User Authentication PHP

Report · May 28, 2006

Hi, I have used the Dreamweaver User Authentication to create a login page and protected page. The code works fine and authenticates the user and directs them to the protected page but this promptly boots them out as not authenticated. The testing server is creating a session variable MM_username and inserting the correct value from the mysql database. But the process is creating two further sessions which are blank. It seems that the login page works and creates the session but the protected page is unable to verify this. There are no additions to the code just straight Dreamweaver inbuilt coding, I think this may be a PHP.ini issue although sessions are enabled and being created. Can anyone help?

Many thanks.

Report · May 29, 2006

Chris check globals are set to on in the php.ini file.

other than that i am using php mysql with DW8 with the latest patches and having no problems with the login behaviours. Only time i saw something kind of like this was a redirect to a .html not php page.

other than that try removing the behaviour and re entering it, sometimes i have had some issues with the code generation not being 100% good, that or i simply forgot to make sure that the text fields were given the correct name. (now i simply match all my text fields with the same name as the record field names like user_name user_passwrd etc...)

hope this helps a bit...

In Response To tomincz · May 29, 2006

Hi, Thanks for the tips but it still doesn't solve my problem, register globals are off as there is a security issue but changing it to on makes no difference. The code is working because it is creating the session and inserting the variable MM_username and the correct value. It seems as if protected page can't read the session or it is not recognising it as the current session because it creates two further sessions which are blank.

Any ideas?

Many thanks.

Report · May 29, 2006

Chrisnor wrote:
> Hi, I have used the Dreamweaver User Authentication to create a login page and
> protected page. The code works fine and authenticates the user and directs them
> to the protected page but this promptly boots them out as not authenticated.

This is why:

> Protected Page
> <?php
> if (!isset($_SESSION)) {
> session_start();
> }
> exit () <----- This terminates the script

I've not checked the rest of the script, but unless you remove the
exit(), the script will never run.

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/

Report · May 29, 2006

tomincz wrote:
> Chris check globals are set to on in the php.ini file.

NO!!! NO!!! NO!!!

Turning on register_globals is a serious security risk. It's so serious,
the option to turn them on is being removed from PHP 6. Even if you rely
on them now, your scripts will break in the next major version of PHP.

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/

In Response To Newsgroup_User · May 29, 2006

Hi,
Don't worry globals are Off on my testing server. Apologies for leaving the exit() in the code I put it there to create an error to try and see what was happening also the echo(MM_username) doesn't belong but again I added this to try and create an error: both were copied to this thread by mistake. It isn't the cause of the problem, I'm a newbie to web design and PHP but it seems to be an issue with retrieving the variable from the session. The login creates a session with the MM_username variable with the correct value inserted. But the protected page starts two further blank sessions, which seems to point to the fact that it doesn't recognise the original session on the testing server and is defaulting to if (!isset($_SESSION)) {
session_start();
}
I'm using Apache/1.3.33 (Darwin) and PHP Version 5.1.4 www.entropy.ch Release 3 (Universal Binary) on an Apple Mac. The Apache user is www(70) and the session data created by Apache has read/write permissions for www, so it seems that the session should function but it doesn't.

This is driving me nuts!! any suggestions would be greatly appreciated.

In Response To Newsgroup_User · May 30, 2006

sorry i automatically was assuming this was a closed test server thus the globals off setting which i have set on mine (not web accesible)

Protected Page
<?php
if (!isset($_SESSION)) {
session_start();
}
$MM_authorizedUsers = "";<<<----different from mine but i use a user priv field in my database so for example user type admin would have this instead $MM_authorizedUsers = "admin";
$MM_donotCheckaccess = "true"; <<<this part for some reason is different from the code generated by my dw for php.. mine has $MM_donotCheckaccess = "false";

just two separate parts that differ from mine

i am running mysql and php (firepages phpdev pack) on a windows box

dunno if this helps but works fine on mine with globals on or off

In Response To Newsgroup_User · May 30, 2006

Chrisnor wrote:
> protected page starts two further blank sessions

What do you mean by blank sessions? It sounds as though you have played
around with the code. Start with a completely fresh page, and insert the
server behaviors again. The setup that you have should work fine.

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/

Report · Jun 03, 2006

I bet you used to be in the diplomatic office didn't you Dave? I have included the code in the original post and with the exception of exit() and echo statements, which I explained previously, the rest is as generated by DW. It hasn't been altered at all, blank sessions means that when you open the session file on the server it contains zilch, nada, nothing. One session contains the MM_username variable with the correct value (again you can use the scroll bar to view this in a previous post). I know the code should work but it doesn't thats why I posted the problem.

Thanks tomincz I will alter the code to follow yours and see what happens, thanks for reading the post, you have been very helpful.

Report · Jun 03, 2006

Chrisnor wrote:
> I bet you used to be in the diplomatic office didn't you Dave?

No. More than 30 years as a radio and TV journalist. So I try to choose
words carefully.

> the rest is as generated by DW. It
> hasn't been altered at all, blank sessions means that when you open the session
> file on the server it contains zilch, nada, nothing.

If the session files contain nothing, that usually means there has been
a call to $_SESSION = array();. Another possibility is that you don't
have cookies enabled in your browser. Unless you set up the server in a
special way, sessions require cookies to work.

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/

Report · Jun 04, 2006

The browser has cookies enabled, the server is set up with the default settings plus the ssl module. As the session is being created by the login page and the MM_username variabe inserted and then the code directs you to theprotected page as the login is valid. The problem seems to be when the protected page tries to retrieve the session variable. The protected page is creating a new session probably because it can't read from the original session created at login.

Session data is stored in a folder phpsessiondata which is in the root directory of the hard drive /phpsessiondata. The folder has read/write permissions for everyone and the apache user group 'www' is the owner of the session files. Writing the files seems to work ok but not retrieving and reading! Should I configure something in httpd.conf? This is an apple mac system using enthropy php 5, which has the standard php.ini .

Many thanks for your time and trouble

Report · Jun 04, 2006

Chrisnor wrote:
> Session data is stored in a folder phpsessiondata which is in the root
> directory of the hard drive /phpsessiondata. The folder has read/write
> permissions for everyone and the apache user group 'www' is the owner of the
> session files. Writing the files seems to work ok but not retrieving and
> reading! Should I configure something in httpd.conf? This is an apple mac
> system using enthropy php 5, which has the standard php.ini .

The Mac package from entropy.ch doesn't set a value for
session.save_path, so session files are stored by default in /var/tmp.
According to php.ini, the file storage module creates session files
using permissions of 600 by default. I've confirmed this by looking at
the session files on my Mac in Terminal. They have just read and write
permission (-rw-------), are owned by www, and the group is wheel.

Presumably you have your own reasons for wanting to change the default
location for session files, but it sounds as though you are making
things less secure by creating a folder with such an obvious name and
global read/write permissions.

I use a Mac mainly for testing purposes for my books, so don't have the
in-depth knowledge that a regular Mac/PHP user might have. However, I'm
pretty sure that changing httpd.conf would do nothing to solve your
situation. You may be better off reverting to the default location for
session files, and confirming that your pages work as expected. Then try
again with your custom setup. If it still doesn't work, asking questions
in the forum at entropy.ch may get a more knowledgeable response.

--
David Powers
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "Foundation PHP 5 for Flash" (friends of ED)
http://foundationphp.com/