Question

I am trying to modify the following OS login script I found so that, when a user has a valid session or a "remember me" cookie, file A.php is included, and if they are not logged in, file B.php is included.

I can't seem to solve this simple task on my own... any help would be great. Thank you.

if (!isset($_SESSION['user_id']) && !isset($_SESSION['user_name']))
{
    if (isset($_COOKIE['user_id']) && isset($_COOKIE['user_key'])) {
        /* we double check cookie expiry time against stored in database */

        $cookie_user_id = filter($_COOKIE['user_id']);
        $rs_ctime = mysql_query("select `ckey`,`ctime` from `users` where `id` ='$cookie_user_id'") or die(mysql_error());
        list($ckey, $ctime) = mysql_fetch_row($rs_ctime);
        // cookie expiry
        if ((time() - $ctime) > 60*60*24*COOKIE_TIME_OUT) {
            logout();
        }
        /* Security check with untrusted cookies - don't trust value stored in cookie.
           We also do an authentication check that the `ckey` stored in the cookie matches the one stored in the database during login */

        if (!empty($ckey) && is_numeric($_COOKIE['user_id']) && isUserID($_COOKIE['user_name']) && $_COOKIE['user_key'] == sha1($ckey)) {
            session_regenerate_id(); // against session fixation attacks.

            $_SESSION['user_id'] = $_COOKIE['user_id'];
            $_SESSION['user_name'] = $_COOKIE['user_name'];
            /* query user level from database instead of storing in cookies */
            list($user_level) = mysql_fetch_row(mysql_query("select user_level from users where id='$_SESSION[user_id]'"));

            $_SESSION['user_level'] = $user_level;
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

            include('file A.php');
        }
        else {
            logout();
        }

    } else {
        exit();
    }
}
}

function logout()
{
    global $db;
    session_start();

    if (isset($_SESSION['user_id']) || isset($_COOKIE['user_id'])) {
        mysql_query("update `users`
                    set `ckey`= '', `ctime`= ''
                    where `id`='$_SESSION[user_id]' OR `id` = '$_COOKIE[user_id]'") or die(mysql_error());
    }

    /************ Delete the sessions ****************/
    unset($_SESSION['user_id']);
    unset($_SESSION['user_name']);
    unset($_SESSION['user_level']);
    unset($_SESSION['HTTP_USER_AGENT']);
    session_unset();
    session_destroy();

    /* Delete the cookies *******************/
    setcookie("user_id", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
    setcookie("user_name", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
    setcookie("user_key", '', time()-60*60*24*COOKIE_TIME_OUT, "/");

    include('file B.php');
}

Solution

You want this to work if a user has a session or if a user has a cookie, yes? If so, the script stops working on the first line.

If the user has an active session, the script just stops right there. You would want to move your core code to another function and call it in an else condition.

if session exists
 do this
else if cookie exists
 do that
else
 do it

You also have an extra } on line 39.

Update -

<?php
// The script reads $_SESSION, so a session must be active; the guard keeps the
// call harmless when the including page has already started one.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (isset($_SESSION['user_id']) && isset($_SESSION['user_name']))
{
    include 'file A.php';
}
else if (isset($_COOKIE['user_id']) && isset($_COOKIE['user_key'])) {
    /* we double check cookie expiry time against stored in database */
    // filter() and isUserID() come from the original login script; the int cast
    // keeps the untrusted cookie value from altering the query
    $cookie_user_id = (int) filter($_COOKIE['user_id']);
    $rs_ctime = mysql_query("select `ckey`,`ctime` from `users` where `id` = '$cookie_user_id'") or die(mysql_error());
    list($ckey, $ctime) = mysql_fetch_row($rs_ctime);

    /* Security check with untrusted cookies - don't trust the value stored in the cookie.
       We also check that the `ckey` stored in the cookie matches the one stored in the database during login. */
    if ((time() - (int) $ctime) > 60*60*24*COOKIE_TIME_OUT) {
        // cookie expiry: log out and stop here, so the key check below cannot still succeed
        logout();
    }
    else if (!empty($ckey) && is_numeric($_COOKIE['user_id']) && isset($_COOKIE['user_name']) && isUserID($_COOKIE['user_name'])
             && hash_equals(sha1($ckey), (string) $_COOKIE['user_key'])) { // constant-time, strict comparison
        session_regenerate_id(); // against session fixation attacks.

        $_SESSION['user_id'] = (int) $_COOKIE['user_id'];
        $_SESSION['user_name'] = $_COOKIE['user_name'];
        /* query user level from database instead of storing in cookies */
        list($user_level) = mysql_fetch_row(mysql_query("select `user_level` from `users` where `id` = '{$_SESSION['user_id']}'"));

        $_SESSION['user_level'] = $user_level;
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

        include 'file A.php';
    }
    else {
        logout();
    }
}
else {
    logout();
}

function logout()
{
    global $db;

    if (isset($_SESSION['user_id']) || isset($_COOKIE['user_id'])) {
        // cast both ids to int: the cookie value is untrusted input going into the query
        $session_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
        $cookie_id  = isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : 0;
        mysql_query("update `users`
                    set `ckey` = '', `ctime` = ''
                    where `id` = '$session_id' OR `id` = '$cookie_id'") or die(mysql_error());
    }

    /************ Delete the sessions ****************/
    unset($_SESSION['user_id']);
    unset($_SESSION['user_name']);
    unset($_SESSION['user_level']);
    unset($_SESSION['HTTP_USER_AGENT']);
    session_unset();
    session_destroy();

    /* Delete the cookies *******************/
    setcookie("user_id", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
    setcookie("user_name", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
    setcookie("user_key", '', time()-60*60*24*COOKIE_TIME_OUT, "/");

    include 'file B.php';
}

?>

I've changed the exit() to logout(). It may be what you want if the user is not logged in and you still want him to see file B. Otherwise, you can replace it with exit(). Also, note that I've changed the first condition.

What this does is

if user has an active session
 show file A
else if user has an active cookie
 if all conditions have met show file A 
 else show file B
else
 show file B
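The decision tree above written as a pure PHP function, added here as an example that is not part of the question or the answer. It assumes the session, the cookie and the `ckey`/`ctime` row from the users table are passed in as plain arrays instead of being read from $_SESSION, $_COOKIE and mysql_*, so every branch, including the expired-cookie case, can be checked without a database or a browser.

```php
<?php
// Returns the file the login script should include for the given state.
// $session and $cookie stand in for $_SESSION and $_COOKIE; $row is the
// [ckey, ctime] pair read from the users table, or null when no row exists.
function decide_view(array $session, array $cookie, ?array $row, int $now, int $timeoutDays): string
{
    // 1. A live session wins outright.
    if (isset($session['user_id'], $session['user_name'])) {
        return 'file A.php';
    }
    // 2. Otherwise fall back to the remember-me cookie pair.
    if (!isset($cookie['user_id'], $cookie['user_key']) || $row === null) {
        return 'file B.php';
    }
    [$ckey, $ctime] = $row;
    // Expired server-side timestamp: reject here and do NOT fall through to the key check.
    if (($now - (int) $ctime) > 60 * 60 * 24 * $timeoutDays) {
        return 'file B.php';
    }
    // Strict, constant-time comparison of the cookie key against sha1 of the stored ckey;
    // an empty ckey (cleared by logout) never validates.
    $valid = $ckey !== '' && ctype_digit((string) $cookie['user_id'])
        && hash_equals(sha1($ckey), (string) $cookie['user_key']);
    return $valid ? 'file A.php' : 'file B.php';
}

// Constructed scenarios; each assertion documents the expected outcome of one branch.
$now  = 1700000000;
$ckey = 'stored-random-key';
assert(decide_view(['user_id' => 7, 'user_name' => 'ann'], [], null, $now, 7) === 'file A.php');
assert(decide_view([], ['user_id' => '7', 'user_key' => sha1($ckey)], [$ckey, $now - 3600], $now, 7) === 'file A.php');
// Expired cookie: must be rejected even though the key itself would still match.
assert(decide_view([], ['user_id' => '7', 'user_key' => sha1($ckey)], [$ckey, $now - 8 * 86400], $now, 7) === 'file B.php');
// Wrong key, or ckey cleared by a previous logout.
assert(decide_view([], ['user_id' => '7', 'user_key' => 'bogus'], [$ckey, $now], $now, 7) === 'file B.php');
assert(decide_view([], ['user_id' => '7', 'user_key' => sha1('')], ['', $now], $now, 7) === 'file B.php');
// No session and no cookie at all.
assert(decide_view([], [], null, $now, 7) === 'file B.php');
echo "all branches behave as described\n";
```

Run it with `php -d zend.assertions=1 decide_view.php` so the assertions are actually evaluated.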
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow