Have you thought about using BASIC AUTH in Apache? That way, you don't even
need to build a login page, just authenticate each page. Here's what we use:
Note that some of the functions used in this script are not included, and
need to be commented out or a function written for them. It's rather
self-explanatory.
We also create a .htaccess file with all the username/passwords in a central
location. You'll need to modify your httpd.conf file to look in that central
location for all the pages.
## Function: check_auth()
## Description: Checks authentication against the mysql user info database and
##              verifies the password. This function is absolutely critical.
##              If it's not right, you could be letting people into the website
##              unintentionally. Always make sure that login failure occurs
##              unless you have a positive ID!!!
##              Additionally it determines if the user has read and digitally
##              accepted IEI's liability statement by calling
##              liability_statement_check().
## Arguments: none
## Returns: success-> returns true
##          failure-> exits via auth_header()
## Helpers assumed to be defined elsewhere (they are not in the post):
## get_row(), auth_header(), log_it(), authorize_user(),
## update_logged_in_status(), liability_statement_check(). auth_header() is
## assumed to send the 401 challenge and exit(); an explicit exit() follows
## each call anyway so this function can never fall through on failure.
## $conn_id is assumed to be an ext/mysql link (mysql_real_escape_string()
## needs it); on PHP 7+ use mysqli/PDO prepared statements instead.
function check_auth() {
    global $conn_id, $PHP_AUTH_REALM;
    global $WEBUSER_TABLE, $WEBAUTH_TABLE;

    # Read the Basic-auth credentials and the redirect flag from the request
    # superglobals instead of relying on register_globals.
    $user     = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : NULL;
    $pass     = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : NULL;
    $redirect = isset($_GET['redirect']) ? $_GET['redirect'] : '';

    # The only way out of this function is:
    #   1) A call to auth_header() (which exits)
    #   2) A TRUE return to the caller
    # Is USER and PASS set?
    if ($user === NULL || $pass === NULL) {
        if ($redirect == 'y') {
            log_it(LOG_DEBUG, "caught redirect");
            auth_header($PHP_AUTH_REALM);
            exit();
        } else {
            log_it(LOG_DEBUG, "redirecting");
            header("Location: /index.php?redirect=y");
            exit();
        }
    }
    # Does USER have trailing whitespace? MySQL ignores trailing spaces when
    # comparing CHAR/VARCHAR values, so 'alice ' would match 'alice'.
    # (ereg() is gone from current PHP; preg_match() is its replacement.)
    if (preg_match('/ +$/', $user)) {
        auth_header($PHP_AUTH_REALM);
        exit();
    }
    # Is USER known to the system?
    # Both values come straight from the client, so escape them before they
    # are interpolated into SQL; the original concatenated them raw, which
    # allows SQL injection (e.g. a password of  ' OR '1'='1 ).
    # NOTE: like the original, this compares the password in plaintext against
    # the stored column; storing a salted hash and comparing in PHP is the
    # proper fix.
    $q_user = mysql_real_escape_string($user, $conn_id);
    $q_pass = mysql_real_escape_string($pass, $conn_id);
    $sql = "SELECT * FROM $WEBUSER_TABLE WHERE web_user_id='$q_user' AND web_password='$q_pass'";
    $row = get_row($conn_id, $sql);
    if (!$row || !is_array($row)) {
        # USER NOT KNOWN (or wrong password)
        auth_header($PHP_AUTH_REALM);
        exit();
    }
    # Yes, so...
    # See if they've been disabled
    if ($row['web_access_level'] == 'D') {
        header("Location: /error_disabled.php");
        exit();
    }
    # Check logged_in state
    $sql = "SELECT logged_in FROM $WEBAUTH_TABLE WHERE web_user_id='$q_user'";
    $row = get_row($conn_id, $sql);
    if (!$row || !is_array($row)) {
        # First time login for USER, let him through
        authorize_user($user);
        return TRUE;
    }
    # USER already has a row in the auth table. Anything other than 'Y' means
    # he logged out (or was never marked in): mark him in and, unless we are
    # already in the redirect round-trip, re-issue the challenge so the
    # browser has to present credentials again.
    if ($row['logged_in'] != 'Y') {
        update_logged_in_status($user, 'Y');
        if ($redirect != 'y') {
            auth_header($PHP_AUTH_REALM);
            exit();
        }
    } else {
        # Log the user name only; never write the password to the log.
        log_it(LOG_INFO, "checkauth() SUCCESS: user=$user pass=NO-SOUP-FOR-YOU-TOO");
    }
    liability_statement_check();
    return TRUE;
}
Gary Every
Sr. UNIX Administrator
Ingram Entertainment
(615) 287-4876
"Pay It Forward"
mailto:[EMAIL PROTECTED]
http://accessingram.com
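The central password file and the httpd.conf change described in the reply above, as an added example that is not part of the original post or of Ingram's configuration. The file Apache reads via AuthUserFile is conventionally named .htpasswd (a .htaccess file is per-directory configuration). The example assumes Apache 2.4 syntax with mod_auth_basic, mod_authn_file and mod_ssl loaded; the paths, realm name and user names are placeholders.

```apache
# Added example, not from the original post. Create the central password
# file once, OUTSIDE every document root, with bcrypt hashes (-B).
# Use -c only for the first user; it truncates an existing file.
#   htpasswd -c -B /etc/apache2/auth/central.htpasswd alice
#   htpasswd    -B /etc/apache2/auth/central.htpasswd bob

# Belt and braces: never serve .htpasswd/.htaccess even if a copy ends up
# under a docroot.
<Files ".ht*">
    Require all denied
</Files>

# Every application under this tree is gated by the same central store, so
# no per-application login page is needed; the browser resends the
# Authorization header on each request within the realm.
<Directory "/var/www/apps">
    AuthType Basic
    AuthName "IEI Intranet"
    AuthUserFile "/etc/apache2/auth/central.htpasswd"
    Require valid-user

    # Basic auth only base64-encodes user:password, so refuse plain HTTP.
    # (Directive from mod_ssl; assumed to be loaded.)
    SSLRequireSSL
</Directory>
```

With Apache doing the check, PHP still sees the user name in $_SERVER['PHP_AUTH_USER'] (and $_SERVER['REMOTE_USER']), so a script like check_auth() above can keep its own per-user state (disabled flag, liability acceptance) in the database without ever re-verifying the password itself. Note that Basic auth has no real logout: the browser keeps resending the credentials until it is closed or a 401 for the same realm makes it prompt again, which is what the auth_header() re-challenge in the script is working around.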
> -----Original Message-----
> From: NIPP, SCOTT V (SBCSI) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 19, 2003 10:39 AM
> To: '[EMAIL PROTECTED]'
> Subject: [PHP-DB] Login and link back...
>
>
> I am curious about what you guys may have along the lines of best
> practices for forwarding from a URL to a login, and then jumping back to
> the original URL automatically. I have several separate applications that
> all need to utilize the same login mechanism. I want the user to be able
> to enter the URL for the application and if they are not logged in it
> redirects them to a login screen. I already have the sessions junk set up
> and understand all of that portion. I am mainly interested in how people
> are handling the return to a URL after successful login.
> I have done some research on this, and discovered the $HTTP_REFERER
> variable however the PHP site discourages using this. I have also thought
> of adding code to each page to export an "origin" variable to be passed
> to the login page such that it can be used to return the user. I thought
> of this method, but I am not real clear on how to manage this. Does anyone
> have any suggestion on implementing this, or another alternative that I
> have not touched on yet? Thanks in advance.
>
> Scott Nipp
> Phone: (214) 858-1289
> E-mail: [EMAIL PROTECTED]
> Web: http:\\ldsa.sbcld.sbc.com
>
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>