  1. #1
    pompopom (SitePoint Evangelist)

    Authentication doesn't work (Fuecks' example)

    Hi everyone,

    I posted this message yesterday in the advanced section of the site, but I haven't got many replies (just 1, from a person with almost the same problem).
    So I'll just try my luck here, since I'm used to getting more response over here...

    I'm trying to get the authentication to work from Harry Fuecks' book, PHP Anthology Vol II.

    Now here's the problem: when I look in the code provided in the zip, I get in file 5.php a line looking like this:
    PHP Code:
    $auth=&new Auth ($db,'4.php','secret'); 
    Now in the book, however (at page 24), there's this line:
    PHP Code:
    $auth=&new Auth (&$db,'$loginUrl'); 
    OK, so the $loginUrl is a variable instead of a fixed value; that's not the problem.
    First of all: where's the 3rd argument in the second code snippet?
    When I use the first code line I always get redirected right away to the login form.
    When I use the second I get the error: "missing argument" (obviously).

    In the meanwhile I know the first code line mentioned here is the correct one, but my problem remains: why am I always redirected? I didn't change anything in the code I downloaded (besides the login etc. for the DB).

    First I thought the 'secret' argument had something to do with it, but the person that replied this morning explained to me it is just an extra "key" the md5 uses to encrypt password and login.

    1st: Did anyone encounter the same problem, and how did you solve this?
    2nd: Can this code be tested without having the other parts of the Access Control "installed", such as registering etc.?

    I have a DB installed with a memberlist and it has 2 columns (login, password). At the moment there's only one name (mine) with a login and password present in the field. I tried to put them unencrypted as well as md5 encrypted, but it doesn't make a difference...

    Any ideas?

    thx,
    koen
    The Path of excess leads to the tower of wisdom (W. Blake)

  2. #2
    pompopom (SitePoint Evangelist)
    got it going now...

    passwords must be md5, logins not...

    greetz
    The Path of excess leads to the tower of wisdom (W. Blake)

  3. #3
    SitePoint Evangelist

    hashkey for 3rd argument worthless? missing session_start(); and database connection

    I was having the same problem today.

    From the book ch1 Access Control:
    "As promised, using the Auth class is very easy. To secure a page with it, all you need to do is place this at the start:

    //Instantiate the Auth class
    $auth = &new Auth(&$db, $loginUrl);
    "
    /*
    * Side note in the book mentions you must include the Auth.php file that
    * contains the class definition.
    */

    He should also state that you need to keep your session alive with session_start()

    and that you need to instantiate your mysql connection
    $db = & new MySQL(DB_SERVER, DB_USER, DB_PASS, DB_NAME);


    and that the code he applies to any page you want protected is missing the 3rd argument... hashkey... You should always keep something on the server side that's unique and not stored in the session... I suggest not using the third argument... just change it inside the class from secret to something unique...

    Login_hash stops useless queries to the database... it encrypts username, password and "secret" together to form the hash value... As long as the session variables stay the same you will be logged in... which is the reason you have to keep your session alive.

    Although you can pass a third parameter, I would just delete that option from the class and make it static in the Auth class... specifically unique to your system and not inside the session variable...



    Thanks,

    Leblanc Meneses
    Last edited by leblanc; Feb 13, 2005 at 00:41.

  4. #4
    SitePoint Evangelist

    security

    After looking a little bit... yeah, I wouldn't put the hashkey in your session variables...

    Keep it static and known only to the owner of the site...

    http://www.php.net/manual/en/ref.session.php

    note: no need to keep it as a 3rd argument anyways...
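
Added example, not part of the thread and not the book's Auth class: a sketch of the login-hash check discussed in posts #3 and #4, with the key kept in server-side code instead of in the session. The function names, the key constant and the sample values are assumptions, and HMAC-SHA256 with hash_equals() stands in for the md5 concatenation the thread describes.

```php
<?php
// Added example; every name below is hypothetical, not taken from the book.

// Server-side key: lives in code or config and is never written to the session.
const LOGIN_HASH_KEY = 'replace-with-a-long-random-value'; // constructed placeholder

// Bind the login and the stored password hash to the server-side key.
// HMAC-SHA256 replaces the md5(login . password . secret) form described above.
function make_login_hash(string $login, string $passwordHash): string
{
    // The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    return hash_hmac('sha256', $login . "\0" . $passwordHash, LOGIN_HASH_KEY);
}

// Called once, after the database has confirmed the credentials.
function store_login(array &$session, string $login, string $passwordHash): void
{
    $session['login']      = $login;
    $session['password']   = $passwordHash;
    $session['login_hash'] = make_login_hash($login, $passwordHash);
}

// Called on every protected page: a recomputation, not a database query.
function session_is_valid(array $session): bool
{
    foreach (['login', 'password', 'login_hash'] as $field) {
        if (!isset($session[$field]) || !is_string($session[$field])) {
            // Nothing persisted, e.g. session_start() was never called.
            return false;
        }
    }
    $expected = make_login_hash($session['login'], $session['password']);
    return hash_equals($expected, $session['login_hash']); // constant-time compare
}

// Constructed demo on a plain array; a real page passes $_SESSION after session_start().
$session = [];
var_dump(session_is_valid($session));   // check on an empty session
store_login($session, 'alice', hash('sha256', 'constructed-password'));
var_dump(session_is_valid($session));   // check right after login
$session['login'] = 'admin';            // session data altered without the key
var_dump(session_is_valid($session));   // check after the alteration
```

Because the key never enters the session, a change to the stored login or password fields cannot be matched with a fresh hash from session contents alone.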

