paddyhaig Posted May 22, 2010

Need real genius to work this one out. Over 30 people have failed so far. Authentication session problem.

Please can someone help me create a way of securing the pages of my website with a session cookie. At present you can wander directories simply by manipulating the URL. I need a way to secure the pages if you do not have the correct login credentials. I want different users to have different levels of access. It seems that a cookie has already been created in my browser; that information you will see below.

Here's a copy of my present authentication form: index.php

```html
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Login</title>
<link href="includes/primary_layout.css" rel="stylesheet" type="text/css" />
<!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]-->
<link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
</head>
<body onLoad="document.getElementById('account').focus()">
<div id="text">
<div id="wrapper">
<div id="small-blue-box">
<div id="form0">
<form action="scripts/authenticate/auth.php" method="POST">
<div>
<div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account: <input name="account" type="text" id="account" value="[email protected]" size="20"></div>
</div>
<div>
<div align="center">Username: <input name="username" type="text" id="username" size="20"></div>
</div>
<div>
<label for="password">
<div align="center">Password: <input name="password" type="password" id="password" size="20"></div>
</label>
</div>
<p align="center">
<!-- an image input submits the form on its own; the original onClick attribute was missing its closing quote and called a non-existent document.submit() -->
<input type="image" src="graphics/general/login_button.jpg" alt="login">
</p>
<p><img src="graphics/general/login_button.jpg" width="150" height="28" alt="login"></p>
</form>
</div>
</div>
<?php include("includes/footer.inc"); ?>
</div>
</body>
</html>
```

Here's a copy of the auth.php script, which is called by the above:

```php
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    // Legacy mysql_* extension as posted (removed in PHP 7; mysqli or PDO today)
    $db = mysql_connect('localhost', 'example', 'example')
        or die("Couldn't connect to the database<br>" . mysql_error());
    mysql_select_db('example', $db)
        or die("Couldn't select<br>" . mysql_error());

    $login    = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);

    // The password is compared exactly as typed against the stored column
    $query  = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
    $result = mysql_query($query, $db)
        or die("Problem with the query: $query<br>" . mysql_error());

    if (0 === mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
    }

    $row       = mysql_fetch_assoc($result);
    $privilage = $row['privilage'];

    // session_start() is what sends the PHPSESSID cookie; it must run before any output
    session_start();
    $_SESSION['username']  = $login;
    $_SESSION['privilage'] = $privilage;

    if ('receptionist' === $privilage) {
        header('Location: ../../receptionists/index.php');
        exit(0);
    }
    if ('manager' === $privilage) {
        header('Location: ../../managers/index.php');
        exit(0);
    }
    if ('administrator' === $privilage) {
        header('Location: ../../admin/index.php');
        exit(0);
    }
}
?>
```

This is my present cookie information:

Name: PHPSESSID
Value: p2r4il0jeadghdoa7h4hb7uku5
Host: www.example.com
Path: /
Secure: No
Expires: At End Of Session

This is one of many pages I would like to secure:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Concierge Admin Index</title>
<link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="large-blue-box">
<div id="form1">
<!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
<p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
<p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
<p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
<p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
<p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
</div>
<div id="form2">
<p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
<p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
<p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
<p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
<p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
</div>
<div id="form3">
<p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
<p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
<p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
<p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
<p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
</div>
</div>
<?php include("../includes/footer.inc"); ?>
</div>
</body>
</html>
```

I think I have found the last bit of the puzzle; this may have been an include in my general pages.

```php
<?php
// if the log-out button is clicked, destroy the cookies
// and tell the user that they have logged out.
// (the original tested a bare $submit, which only works with register_globals on)
if (isset($_POST['submit'])) {
    setcookie('username', '', time() - 3600);
    setcookie('auth_level', '', time() - 3600);
    echo "You've successfully logged out.";
} else {
    // Make sure that if someone is accessing
    // the page without access, that they can't
    // execute the script
    if (empty($_COOKIE['username'])) {
        header("Location: ../../index.php");
        exit;
    }
    // otherwise, display their username and access level
    // when they first arrive from the auth.php link
    // and give them the option to log-out
?>
<u>Your User Name</u>: <b><?php echo $_COOKIE['username']; ?></b><br />
<form method="POST" action="http://localhost/concierge/">
<!-- <form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>"> -->
<input type="submit" value="Logout" name="submit">
</form>
<?php
    // close the script
}
?>
```

Here's something I discovered: the session_start() (whatever you call it) that is in the auth.php script, in combination with the <form action="scripts/authenticate/auth.php" method="POST"> from the index.php authentication form, is what's generating the session cookie that is now residing in my browser. I found this last bit of code above that I believe is designed to kill the session cookie. What I need is something in the head of every page that checks that cookie's data and allows the person logging in with specific credentials access to specific documents and folders.
Tonic-_- Posted May 23, 2010

The best, most secure way I can say this is using only the session and not cookies; this is only if you want to take extra measures. If you use only a session then you can store the correct variables such as username (saves a query on the MySQL process), auth level (also saves resources) and a session variable to tell your system the user is logged in, i.e. $_SESSION['logged'] = TRUE; Then on the pages you can have simple if statements to check if the user is logged in; if so, check which auth level he has and then the content. Of course you can take those ideas and apply them in far better code, but it's just an example of what you can do. Sessions expire, unlike cookies where you can set when they expire; if you use cookies to let the user stay logged in you will need to store the user password in a cookie with the username and other stuff. Same concept. I recommend having one function handle whether the user is logged in with cookies, though; it saves countless space on your pages and optimizes your code.
paddyhaig Posted May 23, 2010 (Author)

Tonic, this is interesting. Is it possible you could give me an example, using the code I have already posted, of what I would add to the headers?
Tonic-_- Posted May 23, 2010

Well, the more in depth that I looked at it. To simply check the session you would need to add

```php
<?php session_start(); ?>
```

at the top of every page you want to secure to start the session. Then to check if there is data in that session and to check the user's permissions you would add something like this...

```php
<?php
session_start(); // must run before any output, on every page that uses $_SESSION
if (isset($_SESSION['username'])) { // Check if the username is set
    if ($_SESSION['privilage'] === "administrator") { // Check if the user is an administrator, allowed to access this page
        // Rest of coding here to show the user the admin controls
    } else {
        echo "<p>You do not have the right permissions to access this page</p>";
    }
} else {
    // User is not logged in.
    echo "<p>You do not appear to be logged in, please log in.</p>";
}
?>
```

That is a way to check if a user is logged in, and if so, check if they have permission; by looking over that simple coding you will know what to edit and do with it. It's simple and pretty secure; you can't really fake a session. You can, however, get rid of that setcookie information because you aren't really using cookies in this form at all. You are using a session, which by default automatically expires after a user closes their browser or hasn't visited the domain in a specific amount of time. But if you want to be more secure I suggest encrypting user passwords, because I looked over your auth.php and there is no real encryption, just plain text being compared to what is in the database. I recommend looking at md5() to encrypt user passwords in an MD5 hash; that way if someone gets ahold of your database they won't steal any passwords, as md5 is pretty hard to crack unless they have a salt, which you won't be generating.
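A fuller version of the per-page check Tonic describes, written here as an added example rather than code from either poster: a single include that starts the session with HttpOnly and Secure cookie flags, regenerates the session id when the login succeeds (so a session id planted before login cannot be reused afterwards), enforces an idle timeout, and compares the role stored server-side in the session against the role a page requires. It keeps the thread's `$_SESSION['username']` and `$_SESSION['privilage']` keys and the three role names from auth.php; the file name `auth_check.php`, the function names, the role ordering (administrator above manager above receptionist), the `logged_in` and `last_seen` keys, and the `password_hash()`-based comparison sketched in the usage comments (in place of the plain-text comparison in auth.php) are all assumptions.

```php
<?php
// auth_check.php: added example, not code from the thread.
// Require this at the very top of every protected page, before any HTML output.
// Role names and the $_SESSION keys 'username' / 'privilage' follow auth.php;
// the rank ordering, the extra keys and the function names are assumptions.

declare(strict_types=1);

const ROLE_RANK = [
    'receptionist'  => 1,
    'manager'       => 2,
    'administrator' => 3,
];

// Start the session with cookie flags that keep the session id away from
// page scripts (HttpOnly) and off plain-HTTP connections (Secure).
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,                 // cookie ends when the browser closes
        'path'     => '/',
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from auth.php once the credentials check succeeds. A fresh session id
// means a session fixed by a third party before login does not become authenticated.
function establish_login(string $username, string $privilage): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['privilage'] = $privilage;
    $_SESSION['logged_in'] = true;
    $_SESSION['last_seen'] = time();
}

// Clears the server-side session and expires the browser's session cookie.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns the user's role when the session holds a valid, non-idle login whose
// role ranks at least $required; otherwise redirects to the login form (or
// answers 403) and stops the page. The browser only ever holds the opaque
// session id, so the role cannot be edited client-side.
function require_role(string $required, string $login_url = '/index.php', int $idle_limit = 1800): string
{
    start_secure_session();

    $ok = !empty($_SESSION['logged_in'])
        && isset($_SESSION['privilage'], $_SESSION['last_seen'])
        && isset(ROLE_RANK[$_SESSION['privilage']])
        && (time() - (int) $_SESSION['last_seen']) <= $idle_limit;

    if (!$ok) {
        logout();
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();

    if (ROLE_RANK[$_SESSION['privilage']] < ROLE_RANK[$required]) {
        http_response_code(403);
        exit('You do not have the right permissions to access this page.');
    }
    return $_SESSION['privilage'];
}

// Usage in auth.php (assumes a password_hash column holding password_hash() output,
// which the thread's auth table does not yet have):
//   if ($row && password_verify($_POST['password'], $row['password_hash'])) {
//       establish_login($login, $row['privilage']);
//   }
// Usage at the top of admin/index.php:
//   require __DIR__ . '/../includes/auth_check.php';
//   $role = require_role('administrator');
```

The check lives in one include so that every page in `admin/`, `managers/` and `receptionists/` calls the same function with a different required role; a directory listing reached by editing the URL then redirects to the login form unless the session already carries a role of sufficient rank.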