Apologies for the long post.
I use this approach: (simplified) at the top of every page,
before any HTML. Pop it into an include right at the top.
I have not included all the utility functions, e.g. LogQuietAlert().
regards
Jeff
<?php
#===============================================================================
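# Initialise session array
# ---------------------------------------------------------------------------
# Page guard: included before any HTML output, because it may redirect with
# header(). It relies on register_globals: $sesh, $act, $UserName, $Password,
# $cookSPID, $PHP_SELF, $REMOTE_ADDR and $SSL_SESSION_ID arrive as globals.
session_start();
if (!isset($sesh)) {
    session_register('sesh');
    $sesh = array();
}

# If they are not logged in - send them to the /login page
if (!$sesh[_loggedin] and !isUtilityPage()) {
    $sesh[_target] = TopPage($PHP_SELF); # Remember where they were going
    gotoPage("/login");
}

# This is updated by the login function if a login fails
# Print it on your page somewhere to let the user know
# that their login failed
$message = '';

# I leave the action on my FORMs empty, so the user
# will return to the same page when they press SUBMIT
# $act is the name of the submit button/link etc
# Strict comparison: with loose ==, a request value of 0 compared equal to
# 'login' on pre-8 PHP.
if ($act === 'login') {
    if (!$UserName || !$Password) {
        $message = "Missing Username or Password [From: $REMOTE_ADDR]";
    } elseif (login($UserName, $Password)) {
        # Token that binds this browser to the session; it is re-checked on
        # every non-utility page below. rand() seeded from microtime() is
        # easy to guess, so derive the token from uniqid() with extra entropy
        # (the strongest source available on PHP 4-era builds).
        $randval = md5(uniqid(mt_rand(), true));
        setcookie('cookUserName', $UserName, time() + (180 * 86400), '', '', 1);
        # Note that this is a session cookie, not persistant
        setcookie('cookSPID', $randval, 0, '', '', 1);
        $sesh[_cookSPID] = $randval;
        $sesh[_sslSESH] = $SSL_SESSION_ID;
        # Only bounce back to a site-local path. A missing target (login page
        # opened directly) or one that is not a local absolute path falls
        # back to the default page instead of an empty or external Location.
        $target = isset($sesh[_target]) ? $sesh[_target] : '';
        if (substr($target, 0, 1) !== '/' || substr($target, 0, 2) === '//') {
            $target = '/index';
        }
        gotoPage($target);
    } else {
        $message = "Invalid Username/Password [From: $REMOTE_ADDR]";
    }
}

if (!isUtilityPage()) {
    # Check that the user is not attempting to spoof the session.
    # Compare as strings: an absent cookie, or a non-numeric cookie value,
    # must never loosely compare equal to the stored token, and a session
    # that has no token at all is treated as not authenticated.
    $expected = isset($sesh[_cookSPID]) ? (string) $sesh[_cookSPID] : '';
    $presented = isset($cookSPID) ? (string) $cookSPID : '';
    if ($expected === '' || $presented !== $expected) {
        LogQuietAlert("$PHP_SELF $sesh[_email] at $sesh[_client_id] "
            . "has a cookSPID mismatch: Attempt to spoof session?<BR>");
        gotoPage("/login");
    }
}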
#===============================================================================
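function login($UserName, $Password) {
    # Checks username/password against the user table and fills $sesh.
    # Returns 1 on success (with $sesh[_loggedin] and the user fields set),
    # 0 on failure (with $message carrying the text to show the user).
    global $sesh, $message, $REMOTE_ADDR;
    $sesh[_user] = $UserName;
    $sesh[_loggedin] = 0;
    $sesh[_user_id] = '';
    $sesh[_role] = '';
    $sesh[_name] = '';
    $sesh[_client_id] = '';
    if (!$UserName or !$Password) {
        return 0;
    }
    $UserName = strtolower($UserName);
    # Both values come straight from the login form, so they must be escaped
    # before being spliced into the WHERE clause; concatenating them raw is a
    # textbook SQL injection. A bound-parameter query would be better still if
    # runSQL() supports one. mysql_escape_string() is used rather than the
    # connection-aware variant because no connection is guaranteed to be open
    # before runSQL() runs.
    $safeUser = mysql_escape_string($UserName);
    $safePass = mysql_escape_string($Password);
    # PASSWORD() with a fixed salt is MySQL's own hash; changing the scheme
    # would invalidate every stored credential, so it is left as-is here.
    $sth = runSQL('get_user_login', array(
        where => "user='$safeUser' and
password=PASSWORD('MySalt$safePass')"
    ));
    # A failed query (runSQL returning false) counts as a failed login.
    if (!$sth || !mysql_num_rows($sth)) {
        # Invalid UserName/Password - log a quiet alert.
        # The submitted password is deliberately not written to the log:
        # failed attempts are often near-misses of the real password.
        LogAlert("Login failure: $UserName from $REMOTE_ADDR<BR>");
        $message = "Invalid username/password [from $REMOTE_ADDR]";
        return 0;
    }
    $rec = mysql_fetch_array($sth, MYSQL_ASSOC);
    $sesh[_loggedin] = 1;
    $sesh[_user_id] = $rec[user_id];
    $sesh[_email] = $rec[email];
    $sesh[_role] = $rec[role];
    $sesh[_name] = $rec[name];
    $sesh[_client_id] = $rec[client_id];
    return 1;
}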
#===============================================================================
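function gotoPage($page = "/index") {
    # Redirects the browser to $page and stops the script, so nothing after
    # the redirect (page content, later checks) is ever sent.
    # $page can derive from request data ($sesh[_target] is built from
    # $PHP_SELF), so CR/LF are stripped first: on PHP releases that do not
    # reject them, a newline inside a header value lets the caller-supplied
    # string inject additional response headers.
    $page = str_replace(array("\r", "\n"), '', $page);
    header("Location: $page");
    exit; # Old browsers get no further!
}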
#===============================================================================
function isUtilityPage() {
    # Returns 1 when the current script path ($PHP_SELF) looks like one of
    # the "utility" pages reachable without a login (login, index,
    # unavailable, error, disclaimer), otherwise 0.
    # NOTE(review): stristr() is a case-insensitive substring test over the
    # whole path, so any script whose path merely contains one of these words
    # (a directory or file named "...error...", for instance) is also treated
    # as a utility page and skips the login check. Matching basename() against
    # an exact list of page names would be tighter; confirm the real page
    # names before changing it.
    global $PHP_SELF;
    $markers = array('login', 'index', 'unavail', 'error', 'disclaimer');
    foreach ($markers as $marker) {
        if (stristr($PHP_SELF, $marker)) {
            return 1;
        }
    }
    return 0;
}
#===============================================================================
?>