Ravens PHP Scripts: Forums
 

 

Donovan
Client
Joined: Oct 07, 2003
Posts: 735
Location: Ohio

PostPosted: Tue Apr 08, 2008 10:23 am

I need to authenticate users and allow these students to see their grades and post a Peer Evaluation on their team members.

I have 6 or 7 functions on a single index.php page that handle everything.

function DisplayLogin()
function AuthStudent()
function TLStudentGrades()
function TLAddY1PeerEvals()
function TLInsertY1PeerEvals()
function TLViewY1PeerEvals()

The student needs to log in through DisplayLogin, then gets passed to AuthStudent, then TLStudentGrades and finally TLAddY1PeerEvals.

AuthStudent binds to an LDAP server with their username and password. Once authenticated I need a way to pass the username throughout all my functions.

I was thinking of something like this.

Code:
// escape the LDAP user name before it goes into the query (prevents SQL injection)
$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '" . mysql_real_escape_string($authuser) . "'");
if ($db->sql_numrows($sql) == 1) {
    // a row was returned, so authentication was successful
    // create session and set cookie with username
    session_start();
    $_SESSION['auth'] = 1;
    setcookie("authuser", $_POST['username'], time()+1800);
    TLStudentGrades($authuser);
}


I believe this sets the name of my cookie for 30 minutes and passes the $authuser to TLStudentGrades.

Could I now call the value of $authuser from any of my functions?

Do I need to worry about passing $authuser from a link? I don't want to include it in the url for security reasons.

Here is where the link is...
Code:
echo "<td width='10%' align='center'><a href='modules.php?name=Your_Account&amp;op=TLAddY1PeerEvals&amp;Course_Number=$Course_Number'><img src='modules/$modname/images/bluecurvedarrow.png' height='16' width='16' border='0' alt='Submit Peer Evals' title='Submit Peer Evals'></a>\n";
echo "</td></tr>\n";


I could go to TLAddY1PeerEvals but I still need to find the value of $authuser.
 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Tue Apr 08, 2008 7:18 pm

I don't think you need to use both sessions and cookies. You could probably just stick $authuser in a session variable and have it persist as long as the user is signed on. I do that in a custom module I created and it's worked fine for years. All your functions should have access to $_SESSION['authuser']. In development mode I would put echoes in just to make sure the values are being set and read correctly in all the places where you set or access them, then remove the echoes when things work.
 
Donovan

PostPosted: Wed Apr 09, 2008 7:59 am

My problem lies in here.

I can create the session fine.

Code:
// escape the LDAP user name before it goes into the query (prevents SQL injection)
$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '" . mysql_real_escape_string($authuser) . "'");

if ($db->sql_numrows($sql) == 1) {
    // a row was returned, so authentication was successful
    // create session
    session_start();
    $_SESSION['authuser'] = $authuser;
    $_SESSION['sid'] = session_id();
    // Let's make it more secure by storing the user's IP address.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];

    TLStudentGrades($authuser);
} else {
    // no result: authentication failed
}


I can get to TLStudentGrades and it displays the correct account for whoever is logged in.

I can't however get to these other functions with the session intact by using the following links.

Code:
echo "<td width='10%' align='center'><a href='modules.php?name=Your_Account&amp;op=TLViewY1PeerEvals&amp;Course_Number=$Course_Number'><img src='modules/$modname/images/bluecurvedarrow.png' height='16' width='16' border='0' alt='Submit Peer Evals' title='Submit Peer Evals'></a>\n";
echo "</td></tr>\n";


When I do get to this page I get "Session data is invalid"

Code:
function TLViewY1PeerEvals($authuser) {
    global $prefix, $db;
    include("header.php");
    if (isset($_SESSION['authuser'])) {
        $authuser = $_SESSION['authuser'];
    } else {
        die('Session data is invalid!!!');
    }
    // ... rest of the function
}


I don't know if I should pass $authuser as an argument.

It worked here by calling the function and passing a value.

TLStudentGrades($authuser);

But how do I do this with a link?

I don't want the session to appear in the url.

You state ...

Quote:
All your functions should have access to $_SESSION['authuser']


Could you give me an example how to retrieve the value?
 
fkelly

PostPosted: Wed Apr 09, 2008 8:25 am

Try inserting a session_start(); before you try to retrieve the value. Like after you include header.php in that last code segment. I can't guarantee it but I've had to do things like that.

On the other hand, if you've retrieved authuser from the session variable in the calling program and stuffed it into a $authuser variable and then called the function using that then you shouldn't need to retrieve it from the session variable inside the function.

As you know from Googling, there are some excellent and detailed articles about improving the security of sessions by sticking IPs in there and by some other means. You might find some code samples there that you can use; I haven't reread them in quite a while.
 
Donovan

PostPosted: Tue Oct 07, 2008 9:45 am

Since this application may be accessed on public computers I need a way to limit sessions to just 15 minutes, or destroy the session when they close the browser.

I found this while browsing... is this a true statement?

Quote:
How do you limit the life of the session on the client?

You do this by setting the maximum life of the session cookie (if you're using cookies, which you should be, they're the most secure method).

session_set_cookie_params(1800, '/');
 
Donovan

PostPosted: Tue Oct 07, 2008 10:23 am

The reason I'm asking is that it seems when I close the browser I can still open a new browser window and access the same information.

I set my session like so.

Code:
// escape the LDAP user name before it goes into the query (prevents SQL injection)
$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '" . mysql_real_escape_string($authuser) . "'");

if ($db->sql_numrows($sql) == 1) {
    // a row was returned, so authentication was successful
    // set session variables
    $_SESSION['authuser'] = $authuser;
    $_SESSION['sid'] = session_id();
    // Let's make it more secure by storing the user's IP address.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    header("Location: modules.php?name=$module_name&op=nav");
    exit; // stop here; otherwise the rest of the page still runs after the redirect header
}


At the top of the page I have this.

Code:
##################################################
# Start the session                              #
##################################################
session_start();
if (isset($_SESSION['authuser'])) {
   $authuser = $_SESSION['authuser'];
} else {
   $authuser = '';
}


How am I able to see information from a new browser window?
 
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Wed Oct 08, 2008 12:00 am

Sessions generate cookies, but even more importantly, they generate a file on the server as well, allowing for double authentication. This allows the system to do two things. One, it checks the cookie against the session file, and if they don't match, the cookie and session expire, creating a far more secure connection. Two, it can use just the server side if cookies are disabled, allowing for more flexibility.

Sessions will use whatever they can; if cookies are disabled, they will use just the data on the server, which they compare against the other things, like IP, browser information and a few other pieces of data in the global scope.

I believe whoever wrote that wasn't referring to your standard make-a-cookie-for-authentication; if they were, they need to see how hackers/exploiters use cookie hacks and such.

Sessions are far more secure, and remember, unless you call session_start, sessions don't work, unlike cookies, where cookies can be called whether anything was started or not.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
Donovan

PostPosted: Thu Oct 09, 2008 8:12 am

If the user closes the browser and then opens up a new browser would it then create a new $_SESSION['sid'] = session_id(); each time?

I think my problem is at the top of my page I have this.
Code:
if (isset($_SESSION['authuser'])) {
    $authuser = $_SESSION['authuser'];
}


and $authuser is still set... hence no login needed.

Maybe if I compare 'sid' to the cookie on the client I could force a login if they are different.

How could I compare the server file to the client cookie?
 
gregexp

PostPosted: Thu Oct 09, 2008 7:21 pm

Have you started sessions with session_start()?

Remember, sessions will NOT retrieve any data without the session_start() function, and no, it doesn't start sessions as the function name implies.

It initiates the session variables, and if a session already exists, it makes the old session's data usable again. If no session data can be retrieved, then it starts a new one.

But it has to have session_start() to pull the data.
 
Donovan

PostPosted: Thu Oct 09, 2008 7:25 pm

This is at the top of my page.

Code:
##################################################
# Start the session                              #
##################################################
session_start();
if (isset($_SESSION['authuser'])) {
   $authuser = $_SESSION['authuser'];
} else {
   $authuser = '';
}
 
gregexp

PostPosted: Thu Oct 09, 2008 7:27 pm

Have you tried to print out the session variable?

do: print_r($_SESSION);

Test your functions as they go. Output will always help in figuring out the nature of what you are trying to do.
 
gregexp

PostPosted: Thu Oct 09, 2008 7:42 pm

If you would like, Donovan, you can hit me up on whatever medium you prefer; I'm sure we can get this sorted out for you.
 
Donovan

PostPosted: Thu Oct 09, 2008 7:48 pm

I'm just worried that these students will use a public computer and close the browser without logging out. Another medical student could use the same computer and, without authenticating, see someone else's grades.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Sun Oct 12, 2008 9:07 am

Another good practice is to change the session id every so often, say every 5 - 10 minutes. See this:
[ Only registered users can see links on this board! Get registered or login! ]

You might also want to review this:
[ Only registered users can see links on this board! Get registered or login! ]

And see if you can change the session timeout.

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
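The 15-minute limit on public computers, the "still visible from a new window" problem and montego's point about rotating the session id, as an added example that is not code from this thread or from RavenNuke: a session bootstrap that enforces the idle timeout on the server (so it holds even when a browser window still carries the cookie), binds the session to the client address, rotates the id periodically, and reads the user from $_SESSION instead of a URL parameter. The function names (tl_session_boot, tl_session_destroy, tl_require_login), the 900- and 300-second intervals, and the assumption that the login code sets $_SESSION['authuser'] and $_SESSION['ip'] as in the posted snippets are mine.

```php
<?php
// Added example, not code from the thread or from RavenNuke. Names like
// tl_session_boot() and the two intervals are assumptions; the login code
// is expected to set $_SESSION['authuser'] and $_SESSION['ip'] as posted.
define('TL_IDLE_LIMIT', 900);      // 15 minutes idle ends the session
define('TL_REGEN_INTERVAL', 300);  // rotate the session id every 5 minutes
function tl_session_boot() {
    // Lifetime 0 = a session cookie the browser discards on exit; HttpOnly
    // keeps page scripts from reading it. Must run before session_start().
    session_set_cookie_params(0, '/', '', false, true);
    session_start();
    $now = time();

    // Idle timeout checked on the server, so it holds even when a browser
    // window on a shared machine still carries the cookie.
    $expired = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > TL_IDLE_LIMIT;
    // Bind the session to the address it was created from (set at login).
    $moved = isset($_SESSION['ip']) && $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR'];
    if ($expired || $moved) {
        tl_session_destroy();
        session_start();              // fresh, empty session for this request
    }
    $_SESSION['last_seen'] = $now;

    // Periodic id rotation limits how long a leaked id stays usable.
    if (!isset($_SESSION['regen_at']) || ($now - $_SESSION['regen_at']) > TL_REGEN_INTERVAL) {
        session_regenerate_id(true);  // true deletes the old session file
        $_SESSION['regen_at'] = $now;
    }
}

function tl_session_destroy() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Gate for TLViewY1PeerEvals and friends: returns the logged-in LDAP user,
// or redirects to the login form and stops; nothing travels in the URL.
function tl_require_login($login_url) {
    if (empty($_SESSION['authuser'])) {
        header('Location: ' . $login_url);
        exit;                         // without this the page still renders
    }
    return $_SESSION['authuser'];
}
```

Call tl_session_boot() once at the top of the page in place of the bare session_start(), then `$authuser = tl_require_login('modules.php?name=Your_Account');` in each protected function; a logout link simply calls tl_session_destroy().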
Donovan

PostPosted: Mon Oct 13, 2008 11:40 am

Thanks for your help.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 