
Archived

This topic is now archived and is closed to further replies.

swatisonee

Shared Internet leading to multiple logins


Hi,

I'm in a big mess. We have a LAN at work and internet access is shared using WinProxy.

I just discovered that if a person has logged in, another person who opens up index.php gets to view the first person's page!

I don't know if this is because of the shared net connection or whether it's a flaw in the script.

Also, if one person has logged in, another person having access to the u/n and p/w can log in to the account at the same time. Clearly, my login.php and index.php are flawed.

I inherited this DB so I have never worked on these scripts. I also am not familiar with how sessions/cookies work. I would appreciate it if someone can help guide me on how to change it.




Thanks. Swati

LOGIN.PHP
========

[code]<h3 align="center">Login to access your webpage:</h3>
<FORM METHOD=post ACTION="<? echo $PHP_SELF ?>?action=login">
<p><p><p>
<B><table cellspacing="5" BORDERCOLORLIGHT = "#FFFF00" BORDERCOLORDARK = "#FFFF00"  bgcolor="#003498" align="center" border="8" >
<tr align="left"><td><font color="yellow" size="3" face="Tahoma"> User Name:</td><td>
<INPUT TYPE=text SIZE=30 NAME=loginname></td>
<td><font color="yellow" size="3" face="Tahoma"> Password:</td><td>
<INPUT TYPE=password SIZE=30 NAME=password></td></tr></table>
<br>
<p align="center"><INPUT TYPE=submit VALUE="Sign In"> </p>

</FORM>

       </tr>
    </table> [/code]


INDEX.PHP
=======

[code]<?include("protect.php"); ?>
<?php

mysql_connect("localhost", $dbname, $dbpasswd )
        or die ("Unable to connect to server.");

mysql_select_db($database)
        or die ("Unable to select database.");

$sql = "SELECT *
        FROM users
        WHERE (username='$logincookie[user]' or username='$loginname') and (md5(password)='$logincookie[pwd]' or password='$password')";

$result = mysql_query($sql)
        or die ("Unable to get results.");


printf("<font face=\"Verdana\" size=\"4\"><font color=\"blue\">Welcome <b>%s %s</b>", mysql_result($result,0,"firstname"), mysql_result($result,0,"lastname") );


if (mysql_result($result,0,"type") == 'Sales')
{
$uid=mysql_result($result,0,"uid");
printf("<p><a href=sales.php?uid=$uid>Click here to proceed to your options</a>");
}

if (mysql_result($result,0,"type") == 'Finance')
{
$uid=mysql_result($result,0,"uid");
printf("<p><a href=finance.php?uid=$uid>Click here to proceed to your options</a>");

}
// close the PHP block before the HTML footer; without this the markup below is a parse error
?>
<p><p><br>
<font face="Verdana" size="2">Make sure you sign out once you have completed your visit to the site.<br><b>
<A HREF="<? echo $PHP_SELF ?>?action=logout">Sign Out</A></b><br><br>



</td>
    </tr>
  </table> [/code]

PROTECT.PHP
=========

[code]<?

// This is the page to show when the user has been logged out
$logout_page = "logout.php";

$dbname = "x";
$dbpasswd = "y";
$database = "z";


// Page with login form
$login_page = "login.php";

// Page to show if the user enters an invalid login name or password
$invalidlogin_page = "invalidlogin.php";

if ($action == "logout")
{
    Setcookie("logincookie[pwd]","",time() - 3600);
    Setcookie("logincookie[user]","",time() - 3600);
    include($logout_page);
    exit;
}
else if ($action == "login")
{
    if (($loginname == "") || ($password == ""))
    {
        include($invalidlogin_page);
        exit;
    }

mysql_connect("localhost", $dbname, $dbpasswd )
        or die ("Unable to connect to server.");

mysql_select_db($database)
        or die ("Unable to select database.");

$sql = "SELECT * FROM users WHERE username='$loginname' ";

$result = mysql_query($sql)
        or die ("Unable to get results.");

$myrow = mysql_fetch_array($result);

    if (strcmp($myrow["password"],$password) == 0)
    {
        Setcookie("logincookie[pwd]",md5($password),time() + 3600);
        Setcookie("logincookie[user]",$loginname,time() + 3600);
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
else
{
    if (($logincookie[pwd] == "") || ($logincookie[user] == ""))
    {
        include($login_page);
        exit;
    }
    
mysql_connect("localhost",$dbname, $dbpasswd  )
        or die ("Unable to connect to server.");

mysql_select_db($database)
        or die ("Unable to select database.");

$sql = "SELECT * FROM users WHERE username='$logincookie[user]' ";

$result = mysql_query($sql)
        or die ("Unable to get results.");

$myrow = mysql_fetch_array($result);

    if (strcmp(md5($myrow["password"]),$logincookie[pwd]) == 0)
    {
        Setcookie("logincookie[pwd]",$logincookie[pwd],time() + 3600);
        Setcookie("logincookie[user]",$logincookie[user],time() + 3600);
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
?>

<?php
function calculatedate($inputdate)
{
$inputdate_parts = explode('-', $inputdate);

if ($inputdate_parts[1]==00 && $inputdate_parts[2]==00 && $inputdate_parts[0]==0000)
return ' ';

// Calculate the UNIX timestamp for the input date (parts are year, month, day)
$x = mktime(0, 0, 0, $inputdate_parts[1], $inputdate_parts[2], $inputdate_parts[0]);

$outputdate = date('d.m.y', $x);

return $outputdate;
}
?> [/code]

I had this problem too with a client that was using a proxy server for their employees to access our site.

look into: http://us2.php.net/manual/en/function.session-cache-limiter.php

How did you solve it then, please?

I read the link but I've never used sessions so I don't know if I need to add those headers in the protect.php file (which is called by every file on the site).

Also, I couldn't figure out which of the headers I would need to use to ensure I can have uploads possible as well as use of the back button etc. Most of my users use IE 6 btw. This is my protect.php file where I guess I have to make the additions, correct? Thanks.

[code]<?

// This is the page to show when the user has been logged out
$logout_page = "logout.php";

$dbname = "x";
$dbpasswd = "y";
$database = "z";


// Page with login form
$login_page = "login.php";

// Page to show if the user enters an invalid login name or password
$invalidlogin_page = "invalidlogin.php";

if ($action == "logout")
{
    Setcookie("logincookie[pwd]","",time() - 3600);
    Setcookie("logincookie[user]","",time() - 3600);
    include($logout_page);
    exit;
}
else if ($action == "login")
{
    if (($loginname == "") || ($password == ""))
    {
        include($invalidlogin_page);
        exit;
    }

mysql_connect("localhost", $dbname, $dbpasswd )
        or die ("Unable to connect to server.");

mysql_select_db($database)
        or die ("Unable to select database.");

$sql = "SELECT * FROM users WHERE username='$loginname' ";

$result = mysql_query($sql)
        or die ("Unable to get results.");

$myrow = mysql_fetch_array($result);

    if (strcmp($myrow["password"],$password) == 0)
    {
        Setcookie("logincookie[pwd]",md5($password),time() + 3600);
        Setcookie("logincookie[user]",$loginname,time() + 3600);
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
else
{
    if (($logincookie[pwd] == "") || ($logincookie[user] == ""))
    {
        include($login_page);
        exit;
    }
    
mysql_connect("localhost",$dbname, $dbpasswd  )
        or die ("Unable to connect to server.");

mysql_select_db($database)
        or die ("Unable to select database.");

$sql = "SELECT * FROM users WHERE username='$logincookie[user]' ";

$result = mysql_query($sql)
        or die ("Unable to get results.");

$myrow = mysql_fetch_array($result);

    if (strcmp(md5($myrow["password"]),$logincookie[pwd]) == 0)
    {
        Setcookie("logincookie[pwd]",$logincookie[pwd],time() + 3600);
        Setcookie("logincookie[user]",$logincookie[user],time() + 3600);
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
?>

<?php
function calculatedate($inputdate)
{
$inputdate_parts = explode('-', $inputdate);

if ($inputdate_parts[1]==00 && $inputdate_parts[2]==00 && $inputdate_parts[0]==0000)
return ' ';

// Calculate the UNIX timestamp for the input date (parts are year, month, day)
$x = mktime(0, 0, 0, $inputdate_parts[1], $inputdate_parts[2], $inputdate_parts[0]);

$outputdate = date('d.m.y', $x);

return $outputdate;
}
?> [/code]
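As an added example (not code from this thread), here is what a session-based protect.php along the lines of the linked manual page looks like in modern PHP: session_cache_limiter('nocache') marks every protected page as uncacheable so a shared proxy cannot hand one user's index.php to the next, and the logged-in identity lives in the server-side session instead of a cookie carrying md5($password). It assumes PDO, a users table with a password_hash column (password_hash() output rather than the plaintext the original strcmp compares against), and the same logout.php/login.php/invalidlogin.php pages; it does not by itself stop two people logging in with the same credentials at once, which needs a per-user record of the active session.

```php
<?php
// Added example protect.php (not the thread's code). Assumed connection details:
$dsn = 'mysql:host=localhost;dbname=z;charset=utf8mb4';
$dbname = 'x';
$dbpasswd = 'y';

// 1. Tell every cache between server and browser (the proxy included) that this
//    response is per-user and must not be stored. Must run before session_start().
//    Sends: Cache-Control: no-store, no-cache, must-revalidate / Pragma: no-cache
session_cache_limiter('nocache');
ini_set('session.use_only_cookies', '1');          // never accept a session id from the URL
session_set_cookie_params(0, '/', '', false, true); // HttpOnly; set secure=true under HTTPS
session_start();

$action = $_GET['action'] ?? '';

if ($action === 'logout') {
    $_SESSION = [];                                 // drop the server-side state, not just the cookie
    session_destroy();
    include 'logout.php';
    exit;
}

if ($action === 'login') {
    $loginname = $_POST['loginname'] ?? '';
    $password  = $_POST['password'] ?? '';
    if ($loginname === '' || $password === '') {
        include 'invalidlogin.php';
        exit;
    }
    $pdo  = new PDO($dsn, $dbname, $dbpasswd, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $pdo->prepare('SELECT uid, password_hash, type FROM users WHERE username = ?');
    $stmt->execute([$loginname]);                   // bound parameter: the name is never spliced into SQL
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row || !password_verify($password, $row['password_hash'])) {
        include 'invalidlogin.php';
        exit;
    }
    // 2. Identity is kept server-side; a fresh id on login blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['uid']        = $row['uid'];
    $_SESSION['type']       = $row['type'];
    $_SESSION['login_time'] = time();
}

// Every other request: the session must already carry a logged-in user.
if (empty($_SESSION['uid'])) {
    include 'login.php';
    exit;
}
```

Pages that include this file then read $_SESSION['uid'] and $_SESSION['type'] instead of re-querying users with cookie values; to confirm the proxy fix took effect, check that a response for index.php carries the Cache-Control: no-store header.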
