[phplib] a loginform in every page and no cancel_login button From: Giancarlo Pinerolo (giancarlo <email protected>)
Date: 11/22/00

I have tried to work around a couple of difficulties that were somewhat
displeasing in the login mechanism of phplib, so I am posting the code I use.
Maybe someone will give it a look and find some flaw...
Both hacks are related to the 'default authentication' scheme, AKA
$auth->nobody=true
(please forgive my particular use of brackets and tabs, but there is no
accounting for taste)

-- First problem, how to avoid the 'cancel login' button, and let the visitor
decide to hit the 'back' button and revert to being 'nobody' without submitting
the login or registration form:

my auth_validatelogin function looks like this:

<my_auth_validatelogin>

class My_Auth extends Auth {   ## assumed wrapper: the method below lives in an Auth subclass
  var $classname = "My_Auth";
  var $nobody    = true;       ## the 'default authentication' scheme

  function auth_validatelogin() {
    global $username, $password, $mode;   ## form fields arrive as globals (register_globals)

    if (isset($mode) && $mode == "reg") {
      $this->mode = "reg";
      $this->auth["uname"] = $username;
      $this->auth["error"] = "Please fill in the fields required for registration. Thank you.";
      return false;
    }

    if (isset($username)) {
      $this->auth["uname"] = $username;   ## This provides access for "loginform.ihtml"
    }
##########
# added from
# http://marc.theaimsgroup.com/?l=phplib&m=94269299705992&w=2
#########
    else if ($this->nobody) {   ## provides for "default login cancel":
                                ## no username was submitted, so the visitor stays "nobody"
      $uid = $this->auth["uname"] = $this->auth["uid"] = "nobody";
      return $uid;
    }
################
#end of addition
###########
#####rest as original
    $uid = false;
    $this->db->query(sprintf("select user_id, perms ".
                             " from %s ".
                             " where username = '%s' ".
                             " and password = '%s'",
                          $this->database_table,
                          addslashes($username),
                          addslashes($password)));
    while($this->db->next_record()) {
      $uid = $this->db->f("user_id");
      $this->auth["perm"] = $this->db->f("perms");
    }
    if ($uid == false)
      $this->auth["error"] = "The login or password is incorrect. Try again.";
    else
      SetCookie("auth_username", $username, pow(2, 31)-1, "/");
    return $uid;
  }

# end original code
}

<end_of_my_auth_validatelogin>

Then, the page that might want to call the loginform looks like:

<page_that_might_need_a_login_in_some_case>

if ($dologin) {                   ## arrives via the redirect below (register_globals)
    unset($dologin);
    $sess->unregister("dologin");
    $auth->login_if("doit");      ## shows the login form; 'back' from there returns as nobody
}
if ($any_variable_that_enforces_a_login) {
    if ($auth->auth["uid"] == "nobody") {
        $sess->register("dologin");
        header("Location: ". $sess->url("$PHP_SELF?dologin=yes"));
        exit;                     ## stop here: nothing after a Location header should be generated
    }
}

<end_of_page_that_might_need_a_login_in_some_case>

Using this I was able to let the user press the back button if, in front of a
login screen, he decided to give up, without any cancel button or link.

----
Second problem: how to have a tiny login form in every page, so the user can
log in from there without going to a dedicated login page

in every doc, at the top, I code:

.............
if ($let_me_in):
    ## auth_validatelogin() returns the uid on success, false on failure
    if ($auth->auth["uid"] = $auth->auth_validatelogin()):
        page_close();
        header("Location: ". $sess->url("$PHP_SELF"));
        exit;
    else:
        echo "try again";
    endif;
endif;
.............

In the middle, or on a sidebar, there's the ubiquitous 'Wanna login?' form:

............
if (!$perm->have_perm("user")):   ## or whatever, rather than being nobody
?>
<form action="<?php echo $sess->url("$PHP_SELF?let_me_in=yes"); ?>" method="post">
<input name="username" size="15" value=""><br>
<input name="password" type="password" size="15" value=""><br>
<input type="submit" value="login"><br>
</form>
<?php endif;
...........

This was a quick workaround, and I am surely not yet aware of all the security implications involved, or whether anyone can exploit this method to gain authentication. So please try it first, and tell me.

Thanks

Giancarlo

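As an added example (not code from the post above or from phplib), here is the same three-way decision that the post's auth_validatelogin() makes ("reg" mode, the default "nobody" login when no username was submitted, and a database lookup), written against a modern PHP stack: credentials are read from $_POST instead of register_globals, the user lookup is a prepared statement instead of SQL quoted with addslashes(), the password is checked against a password_hash() digest in PHP instead of being compared in plaintext by the database, and the redirect helper exits after sending the Location header, which the post's snippets do not do. The function names validate_login() and redirect_to(), the users table with its user_id, username, password_hash and perms columns, and the in-memory SQLite rows are assumptions made for this example; the returned array mirrors phplib's $auth->auth keys (uid, uname, perm, error).

```php
<?php
// Added example, not code from the post or from phplib. The users table,
// PDO/SQLite handle and the two function names are assumptions for the demo.
declare(strict_types=1);

/**
 * Returns an array shaped like phplib's $auth->auth: uid, uname, perm, error.
 * uid is the numeric user id on success, "nobody" for the default login,
 * or false when the attempt failed.
 */
function validate_login(PDO $db, array $post, bool $nobody = true): array
{
    $auth = ["uid" => false, "uname" => null, "perm" => null, "error" => null];

    $mode     = $post["mode"] ?? "";
    $username = isset($post["username"]) ? (string) $post["username"] : null;
    $password = isset($post["password"]) ? (string) $post["password"] : "";

    if ($mode === "reg") {
        $auth["uname"] = $username;
        $auth["error"] = "Please fill in the fields required for registration.";
        return $auth;
    }

    if ($username === null || $username === "") {
        // The "cancel login without a button" case: nothing was submitted,
        // so the visitor stays nobody (or fails if nobody is not allowed).
        if ($nobody) {
            $auth["uid"] = $auth["uname"] = "nobody";
        } else {
            $auth["error"] = "Login required.";
        }
        return $auth;
    }

    $auth["uname"] = $username;

    // Bound parameter: quotes, backslashes or multibyte sequences in the
    // username cannot change the statement, unlike addslashes()-built SQL.
    $stmt = $db->prepare(
        "SELECT user_id, perms, password_hash FROM users WHERE username = :u"
    );
    $stmt->execute([":u" => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is timing-safe and reads the salt from the stored hash.
    if ($row === false || !password_verify($password, $row["password_hash"])) {
        $auth["error"] = "The login or password is incorrect. Try again.";
        return $auth;
    }

    $auth["uid"]  = (int) $row["user_id"];
    $auth["perm"] = $row["perms"];
    return $auth;
}

/**
 * Redirect helper for the dologin / let_me_in round trips described in the
 * post. Exit after the Location header so the rest of the page (possibly
 * protected content) is never generated for the still-unauthenticated client.
 */
function redirect_to(string $url): void
{
    header("Location: " . $url, true, 303);
    exit;
}

// --- stand-alone demo with constructed data in an in-memory SQLite table ---
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password_hash TEXT NOT NULL, perms TEXT)");
$db->prepare("INSERT INTO users (username, password_hash, perms) VALUES (?, ?, ?)")
   ->execute(["alice", password_hash("correct horse", PASSWORD_DEFAULT), "user"]);

$cases = [
    "good password"     => ["username" => "alice", "password" => "correct horse"],
    "bad password"      => ["username" => "alice", "password" => "wrong"],
    "quoted username"   => ["username" => "alice' OR '1'='1", "password" => "x"],
    "nothing submitted" => [],
    "registration"      => ["mode" => "reg", "username" => "bob"],
];
foreach ($cases as $label => $post) {
    $a = validate_login($db, $post);
    printf("%-18s uid=%-8s perm=%-5s error=%s\n", $label,
        var_export($a["uid"], true), $a["perm"] ?? "-", $a["error"] ?? "-");
}
```

Run it with the pdo_sqlite extension enabled; the "quoted username" case fails with the generic error because the bound parameter is matched literally, the "nothing submitted" case yields uid "nobody" without any cancel button, and the "good password" case yields uid 1 with perm "user". In a real page the caller would store the returned array in the session and then call redirect_to() instead of falling through into the rest of the document.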