>
</body>
</html>

 

 

 


Pikachu2000, it seems like people simply move on to other problems. I have had about 4 people give suggestions that simply didn't work. Then my php issue is simply just forgotten about. So I have to re-post it, so I can get some fresh blood to take a look at it. Take yourself for example, you're offering nothing but criticism. I do apologize if I sound rude, but it's a fact. It seems to me that I have to keep baiting the hook until someone helps me.

 


georgebates, I have just looked at the page you suggested and it all looked like Greek to me, please excuse me if you are actually Greek. I am a newbie, you all started somewhere. I am trying to fix something I made and worked 7 years ago, since then my life was thrown upside down in New Orleans with Katrina, I haven't been near code in 5 years, I can't seem to remember a thing. All I am looking for is a little help. Fortunately I got some great help in the css area. Now I seem to have a handle on css again. My problem now lies with a bunch of php scripts that I can't believe I once wrote. But I did!


Actually My georgebates, I have managed to read and understand the page you suggested I read it and none of it seems to apply to me. Here's why: there is no setcookie() used anywhere in the code on any of the pages, however a cookie is being generated. How's that?


Actually My georgebates, I have managed to read and understand the page you suggested I read it and none of it seems to apply to me. Here's why: there is no setcookie() used anywhere in the code on any of the pages, however a cookie is being generated. How's that?

 

Depending on your php.ini, session variables could be stored using cookies so they will be created automatically even if you don't call setcookie.

 

 

To check whether or not a user has access to a specific page, add this to the top of the pages that you want to secure:

 

<?php session_start();
// the session key must be spelled the same way here and in auth.php ('privilege')
if (! isset($_SESSION['privilege'])) {
    // redirect to your login page
    header("Location: loginpage.php");
    exit;
} else {
    // check to make sure the privilege is correct for this page
    // modify as needed
    if ($_SESSION['privilege'] != 'manager') {
        die('You do not have the privilege to access this page.');
    }
}
?>

 

HTH
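The snippet above is the page gate the thread is after; the include below is an added example, not code from any poster here, that carries the same idea further: it sets the cookie flags the cookie dump earlier in the thread lacked (Secure: No), discards idle logins, and takes an allow-list of roles so one include serves the admin/, managers/ and receptionists/ directories. It assumes PHP 7.3 or later and a login script that stored 'privilege' in $_SESSION, as the thread's auth.php does; the file name auth_check.php and the IDLE_LIMIT value are assumptions.

```php
<?php
// auth_check.php: added example (not any poster's code). Assumes PHP 7.3+ and a
// login script that stored 'privilege' in $_SESSION, as the thread's auth.php does.
// Put this before any output on a protected page, then name the roles allowed there:
//   require __DIR__ . '/../includes/auth_check.php';
//   require_privilege(['administrator']);               // admin/ pages
//   require_privilege(['administrator', 'manager']);    // managers/ pages
declare(strict_types=1);

const LOGIN_FORM = '/index.php';  // site-absolute: a relative Location depends on the calling directory
const IDLE_LIMIT = 1800;          // assumed: seconds without a request before the login is discarded

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Send the session cookie only over HTTPS (the thread's dump showed Secure: No),
    // keep it away from JavaScript, and do not attach it to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

// Ends the session and sends the browser to the login form.
function bounce_to_login(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: ' . LOGIN_FORM, true, 303);
    exit;
}

function require_privilege(array $allowed): void
{
    start_secure_session();

    if (!isset($_SESSION['privilege'])) {
        bounce_to_login();                 // never logged in
    }
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - (int) $_SESSION['last_seen']) > IDLE_LIMIT) {
        bounce_to_login();                 // logged in once, but idle too long
    }
    $_SESSION['last_seen'] = $now;

    // Strict comparison: a privilege of "0" or "" must not match anything.
    if (!in_array($_SESSION['privilege'], $allowed, true)) {
        http_response_code(403);           // logged in, but wrong role for this page
        exit('You do not have the privilege to access this page.');
    }
}
```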


Thanks Mr Mc!

 

Here are my discoveries so far...

 

I think I have found the last bit of the puzzle, this may have been an include in my general pages.

 

 

<?php

// if the log-out button is clicked, destroy the cookies 
// and tell the user that they have logged out. 
// ($submit relied on register_globals, which is off in modern PHP: read $_POST instead.)
// Note: these 'username'/'auth_level' cookies are separate from the PHPSESSID
// session cookie; ending a session needs session_start() followed by session_destroy().

if (isset($_POST['submit'])) { 
    setcookie('username', '', time() - 3600); 
    setcookie('auth_level', '', time() - 3600); 
    echo "You've successfully logged out."; 
} else { 
     
    // Make sure that if someone is accessing 
    // the page without access, that they can't 
    // execute the script 
     
    if (empty($_COOKIE['username'])) { 
        header("Location: ../../index.php");
        exit;
    } 
     
    // otherwise, display their username and access level 
    // when they first arrive from the auth.php link 
    // and give them the option to log-out 
    // (the cookie value is user-controlled, so escape it before echoing it into HTML)
     
?> 

<u>Your User Name</u>: <b><?php echo htmlspecialchars($_COOKIE['username'], ENT_QUOTES, 'UTF-8'); ?></b><br /> 

<form method="POST" action="http://localhost/concierge/">
<!-- alternative: post back to this same script via $_SERVER['PHP_SELF'], escaped with htmlspecialchars() -->
<input type="submit" value="Logout" name="submit"> 
</form> 

<?php 

// close the script 

} 
?>

 

Here's something I discovered: the session_start() (whatever you call it) that is in the auth.php script, in combination with the <form action="scripts/authenticate/auth.php" method="POST"> from the index.php authentication form, is what's generating the session cookie that is now residing in my browser. I found this last bit of code above that I believe is designed to kill the session cookie.

What I need is something in the head of every page that checks that cookie data.


Mr McD, I tried your code out and it keeps throwing me back to the authentication form.

Oh, I also made changes to the spelling of 'privilege' in both the snippet of code and the backend auth.php script. My bad!

 

Is there some way that I can check to see if the privilege is being passed in the cookie?

Here's where I added the code, I also tried it below the <head> to no avail.

<?php session_start();
if (! isset($_SESSION['privilege'])) { // privilege?
    // redirect to your login page
    header("Location: ../index.php");
    exit;
} else {
    // check to make sure the privilege is correct for this page
    // modify as needed
    if ($_SESSION['privilege'] != 'privilege') {
        die('You do not have the privilege to access this page.');
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Concierge Admin Index</title>
<link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="large-blue-box">
<div id="form1">

<?php /* include("../includes/footer.inc"); I would like to make all the below code an include.
   (PHP tags inside an HTML comment are still executed by the server, so the include is disabled with a PHP comment instead.) */ ?>

  <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
  <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
  <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
  <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
  <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
</div>
<div id="form2">
  <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
  <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
<p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
<p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
<p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
</div>
<div id="form3">
  <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
  <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
<p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
  <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
  <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
</div>
</div>
<?php include("../includes/footer.inc"); ?>
</div>
</body>
</html>


I tried just about everything with the below code, however I feel we are onto something. The three levels of access are administrator, manager, receptionist.

I changed it on this line and tried it to no avail.

 

if ($_SESSION['privilege'] != 'privilege') {

if ($_SESSION['administrator'] != 'administrator') {

if ($_SESSION['privilege'] != 'administrator') {

 

<?php session_start();
if (! isset($_SESSION['privilege'])) { // privilege?
    // redirect to your login page
    header("Location: ../index.php");
    exit;
} else {
    // check to make sure the privilege is correct for this page
    // modify as needed
    if ($_SESSION['privilege'] != 'administrator') {
        die('You do not have the privilege to access this page.');
    }
}
?>


  • 2 weeks later...

So after a week of looking everywhere to get a little help, I eventually managed to fix it myself. Here's a working cookie/privilege-based authentication script. I do however wish to thank everyone for their efforts. Please see attached db schema.

 

 

Here is the relevant html authentication form info:

 

<form action="scripts/authenticate/auth.php" method="POST">
Account:
<input name="account" type="text" id="account" value="info@example.com" size="20">
Username:
<input name="username" type="text" id="username" size="20">
<label for="password">Password:</label>
<input name="password" type="password" id="password" size="20">
<input type="image" src="graphics/general/login_button.jpg" width="150" height="28" alt="login">
</form>

 

 

Here is the processing script after I fixed it:

 

<?php
if (isset($_POST['username']) && isset($_POST['password'])) {

  $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
  mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
  
  $login = mysql_real_escape_string($_POST['username'], $db);
  $password = mysql_real_escape_string($_POST['password'], $db);

  // The submitted password is compared with the stored column as-is,
  // so this table holds passwords in clear text.
  $query = "SELECT privilege FROM auth WHERE login = '$login' AND password = '$password'";
  $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());

  if (0 == mysql_num_rows($result)) {
    header('Location: ../../index.php');
    exit(0);
  }

  $row = mysql_fetch_assoc($result);
  $privilege = $row['privilege'];

  // session_start() must run before any output; the key name 'privilege' must match the page check.
  session_start();
  $_SESSION['username'] = $login;
  $_SESSION['privilege'] = $privilege;

  if ('receptionist' === $privilege) {
    header('Location: ../../receptionists/index.php');
    exit(0);
  }

  if ('manager' === $privilege) {
    header('Location: ../../managers/index.php');
    exit(0);
  }

  if ('administrator' === $privilege) {
    header('Location: ../../admin/index.php');
    exit(0);
  }
  // Any other privilege value falls through here and produces a blank page.
}
?>

 

Here is what needs to be placed in the head of every page (With appropriate changes):

 

<?php session_start();
if (! isset($_SESSION['privilege'])) { // privilege?
    // redirect to your login page
    header("Location: ../index.php");
    exit;
} else {
   
    // check to make sure the privilege is correct for this page
    // modify as needed. 
    // That is the != 'privilege') could be: 
    // != 'administrator') or != 'manager') or != 'receptionist') 
    // Just add this to the head of the page you want to limit access to.
    // For example add this script with != 'privilege') changed to != 'receptionist') 
    // if you want to limit access to the page to just those with receptionist privileges.
  
  if ($_SESSION['privilege'] != 'privilege') {
        die('You do not have the privilege to access this page.');
    }
}
?>

 

 

[attachment deleted by admin]
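The processing script above compares the submitted password with the stored one in clear text, builds the query from escaped strings, and keeps the session id it was given before login. The rewrite below is an added example, not the poster's code: it assumes PHP 7.3 or later, a PDO connection, and that the `password` column of the `auth` table holds a password_hash() string (written with password_hash($plain, PASSWORD_DEFAULT) when an account is created); the role names and landing pages are the thread's, and the 'last_seen' key is an assumption.

```php
<?php
// Added example: hardened replacement for the thread's auth.php (not the poster's code).
// Assumes PHP 7.3+, PDO, and that auth.password holds a password_hash() string.
declare(strict_types=1);

const LOGIN_FORM = '/index.php';
const LANDING = [                       // role -> page, as in the thread
    'receptionist'  => '/receptionists/index.php',
    'manager'       => '/managers/index.php',
    'administrator' => '/admin/index.php',
];

// Returns the user's privilege on success, null on failure.
function authenticate(PDO $db, string $login, string $password): ?string
{
    // Prepared statement: the login value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password, privilege FROM auth WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    // Always run one hash verification, even for unknown logins, so the
    // response time does not reveal which usernames exist.
    $hash = $row['password'] ?? password_hash('unknown-user-placeholder', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return null;
    }
    return (string) $row['privilege'];
}

function login_and_redirect(PDO $db): void
{
    if (!isset($_POST['username'], $_POST['password'])) {
        header('Location: ' . LOGIN_FORM, true, 303);
        exit;
    }

    // Session cookie flags the thread's cookie dump lacked (Secure: No).
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();

    $privilege = authenticate($db, (string) $_POST['username'], (string) $_POST['password']);
    if ($privilege === null || !isset(LANDING[$privilege])) {
        // Failed login or unknown role: leave no stale role in the session.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_FORM, true, 303);
        exit;
    }

    // New session id on privilege change, so an id set before login
    // (session fixation) cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['username']  = (string) $_POST['username'];
    $_SESSION['privilege'] = $privilege;
    $_SESSION['last_seen'] = time();   // assumed key, for an idle timeout in the page check

    header('Location: ' . LANDING[$privilege], true, 303);
    exit;
}

$db = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4', 'example', 'example',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
login_and_redirect($db);
```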
