The script is designed to require the user to input a username and password. If the data does not match “acceptable” data, the user receives an “Invalid …” message. The screen does not allow the user to go back nor will it allow the user to access the site to attempt again without clearing the internet history.
Suggestions?
The following code was authored to require a user to login. If incorrect information is submitted, the user receives the “Invalid…” statement, however, he/she cannot “go back” or access the login page again until the internet history has been cleared. Any suggestions would be greatly appreciated.
[php]<?php // agencylogin-testing.php
require_once '../backup/connect.php';
$connection = new mysqli($db_host, $db_user, $db_pass, $db_db);
if ($connection->connect_error) die($connection->connect_error);
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
$un_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_USER']);
$pw_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_PW']);
$query = "SELECT * FROM agencies WHERE agencyAcronym = '$un_temp' AND agencyCode = '$pw_temp'";
$result = $connection->query($query);
if(!$result) die($connection->error);
elseif($result->num_rows)
{
$row = $result->fetch_array(MYSQLI_NUM);
$result->close();
$token = $pw_temp;
if ($token == $row[1])
{
session_start();
$_SESSION['agencyAcronym'] = $un_temp;
$_SESSION['agencyCode'] = $pw_temp;
$_SESSION['agency'] = $row[2];
$_SESSION['address'] = $row[3];
$_SESSION['city'] = $row[4];
$_SESSION['state'] = $row[5];
$_SESSION['zip'] = $row[6];
}
else die("Invalid username/password combination");
}
else die("Invalid username/password combination");
}
else
{
header('WWW-Authenticate: Basic realm="Restricted Section"');
header('HTTP/1.0 401 Unauthorized');
die("Please enter your username and password");
}
$connection->close();
function mysql_entities_fix_string($connection, $string)
{
return htmlentities(mysql_fix_string($connection, $string));
}
function mysql_fix_string($connection, $string)
{
if(get_magic_quotes_gpc()) $string = stripslashes($string);
return $connection->real_escape_string($string);
}
?>[/php]
If you can post the script it would be useful in offering a suggestion.
You need to actually tell the browser that the credentials are wrong by responding with a 401 code. If you merely display some error message, the browser thinks the crendentials have been accepted and will keep sending them with every request (until the cache has been cleared).
Pretty Homepages - I have only dabbled with php and the attached script was authored by a previous employee. Would you be willing to offer additional instruction on how to repair/replace properly?
Any assistance would be greatly appreciated.
Well, that is exactly the way the code is set up. If you use this section:
header(‘WWW-Authenticate: Basic realm=“Restricted Section”’);
header(‘HTTP/1.0 401 Unauthorized’);
die(“Please enter your username and password”);
Then the code will force a 401 page into the headers and does not go anywhere else. Most often, when you
get to that point, you might instead want it to go the the login page. For that you could just use a standard
redirect to the log in page. Something loosely like:
header(‘location: yourloginpage.php’);
In that way they are forced to go to the log in page instead of receiving a 401 page. Is that way you wanted?
YES! Thank you very much.
Still has issues. If I replace the 'WWW-Auth… and the 'HTTP/1… headers with the location header above, my return page yields at big 404 NOT FOUND. If I simply replace the 'HTTP/1… header the the location header, I get a “This webpage has a redirect loop” error. Should the location header be placed prior to the WWW and HTTP headers?
Well, I was reading up on how to do this HTTP-Authentication and found this sample code for it:
[php]
Welcome: " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "
";
echo "Old: " . htmlspecialchars($_REQUEST['OldAuth']);
echo "\n";
echo "\n";
echo "\n";
echo "\n";
echo "
[/php]
This was on the PHP.net site at: http://php.net/manual/en/features.http-auth.php
In their version, they check for the values and if not in place, they echo out the actual login form. But, in your
code, I did not see the form. Is the form later in the code? You can either echo the form as in the above
sample or use a flag to display the login form or not depending on the values. Did that make sense?
Also, since you are using headers to handle the HTTP control of the authentication, it is really done using the
server-to-browser system. This might be tracked somewhat, but, is not encrypted. So, I am not really sure
if it is better than a server-side login system with encryption. Here is another site that steps thru the code to
explain each part: http://www.hackingwithphp.com/15/4/3/authentication-over-http Might help you
understand each part of it.
Lastly, I did further reading on this form of authentication because I was told it is insecure. It seems that the
username and password is sent in normal text and can be hacked with ease. All of my reading states that you
need to use HTTPS if you want to use this form of authentication system. But, for your code project, we can
get it working for you if you wish to continue with it.
I saw this as well and was uncertain if it would apply. From the http://php.net/manual/en/features.http-auth.php webpage, the method of input derives from a pop-up window (not necessarily a form). Once the user enters the correct information in the pop-up window, the HTML side of the balance of the webpage runs a Javascript pointing to a HTTPS jotfrom.
If the user hits the Cancel button, he/she can simply hit the browser refresh button and the pop-up window appears again. If the user enters no or incorrect information and clicks the Login button, the webpage returns the “Invalid username/password combination” and can move no further. The back or refresh buttons merely returns the “Invalid…” statement. In order to re-invoke the pop-up window, the user must clear the browser history. This is what I am trying to rectify. How do I modify the code to allow the user to re-enter information without having to clear the browser history.
Well, first, I will guess you do not want to use HTTPS. As far as the user having to clear cache is most likely not
so big an issue. Normally if you press your “back” key a twice quickly, it should go back past the page causing an
issue. Is there a reason that you are not using a standard secured login instead of this not-secure system?
The issue is the way you control, monitor and handle user’s. Normally, you keep them in a database and just
use secured encryption to keep the username and password protected from hackers. Are you trying to use the
HTTP versus PHP login system for a certain reason? Just curious…
As far as you comment about “if a user hits cancel or enters no info, etc”, the issue is that you are using headers
inside the browser. Browser’s can be monitored by hackers and since the info is not encrypted, it is not a good
way to handle login’s. Headers are sent as part of every browser’s communication with the server. It was
used a lot in the past to use for login’s, but, not used much nowadays…
Let us know why you want to go this route…
The script as shown was authored by a previous employee. Upon her departure we discovered the issue and began to seek a resolution. The website is setup such that a qualified user will access the page, enter the necessary credentials and be routed to jotforms (ina secure environment) to complete the order process.
Certainly, I would want all of this done in a secure environment. Any information you are willing to provide in this matter would be greatly appreciated.
In addition, yes… the user database is preset in mysqli (as indicated at the top of the script). The intent is of course, to reach out, verify, accept or prompt for appropriate login. Never to lockup.
Well, looking over your code, either you need to make the site a HTTPS version instead of HTTP or just change
the entire login system to a more standard version. Here is a tutorial on how to do that. It might fit what you
want. It does use the hash() function for passwords which is not a standard these days. Most use the newer
functions in PHP5 and up. The old way of storing passwords were to encrypt them and hash them and save in
the database. Now, the better way is to create a random “salt” hash to use in the encryption and store both into
the database. A hacker can not get to it due to needing access to the database to locate the salted-hash that is
needed to break the encryption of the password. We can discuss that after you think about moving to a more
standard login system. Either way, here is the tutorial on how to create a full login from start to finish. There are
a ton of others, some may be better than this one, but, it will get you started…
http://forum.codecall.net/topic/69771-creating-a-simple-yet-secured-loginregistration-with-php5/
hi i got the script working but everything i try to add ends up in the css menu bar. this then makes the css menu bar longer and longer. can you help please.
[php]<?php
session_start();
include_once ‘dbconnect.php’;
if(!isset($_SESSION[‘user’]))
{
header(“Location: index.php”);
}
$res=mysql_query(“SELECT * FROM users WHERE user_id=”.$_SESSION[‘user’]);
$userRow=mysql_fetch_array($res);
?>
<div class="footer">
copyright @2016
What do you mean by menu bar? You showed partial code. I looks like your menu is inside a DIV called
“wrapper”. If so, then, place your data below it. Or, at least under the of the menu. Just place the
data you do not want to show in the menu below the menu code.