Re: [Phplib-users] Form POST data not making it into auth_preauth()
From: Nathaniel P. <np...@te...> - 2004-10-13 20:45:46
Robert Van Overmeiren wrote:
>Hello,
>
>I have a secure https site running on Java Tomcat and I want to be able
>to access an application built on PHP and PHPlib. I'm thinking I can
>have a link that submits a form with the username/password as hidden
>inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
>in 2000) to my extension of the 'Auth' class:
>
>function auth_preauth() {
>    global $do_preauth, $username, $password;
>    $uid = false;
>    if (isset($do_preauth)) {
>        $this->db->query(sprintf("select user_id, perms ".
>                                 " from %s ".
>                                 " where username = '%s' ".
>                                 " and password = '%s'",
>                                 $this->database_table,
>                                 addslashes($username),
>                                 addslashes($password)));
>        while($this->db->next_record()) {
>            $uid = $this->db->f("user_id");
>            $this->auth["perm"] = $this->db->f("perms");
>            $this->auth["uname"] = $username;
>        }
>    }
>    return $uid;
>}
>
>The function is very similar to the 'auth_validatelogin()' function, but
>is called earlier in the whole process - before 'auth_loginform()'. It
>is supposed to allow someone to use their own login form, and to bypass
>the default form.
>
>If I hard code in the username and password, I get authenticated and go
>straight in.
>If I use a GET request method in the form, I can get in, but then the
>password is in the URL.
>I can't get my form data into the variables via POST Method - which is
>what I want to use.
>The posting to phpbuilder doesn't say you need to do anything to get the
>data into variables.
>

Well, looking at your code, my guess would be that register_globals is off in your setup, and that instead of auth_preauth() getting your form data from $_POST like it should, it is trying to get it from the global variable space. PHPlib was originally coded around the assumption that register_globals was on; it's only relatively recently (around 2003, I think?) that the register_globals issue was fixed to work whether or not PHP ran with register_globals off.

I'd suggest replacing this line:

global $do_preauth, $username, $password;

with something that looks like this:

//In addition to supplying a username and password, the form must have an element
//named 'do_preauth' which is set to something that evaluates to TRUE in PHP, in order
//for the preauth function to work.
$do_preauth = $_POST['do_preauth'];
$username = $_POST['username'];
$password = $_POST['password'];

However, I can't be sure that this is the problem... It might be helpful if you post some sample code of the form you're submitting from as well as a stripped down version of the code you are using on your page. If you have customized other parts of PHPlib (aside from setting the database parameters), that might be useful to know as well. Also, are you using PHP3 or PHP4 sessions (i.e. are you using prepend.php or prepend.php3 to include PHPlib)? From your quoted start() code below, it seems like you're using PHPlib's PHP3-compatible sessions.

Finally, one thing that has helped me understand PHPlib's auth system much better is this explanation here: http://www.drostan.org/Application/webdev/uod/auth_phplib.php

At its core, the auth_preauth function is nothing special... all it needs to do to do its job is somehow return a PHPlib userid instead of false.

>I've been dissecting the phplib files and find that 'page_open()' calls
>a 'start()' function from the 'Session' class, then a 'start()' function
>from the 'Auth' class (and another from the 'User' class). The Session
>'start()' function makes a series of function calls itself:
>
>    function start($sid = "") {
>        $this->set_container();
>        $this->set_tokenname();
>        $this->put_headers();
>        $this->release_token($sid);
>        $this->get_id($sid);
>        $this->thaw();
>        $this->gc();
>    }
>
>I can echo back form data ($_POST['username']) up to point of the
>'release_token()' function. After that the data is gone and I can't get
>it back.
>

release_token() includes code that will cause a redirect (specifically, it sends a 302: Moved Temporarily header and redirects to itself, appending a session id to the URL) if $sess->mode is set to 'get' or $sess->fallback_mode is set to 'get' and it doesn't detect that a session cookie is set. Since the script tries to detect the cookie before it gets set (that occurs in get_id()) when you first enter a page without an existing session cookie set on your browser, it will /always/ redirect, even if your browser supports cookies. This is probably what is causing you to lose your $_POST data.

You can work around this by setting $sess->mode to 'cookie' and $sess->fallback_mode to null or false, as this will keep the code from triggering a redirect. Unless you have a very good reason for supporting browsers where the user has turned cookies off (or even more rarely, one that doesn't support cookies), this should be an adequate solution.

There may be a better solution that will support 'get' mode, but I can't think of one off the top of my head. You'd have to store your post data in the session somewhere after the call to get_id() in release_token() or something, and then have some corresponding mechanism for digging it back out again. If you can switch to using PHP4-style sessions for PHPlib, you might be able to do that more easily, as you could then store the $_POST data in a PHP4 session natively, bypassing most of PHPlib's session handling.

>What do I have to do to get the form data into the 'auth_preauth()'
>function?
>
>Of course, if you can suggest other ways to pass credentials between
>Tomcat container managed security and phplib, I'd be interested.
>

The main problem is that it depends on credentials set at the client end. So, basically, unless your Tomcat app can set a cookie that can later be read by PHP and both your Tomcat app and PHP app are accessed through the same domain name and protocol (i.e. both are accessed through HTTPS), you're out of luck. PHP would also need to have access to the same data store that you use to keep track of the session in Tomcat.

Hope that helps.

-- 
___________________________
Nathaniel Price
http://www.tesserportal.net
Webmaster
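As an added example (not code from this thread or from PHPlib itself), here is what the reply's two suggestions look like when combined: an auth_preauth() that takes its credentials from $_POST only and rejects anything else, and a Session subclass pinned to cookie mode so release_token() never 302-redirects and discards the POST body. It assumes PHPlib's Auth/Session classes and the DB API used in the thread (query(), next_record(), f()), a current PHP that has password_verify(), and a password column holding a password_hash() value; the class names, the 'auth_user' table and the magic string are placeholders.

```php
<?php
// Added example, not PHPlib's own code. Assumes PHPlib's Session and Auth
// base classes are already included (prepend.php / local.inc style).

class Example_Session extends Session {
    var $classname     = "Example_Session";
    var $mode          = "cookie"; // session id travels in a cookie only...
    var $fallback_mode = false;    // ...so release_token() never redirects to a ?sid URL
    var $cookiename    = "";       // PHPlib default: use $classname as the cookie name
    var $magic         = "CHANGE-ME-PER-SITE"; // placeholder; PHPlib mixes this into ids
}

class Example_Auth extends Auth {
    var $classname      = "Example_Auth";
    var $database_table = "auth_user"; // placeholder table name

    // Returns a PHPlib user id on success, false otherwise (the only contract
    // auth_preauth() has to honour).
    function auth_preauth() {
        // Credentials are accepted from a POST body only: a GET form would
        // leave the password in the URL, server logs and browser history.
        if ($_SERVER['REQUEST_METHOD'] !== 'POST'
            || empty($_POST['do_preauth'])
            || !isset($_POST['username'], $_POST['password'])) {
            return false;
        }
        $username = (string) $_POST['username'];
        $password = (string) $_POST['password'];

        // Look the account up by username only; the password itself never
        // becomes part of the SQL string. addslashes() is the escaping the
        // thread's DB layer offers; use the driver's escaper if yours has one.
        $this->db->query(sprintf(
            "select user_id, perms, password from %s where username = '%s'",
            $this->database_table, addslashes($username)));
        if (!$this->db->next_record()) {
            return false; // unknown user
        }
        // Compare against the stored password_hash() value in constant time.
        if (!password_verify($password, $this->db->f("password"))) {
            return false; // wrong password
        }
        $this->auth["perm"]  = $this->db->f("perms");
        $this->auth["uname"] = $username;
        return $this->db->f("user_id");
    }
}
```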