[Phplib-users] RE: Phplib-users digest, Vol 1 #472 - 1 msg
From: T. R. <Te...@Te...> - 2003-11-07 14:25:14
I think I've found a solution to my problem - additional testing will bear out if this will work in the long haul.

The left hand column of my site always displays a "login/create account" box if auth[uid]==nobody. If you are truly logged in, that area of the screen instead displays a logout button. (The logout button just calls $sess->unauth() and reverts the user back to 'nobody' privileges.)

My login form POSTs to a page called /userHome.php (see snippet below) - which requires 'user' privileges and is not accessible to 'nobody'. The loginif(nobody) was causing users to be prompted for their username and password twice. I needed to find a way to tell the auth class that the login was already in progress. Listed below is the code that I'm tinkering with now.

--------------------------------------------------------
<?php
include("prepend.php");

page_open( array("sess" => "mySession", "auth" => "myAuth", "perm" => "myPerm") );

# Is the user trying to log on?
if( isset($HTTP_POST_VARS['username']) && $HTTP_POST_VARS['username']
    && isset($HTTP_POST_VARS['password']) && $HTTP_POST_VARS['password']
    && $auth->auth['uid']=="nobody" )
{
    # We tell the auth object that we just got back from calling
    # the login form and then we freeze the session.
    $auth->auth["uid"] = "form";
    $auth->auth["exp"] = 0x7fffffff;
    $auth->auth["refresh"] = 0x7fffffff;
    $sess->freeze();

    # Call page_open a second time, will cause auth_validatelogin() to fire
    # and authenticate the user.
    page_open( array("sess" => "mySession", "auth" => "myAuth", "perm" => "myPerm") );
}

$perm->check("user");
--------------------------------------------------------

The first call to page_open works just fine - the myAuth class permits 'nobody' and the user is authenticated as such. I examine the POST to "intercept" the username/password and then manually try to tell the auth class that we're in the middle of a login process. With the uid set to form, the second call to page_open forces auth_validatelogin to be fired.
Assuming the user authenticated themselves properly the rest of the script works as expected. We check for appropriate permissions and render the rest of the page.

Feedback and comments on my 'hack' are welcome.

Terry

-----Original Message-----
From: php...@li... [mailto:php...@li...]On Behalf Of php...@li...
Sent: Thursday, November 06, 2003 11:23 PM
To: php...@li...
Subject: Phplib-users digest, Vol 1 #472 - 1 msg

Today's Topics:
1. Switching User Contexts (T. Riedel)

--__--__--

Message: 1
From: "T. Riedel" <Te...@Te...>
To: <php...@li...>
Date: Thu, 6 Nov 2003 10:27:20 -0500
Subject: [Phplib-users] Switching User Contexts

I could use a little guidance from the list tracking a bug in my application.

My site has a set of publicly viewable pages, and several pages that require additional privileges. All pages reference a subclass of auth called "myAuth" which enables "nobody" and permits browsing of the publicly viewable pages.

When they enter their username and password, they are posting to a secured page called /userHome.php. /userHome.php sees the existing session and recognizes that the user is "authenticated" as nobody, but fails the next step of login_if($auth->auth['uid']=='nobody') which redirects them to a login page! The net effect is that the user thinks the first login attempt failed and the second attempt behaves normally.

Clearly, what I'm trying to accomplish and what I've written are widely divergent! So, what's the "proper" way to allow the users to switch between "nobody" and a real, authenticated user?
- Should I use two subclasses of auth - one that enables nobody and another that doesn't?
- Should I attempt to detect the logon by looking at HTTP_POST_VARS for the username and password and then trying to $sess->delete() and $auth->unauth() to "force" the start method to execute auth_validatelogin()?

Thanks in advance for your assistance!

terry
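
The double prompt and the workaround described in this message, as a simplified model added here; it is not code from the post or from PHPLIB. `ModelAuth`, `originalPage()`, `workaroundPage()` and the credentials are hypothetical, and the model assumes, as the post describes, that credentials are only validated while the uid is "form".

```php
<?php
// Simplified model of the flow in the post, not PHPLIB code. ModelAuth, the page
// functions and the credential table are hypothetical names, constructed values.
final class ModelAuth
{
    public string $uid = 'nobody';   // auth state kept in the session between requests
    private array $users = ['terry' => 'constructed-password'];
    // Stand-in for the auth step of page_open(): credentials are only examined
    // while a login is in progress (uid == "form").
    public function start(array $post): bool
    {
        if ($this->uid !== 'form') {
            return true;             // "nobody" or a real user: nothing to validate
        }
        $u = $post['username'] ?? '';
        $ok = isset($this->users[$u]) && hash_equals($this->users[$u], $post['password'] ?? '');
        if ($ok) {
            $this->uid = $u;         // the uid auth_validatelogin() would return
        }
        return $ok;                  // false: still "form", the login form comes back
    }
}

// Original page: "nobody" is bounced to the login form, so the first POST is lost.
function originalPage(ModelAuth $auth, array $post): string
{
    if (!$auth->start($post) || $auth->uid === 'nobody') {
        $auth->uid = 'form';
        return 'login form';
    }
    return "userHome for {$auth->uid}";
}
// Workaround: mark the login as in progress, then run the auth step a second time.
function workaroundPage(ModelAuth $auth, array $post): string
{
    $auth->start($post);
    if (!empty($post['username']) && !empty($post['password']) && $auth->uid === 'nobody') {
        $auth->uid = 'form';
    }
    if (!$auth->start($post)) {
        return 'login form';         // bad credentials never reach the permission check
    }
    return $auth->uid === 'nobody' ? 'denied by perm check' : "userHome for {$auth->uid}";
}

// Constructed requests: the same valid POST sent twice, then one POST per variant.
$good = ['username' => 'terry', 'password' => 'constructed-password'];
$a = new ModelAuth();
echo originalPage($a, $good), ' then ', originalPage($a, $good), "\n";
echo workaroundPage(new ModelAuth(), $good), "\n";
echo workaroundPage(new ModelAuth(), ['password' => 'wrong'] + $good), "\n";
```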