authentication

Resources

Chosen Code

Description, change title as needed

<?php
/////////////////////////////////////////////////////////////
//
//    MSD_lib.inc.php
//    (c) Maresa Nirwan mnirwan@microshell.net
//
/////////////////////////////////////////////////////////////
 
function require_login($auth = "7", $val = "employee") {
   // $val is never defined in the original; it is taken here as a second parameter so that
   // "employee" pages get the permission-bit check and customer pages are passed through,
   // as the comments below describe.
   global $s_domain_name;
   global $HTTP_SESSION_VARS;
 
   // Check if user is logged in.
   if (!is_login()) {
      header("Location: http://$s_domain_name/login.html");
      exit;                                // Stop here, otherwise the page body is still sent
   } else {                                // User is logged in.
      if ($val == "employee") {
         $db = mysql_pconnect("localhost","username","password");
         mysql_select_db("DB");
         // MSD_login.php stores session_id in employee_tbl, so the lookup must use that table too
         $sid = addslashes($HTTP_SESSION_VARS["sv_login"]);
         $result = mysql_query("SELECT permission FROM employee_tbl WHERE session_id = '$sid'");
         if (mysql_num_rows($result) != 1) {       // Something's wrong
            echo '<center><font color="red" size="+2">Something is wrong. Query returns 0 or more than 1 result.</font></center>';
            exit;
         }
         $row = mysql_fetch_array($result);
         $auth_scheme = $row["permission"];
         // Bitwise AND: the user passes only if every bit of $auth is set in the stored permission
         $is_ok = ((int)$auth & (int)$auth_scheme);
         if ($is_ok == (int)$auth) {
            $is_ok = TRUE;
         } else {
            echo '<center><font color="red" size="+2">Sorry!!! You don\'t have permission to access this page.</font></center>';
            exit;
         }
      } else {
         $is_ok = TRUE;                    // There's no permission level on customer user's pages
      }
   }
   return $is_ok;
}
 
function is_login() {                             // Will check if a user is logged in or not
   global $HTTP_SESSION_VARS;                     // The function will return employee_id if user is logged in
   // Logout sets sv_login to "", so an empty value must count as logged out; otherwise
   // WHERE session_id = '' could match the single row whose session was last cleared.
   if (isset($HTTP_SESSION_VARS["sv_login"]) && strlen($HTTP_SESSION_VARS["sv_login"]) > 0) {
      $db = mysql_pconnect("localhost","username","password");
      mysql_select_db("DB");
      $sid = addslashes($HTTP_SESSION_VARS["sv_login"]);      // Escape before use in the query
      $result = mysql_query("SELECT employee_id FROM employee_tbl WHERE session_id = '$sid'");
      if (mysql_num_rows($result) == 1) {
         $row = mysql_fetch_array($result);
         return $row["employee_id"];
      } else {
         return FALSE;
      }
   } else {
      // The user is not logged in
      return FALSE;
   }
}
 
function parse_get_post($var_name) {              // Will check if one of GET or POST exists. If it does,
   global $HTTP_GET_VARS;                         // the function will return that variable;
   global $HTTP_POST_VARS;                        // returns an empty string if none is defined
 
   if (isset($HTTP_GET_VARS[$var_name])) {
      return $HTTP_GET_VARS[$var_name];
   } else if (isset($HTTP_POST_VARS[$var_name])) {
      return $HTTP_POST_VARS[$var_name];
   } else {
      return "";
   }
}
 
/********** END MSD_lib.inc.php **********/
?>
 
<?php
/////////////////////////////////////////////////////////////
//
//    MSD_login.php
//    (c) Maresa Nirwan mnirwan@microshell.net
//
//    This file takes 5 arguments
//    1. login        ------------ User input login name
//    2. password     ------------ User input password
//    3. action       ------------ Specifies the action: log the user in or out
//    4. location     ------------ Specifies what page to show after login/logout completes
//    5. login_btn    ------------ If it does not exist, display the login page
//
/////////////////////////////////////////////////////////////
 
// parse_get_post() is defined in MSD_lib.inc.php, so that file must be included first.
// $s_domain_name is assumed to be set in your configuration.
require("MSD_lib.inc.php");
 
// These 3 vars can be passed either by get or post method.
$action = parse_get_post("action");
$location = parse_get_post("location");
$login_btn = parse_get_post("login_btn");
 
// Check if login button is defined. If not, display login page.
if (strlen($login_btn) == 0) {
   header("Location: http://$s_domain_name/login.html");
   exit;
}
 
// Default action to logout
if (strlen($action) == 0) {
   $action = "logout";
}
 
if (strlen($location) == 0) {
   $location = $s_domain_name . "/";
}
$location = urldecode($location);
 
// ------ Done parsing vars now we can do the stuff
 
if ($action == "login") {
   $db = mysql_pconnect("localhost","username","password");
   mysql_select_db("DB");
   $login = addslashes($HTTP_POST_VARS["login"]);           // Escape before use in the query
   $password = md5($HTTP_POST_VARS["password"]);
   $result = mysql_query("SELECT employee_id FROM employee_tbl WHERE login = '$login' AND password = '$password'");
 
   if (mysql_num_rows($result) != 1) {
   // Bad Login
      header("Location: http://$s_domain_name/login.html");
      exit;
   } else {
      $row = mysql_fetch_array($result);                     // Fetch the matched employee_id
      srand((double)microtime()*1000000);
      $login_id = md5(uniqid(rand()));
      mysql_query("UPDATE employee_tbl SET session_id = '$login_id' WHERE employee_id = '".$row["employee_id"]."'");
      $HTTP_SESSION_VARS["sv_login"] = "$login_id";
// Done authenticating and logging in user. Now redirect user to another page.
      header("Location: http://$s_domain_name/msd/admin/$location");
      exit;
   }
} else {
// Logging out user
   $db = mysql_pconnect("localhost","username","password");
   mysql_select_db("DB");
   $sid = isset($HTTP_SESSION_VARS["sv_login"]) ? addslashes($HTTP_SESSION_VARS["sv_login"]) : "";
   mysql_query("UPDATE employee_tbl SET session_id = '' WHERE session_id = '$sid'");
   $HTTP_SESSION_VARS["sv_login"] = "";
   header("Location: http://$s_domain_name/msd/admin/$location");
   exit;
}
 
/********** END MSD_login.php **********/
 
?>
 
***************** SAMPLE login.html *****************
-- begin login.html --
<html>
<head>
<title>MSD Login Screen</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF">
<form method="post" action="MSD_login.php">
Login Name: <input type="text" name="login"><br>
Password: <input type="password" name="password"><br>
<input type="hidden" name="action" value="login">
<input type="hidden" name="location" value="main_screen.html">
<input type="submit" name="login_btn" value="Login">
</form>
</body>
</html>
-- end login.html --
 
For the database, I assume you have employee_tbl with at least these fields defined:
login, password, session_id, and permission.
The permission field holds the decimal value of a binary bit pattern, e.g.
1     is regular user. Stored in the database as 1 (2 to the power of 0)
11    is power user. Stored in the database as 3 (2 to the power of 1 plus 2 to the power of 0)
111   is super user. Stored in the database as 7. You figure out why 7. :-)
 
On every page that you want a user to be logged in with the proper permission to view, start a session,
register the variable sv_login, include MSD_lib.inc.php, and call:
require_login("1") for everyone who can log in to be able to see the page,
require_login("3") for only power users and super users to be able to see the page,
require_login("7") for only super users to be able to see the page.
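To make the permission check concrete, here is an added Python model of the scheme above (example code, not the page's own): an in-memory stand-in for employee_tbl, login/logout that mint and clear session_id, and require_login() reproducing the ($auth & $auth_scheme) == $auth bit-subset test, including a row with the undocumented value 5 to show the check is "all required bits present", not "level >= required". It assumes secrets.token_hex in place of md5(uniqid(rand())) and treats an empty sv_login as logged out.

```python
import secrets

# Permission levels from the page: the bit patterns 1, 11 and 111.
REGULAR, POWER, SUPER = 1, 3, 7

# Constructed in-memory stand-in for employee_tbl (columns as the page lists them).
# Row 4 carries permission 5 (binary 101), a value the page does not define.
EMPLOYEE_TBL = [
    {"employee_id": 1, "session_id": "", "permission": REGULAR},
    {"employee_id": 2, "session_id": "", "permission": POWER},
    {"employee_id": 3, "session_id": "", "permission": SUPER},
    {"employee_id": 4, "session_id": "", "permission": 5},
]


def login(employee_id):
    """Like MSD_login.php after a good password: mint a session id and store it.
    secrets.token_hex stands in for md5(uniqid(rand())) (assumption of this example)."""
    for row in EMPLOYEE_TBL:
        if row["employee_id"] == employee_id:
            row["session_id"] = secrets.token_hex(16)
            return row["session_id"]
    raise KeyError(employee_id)


def logout(session_id):
    """Like the logout branch: clear session_id on the matching row."""
    for row in EMPLOYEE_TBL:
        if row["session_id"] == session_id:
            row["session_id"] = ""


def is_login(session_id):
    """Like is_login(): employee_id when exactly one row matches, else False.
    An empty sv_login counts as logged out so it can never match a cleared row."""
    if not session_id:
        return False
    rows = [r for r in EMPLOYEE_TBL if r["session_id"] == session_id]
    return rows[0]["employee_id"] if len(rows) == 1 else False


def require_login(session_id, auth=SUPER):
    """Like require_login(): 'redirect' when not logged in, 'denied' when the
    stored permission lacks any bit of auth, otherwise 'ok'."""
    employee_id = is_login(session_id)
    if employee_id is False:
        return "redirect"  # header("Location: .../login.html")
    stored = next(r["permission"] for r in EMPLOYEE_TBL if r["employee_id"] == employee_id)
    return "ok" if (auth & stored) == auth else "denied"
```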

Client Side Code

Client side code is inherently insecure and error-prone. It should be used only to reduce load on the server, and all input must still be verified by the server. Please include the server-side verification code in this section as well.

Description, change title as needed

 

Candidate Code Suggestions

Add your suggestions and links here.