computers:authentication [2015/03/24 05:42] (current)
Line 1: Line 1:
 +====== authentication ======
 +  * [[:xx]]
 +  * [[session_to_store_login_information]]
  
 +
 +
 +====== Resources ======
 +
 +
 +
 +
 +====== Chosen Code ======
 +
 +
 +
 +===== Code 1 =====
 +Description,​ change title as needed
 +
 +<code php>
 +<?php
 +/////////////////////////////////////////////////////////////​
 +//
 +//    MSD_lib.inc.php
 +//    (c) Maresa Nirwan mnirwan@microshell.net
 +//
 +/////////////////////////////////////////////////////////////​
 +
 +function require_login($auth = "​7"​) {
 +   ​global $s_domain_name;​
 +   ​global $HTTP_SESSION_VARS;​
 +
 +   // Check if user is login.
 +   if (!is_login()) {
 +      header("​Location:​ http://​$s_domain_name/​login.html"​);​
 +   } else {                            // User is logged in.  ​
 +      if ($val == "​employee"​) {
 +         $db = mysql_pconnect("​localhost","​username","​password"​); ​
 +         ​mysql_select_db("​DB"​);​
 +         ​$result = mysql_query("​SELECT permission FROM customer_tbl WHERE session_id = '"​.$HTTP_SESSION_VARS["​sv_login"​]."'"​);​
 +         if (mysql_num_rows != 1) {                // Something'​s wrong
 +            echo "<​center><​font color="​red"​ size="​+2">​Something is wrong. Query returns 0 or more than 1 result.</​font></​center>";​
 +            exit;
 +         }
 +         $row = mysql_fetch_array($result);​
 +         ​$auth_scheme = $row["​permission"​];​
 +         ​$is_ok = $auth & $auth_scheme;​
 +         if ($is_ok == $auth) {
 +            $is_ok = TRUE;
 +         } else {
 +            echo "<​center><​font color="​red"​ size="​+2">​Sorry!!! You don't have permission to access this page.</​font></​center>";​
 +            exit;
 +         }
 +      } else {
 +         ​$is_ok = TRUE;                                    // There'​s no permission level on customer user's pages
 +      }
 +   }
 +}
 +
 +function is_login() {                             // Will check if a user is logged in or not
 +   ​global $HTTP_SESSION_VARS; ​               // The function will return login_id if user is logged in
 +   if (isset($HTTP_SESSION_VARS["​sv_login"​])) {        // The user is logged in
 +      $db = mysql_pconnect("​localhost","​username","​password"​); ​
 +      mysql_select_db("​DB"​);​
 +      $result = mysql_query("​SELECT customer_id FROM customer_tbl WHERE session_id = '"​.$HTTP_SESSION_VARS["​sv_login"​]."'";​
 +      if (mysql_num_rows($result) == 1) {
 +         $row = mysql_fetch_array($result);​
 +         ​return $row["​customer_id"​];​
 +      } else {
 +         ​return FALSE;
 +      }
 +   } else {
 +      // The user is not logged in
 +      return FALSE;
 +   }
 +}
 +
 +function parse_get_post($var_name) {                    // Will check if one of GET or POST exist. If it is,
 +   ​global $HTTP_GET_VARS; ​                              // the function will return that variable
 +   ​global $HTTP_POST_VARS; ​                        // returns empty if none is defined
 +
 +   if (isset($HTTP_GET_VARS["​$var_name"​])) {
 +      return $HTTP_GET_VARS["​$var_name"​];​
 +   } else if (isset($HTTP_POST_VARS["​$var_name"​])) {
 +      return $action = $HTTP_POST_VARS["​$var_name"​];​
 +   } else {
 +      return "";​
 +   }
 +}
 +
 +/********** END MSD_lib.inc.php **********/
 +?>
 +
 +<?php
 +/////////////////////////////////////////////////////////////​
 +//
 +//    MSD_login.php
 +//    (c) Maresa Nirwan mnirwan@microshell.net
 +//
 +//    This file takes 5 arguments
 +//    1. login        ------------ User input login name
 +//    2. password ​       ------------ User input password
 +//    3. action ​       ------------ Specifies the action to login or logout people
 +//    4. location ​       ------------ Specifies what page to show after login/​logout complete
 +//    5. login_btn ​       ------------ If not exist, display login page
 +//
 +/////////////////////////////////////////////////////////////​
 +
 +// Theese 3 vars can be passed either by get or post method.
 +$action = parse_get_post("​action"​);​
 +$location = parse_get_post("​location"​);​
 +$login_btn = parse_get_post("​login_btn"​);​
 +
 +// Check if login button is defined. If not, display login page.
 +if (strlen($login_btn) == 0) {
 +   ​header("​Location:​ http://​$s_domain_name/​login.html"​);​
 +   exit;
 +}
 +
 +// Default action to logout
 +if (strlen($action) == 0) {
 +   ​$action = "​logout";​
 +}
 +
 +if (strlen($location) == 0) {
 +   ​$location = $s_domain_name . "/";​
 +}
 +$location = urldecode($location);​
 +
 +// ------ Done parsing vars now we can do the stuff
 +
 +if ($action == "​login"​) {
 +   $db = mysql_pconnect("​localhost","​username","​password"​); ​
 +   ​mysql_select_db("​DB"​);​
 +   ​$password = md5($HTTP_POST_VARS["​password"​]);​
 +   ​$result = mysql_query("​SELECT employee_id FROM employee_tbl WHERE login = '"​.$HTTP_POST_VARS["​login"​]."'​ AND password = '​$password'"​);​
 +
 +   if (mysql_num_rows($result) != 1) {
 +   // Bad Login
 +      header("​Location:​ http://​$s_domain_name/​login.html"​);​
 +      exit;
 +   } else {
 +      srand((double)microtime()*1000000);​
 +      $login_id = md5(uniqid(rand()));​
 +      $mysql_query("​UPDATE employee_tbl SET session_id = '​$login_id'​ WHERE employee_id = '"​.$db->​f("​employee_id"​)."'"​);​
 +      $HTTP_SESSION_VARS["​sv_login"​] = "​$login_id";​
 +// Done authenticating and loging in user. Now redirect user to another page.
 +      header("​Location:​ http://​$s_domain_name/​msd/​admin/​$location"​);​
 +   }
 +} else {
 +// Logging out user
 +   $db = mysql_pconnect("​localhost","​username","​password"​); ​
 +   ​mysql_select_db("​DB"​);​
 +   ​$mysql_query("​UPDATE employee_tbl SET session_id = ''​ WHERE session_id = '"​.$HTTP_SESSION_VARS["​sv_login"​]."'"​);​
 +   ​$HTTP_SESSION_VARS["​sv_login"​] = "";​
 +   ​header("​Location:​ http://​$s_domain_name/​msd/​admin/​$location"​);​
 +}
 +
 +/********** END MSD_login.php **********/
 +
 +?>
 +
 +***************** SAMPLE login.html *****************
 +-- begin login.html --
 +<​html>​
 +<​head>​
 +<​title>​MSD Login Screen</​title>​
 +<meta http-equiv="​Content-Type"​ content="​text/​html;​ charset=iso-8859-1">​
 +</​head>​
 +<body bgcolor="#​FFFFFF">​
 +<form method="​post"​ action="​MSD_login.php">​
 +Login Name: <input type="​text"​ name="​login"><​br>​
 +Password: <input type="​password"​ name="​password"><​br>​
 +<input type="​hidden"​ name="​action"​ value="​login">​
 +<input type="​hidden"​ name="​location"​ value="​main_screen.html">​
 +<input type="​submit"​ name="​login_btn"​ value="​Login">​
 +</​form>​
 +</​body>​
 +</​html>​
 +-- end login.html --
 +
 +For database, I assume you have employee_tbl with at least theese fields defined:
 +login, password, session_id, and permission.
 +permission fields should contain decimal representation of binary number. e.g.
 +1    is regular user. on database stored as 1 (2 to the power of 0)
 +11    is power user. on database stored as 3 (2 to the power of 1 plus 2 to the power of 0)
 +111    is super user. on database stored as 7. You figure out why 7. :-)
 +
 +On every page that you want user to login and have proper permission to view it, start session ​
 +on every page and register variable sv_login and include MSD_lib.inc.php and call function ​
 +require_login("​1"​) for everyone that can login to be able to see page,
 +require_login("​3"​) for only power user and super user to be able to see page.
 +require_login("​7"​) for only super user to be able to see page.
 +
 +</​code>​
 +
 +
 +====== Client Side Code ======
 +Client side code is inherently insecure and error prone. ​ It should be used to reduce load on server, and input verified ​ by server. ​ Please include server verification code also in this section.
 +
 +===== Code Title =====
 +Description,​ change title as needed
 +
 +<code javascript>​
 +
 +</​code>​
 +
 +
 +
 +====== Candidate Code Suggestions ======
 +Add your suggestions and links here.
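Review bot: `require_login()` does not actually stop the page it guards: in the `!is_login()` branch the redirect `header("Location: http://$s_domain_name/login.html");` has no `exit` after it, so the calling page keeps executing and its protected output is sent along with the 302 to any client that ignores the Location header; add `exit;` immediately after that `header()` call, as the equivalent check in MSD_login.php already does. The permission check is also unreachable as written, because `$val` in `if ($val == "employee")` is never assigned anywhere in the listing, so every logged-in user falls into the `else` branch and gets `$is_ok = TRUE` whatever mask was passed to `require_login("7")` (and with register_globals enabled a request parameter named `val` would decide which branch runs); if that branch is ever reached, `if (mysql_num_rows != 1)` compares an undefined constant rather than the row count and should read `if (mysql_num_rows($result) != 1)`. Every query interpolates its input straight into SQL — `$HTTP_POST_VARS["login"]` in the login query and `$HTTP_SESSION_VARS["sv_login"]` in the session lookups — so the login name at least must be escaped (`mysql_real_escape_string`, or a prepared statement) before it reaches the query, and the unsalted `md5()` of the password should be replaced by a salted, slow password hash. Note also that the login path writes `session_id` into `employee_tbl` while `is_login()` and `require_login()` read it from `customer_tbl`, so as written an employee who logs in never appears logged in.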