Thread: Re: [Phplib-users] Default Auth? 7.2d
From: Layne W. <la...@if...> - 2002-02-13 18:23:11

> Now, I show a footer on all pages (including welcome.php) that
> has copyright info with links to a few things such as a Terms of
> Use document. All documents and articles on the site are viewed
> through library.php (which parses the articles into a template).
> Library.php uses my normal auth class and works fine, as long as
> the user is logged in, which is what I want...most of the time.
>
> However, I need to be able to grant access to Terms of Use, etc.
> to users who haven't logged in (such as viewing the document
> from welcome.php).

I don't even bother with default auth in these cases. In library.php I would do this:

    if("/terms_of_use.php" == $HTTP_SERVER_VARS["SCRIPT_NAME"]) {
      page_open(array("sess" => "My_Session"));
    } else {
      page_open(array("sess" => "My_Session", "auth" => "My_Auth"));
    }

Layne Weathers
Ifworld Inc.

From: Jacob H. <Jac...@fi...> - 2002-02-14 17:49:04

Thanks for the responses to the default auth issue. I've got it now. Perhaps the docs on default auth should be updated... The bit about $sess using only the first $auth class that is used over the course of its life was an important clue for me.

>>> <fr...@on...> 02/13/02 02:41PM >>>
On Wed, Feb 13, 2002 at 11:05:03AM -0700, Jacob Hanson wrote:
> The Default Auth feature seems like it should do the trick, but it's
> not working. I've set library.php to use my default_auth subclass, but
> I'm still getting the login page when I try to access library.php.

It doesn't work to use different Auth subclasses on different pages of the same website. Whatever Auth subclass appears in the first page_open() that the user visits will be the auth class for all pages visited in the site while that session persists.

A common approach to allowing unrestricted access to some pages and not others is to set up the application's Auth subclass to use "default authentication" -- $auth->nobody == true -- and then force login on restricted pages by using something like this right after calling page_open():

    $auth->login_if($auth->auth["uid"] == "nobody");

--
Fred Yankowski    fr...@on...    tel: +1.630.879.1312
OntoSys, Inc    PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com    38W242 Deerpath Rd, Batavia, IL 60510-9461, USA

From: Jacob H. <Jac...@fi...> - 2002-02-14 19:42:12

Ah! After further testing...

It seems as though having "nobody"-accessible links on your included loginform file can't work. I'm using Fred's method. If I access the other files directly, it works fine, but going through the links on the loginform, it doesn't.

Browsing the "default" page (home.php, which is protected, so the loginform will display for unauthenticated users) it turns out that I am correctly authenticated as "nobody" initially. But since I've got an if_login() hook in there to only allow authenticated users into home.php, if_login() nukes my "nobody" auth info, which breaks the public links on the loginform.

So it seems the only solution is to use welcome.php as an outside loginform (which would POST its login info to the protected page) and as the default page...and use a simple no-nonsense login form for the included loginform.

Hmmm...

>>> <fr...@on...> 02/13/02 02:41PM >>>
On Wed, Feb 13, 2002 at 11:05:03AM -0700, Jacob Hanson wrote:
> The Default Auth feature seems like it should do the trick, but it's
> not working. I've set library.php to use my default_auth subclass, but
> I'm still getting the login page when I try to access library.php.

It doesn't work to use different Auth subclasses on different pages of the same website. Whatever Auth subclass appears in the first page_open() that the user visits will be the auth class for all pages visited in the site while that session persists.

A common approach to allowing unrestricted access to some pages and not others is to set up the application's Auth subclass to use "default authentication" -- $auth->nobody == true -- and then force login on restricted pages by using something like this right after calling page_open():

    $auth->login_if($auth->auth["uid"] == "nobody");

--
Fred Yankowski    fr...@on...    tel: +1.630.879.1312
OntoSys, Inc    PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com    38W242 Deerpath Rd, Batavia, IL 60510-9461, USA

From: Jacob H. <Jac...@fi...> - 2002-02-14 22:47:17

Ok, after more hacking (yes, I'm still at it)...

It would seem that the "default authentication" setup is flawed because login_if destroys authentication. Once it's destroyed, there doesn't seem to be a way to get re-authenticated as "nobody". On my system, this forces the included loginform on every page that uses $auth, including the ones that are otherwise accessible by "nobody", such as the nice, external login form/title page I just created.

So basically, if a user who is authenticated as "nobody" attempts to access a protected page (which contains the following after page_open)

    $auth->login_if($auth->auth["uid"] == "nobody");

...authentication is destroyed and the user must log in in order to do *anything*.

The external login form I was talking about previously gets me around part of the problem, but still, if a user somehow manages to browse to a protected page, they get the simple included loginform and that's all they'll be able to get until they can get a different session.

It seems like the only answer is to not use $auth at all on non-protected pages, as Layne suggested. Although, I wish I could...

Jacob

>>> "Jacob Hanson" <Jac...@fi...> 02/14/02 12:41PM >>>
Ah! After further testing...

It seems as though having "nobody"-accessible links on your included loginform file can't work. I'm using Fred's method. If I access the other files directly, it works fine, but going through the links on the loginform, it doesn't.

Browsing the "default" page (home.php, which is protected, so the loginform will display for unauthenticated users) it turns out that I am correctly authenticated as "nobody" initially. But since I've got an if_login() hook in there to only allow authenticated users into home.php, if_login() nukes my "nobody" auth info, which breaks the public links on the loginform.

So it seems the only solution is to use welcome.php as an outside loginform (which would POST its login info to the protected page) and as the default page...and use a simple no-nonsense login form for the included loginform.

Hmmm...

--
Fred Yankowski    fr...@on...    tel: +1.630.879.1312
OntoSys, Inc    PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com    38W242 Deerpath Rd, Batavia, IL 60510-9461, USA

From: <fr...@on...> - 2002-02-15 17:57:21

On Thu, Feb 14, 2002 at 03:47:05PM -0700, Jacob Hanson wrote:
> It would seem that the "default authentication" setup is flawed because
> login_if destroys authentication. Once it's destroyed, there doesn't
> seem to be a way to get re-authenticated as "nobody".

If you set it up right, clicking the "Cancel" button on the login form will get you out of the modal login state and back to some accessible page. The login form/page acts much like a modal dialog box -- the visitor should exit it via one of the form's submit buttons.

As you say, while in that login state with phplib, all pages using authentication (i.e., those that specify an "auth" class in the page_open call) will demand a login. But why do you want to allow the visitor to access other pages while in the midst of login? If there is some "help" page that explains the login policy, perhaps you can avoid using an auth class at all with that page.

--
Fred Yankowski    fr...@on...    tel: +1.630.879.1312
OntoSys, Inc    PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com    38W242 Deerpath Rd, Batavia, IL 60510-9461, USA

From: Christian R. <ro...@in...> - 2002-02-16 02:57:56

Hello Jacob, Fred and All!

> > So basically, if a user who is authenticated as "nobody" attempts to
> > access a protected page (which contains the following after
> > page_open)
> >
> > $auth->login_if($auth->auth["uid"] == "nobody");
> >
> > ...authentication is destroyed and the user must login in order to do
> > *anything*.

I have the same problem here.

> If you set it up right, clicking the "Cancel" button on the login form
> will get you out of the modal login state and back to some accessible
> page.

My 7.2d didn't come with a login form with a "Cancel" button! Unless I missed something?

> The login form/page acts much like a modal dialog box -- the
> visitor should exit it via one of the form's submit buttons.

Why should it? I think it's perfectly normal for someone to access a protected page and then hit the "Home" link of the menu! From a user point of view, having to hit "cancel" on the login form to access the non-protected pages is not natural.

> As you say, while in that login state with phplib, all pages using
> authentication (i.e., those that specify an "auth" class in the
> page_open call) will demand a login.

There must be something we can do to change that!

> But why do you want to allow the visitor to access
> other pages while in the midst of login? If there is some "help" page
> that explains the login policy, perhaps you can avoid using an auth
> class at all with that page.

Here's why...

The home page will show different things depending on whether the user is logged in or not. For example, when the user is logged in, the menu of every page (including the home page which is public) shows the "Register" link when you are not logged in. When you ARE logged in the "Register" link is not there but it shows "Logged in as 'user123'."

So, the home page (and all public pages) must be able to determine if the user is logged in. One natural way (as per documentation) is to use Default Auth. Incoming users will be logged in as "nobody" until they log in!

When the user hits a protected page and decides to go back to the home page, he should still be logged in as "nobody"! He should not be presented with a login form on the home page, ever!

Possible solutions I am thinking to investigate:

1) Hack PHPLIB and fix it!
2) Use $sess on all pages to help track if you are logged in or not!
3) Change the '$auth->login_if($auth->auth["uid"] == "nobody");' by 'if($auth->auth["uid"] == "nobody") { include "loginform.php"; page_close(); exit; }' on all pages which are protected. The form will be displayed without having PHPLIB screw the "nobody" authentication.

I haven't tried any of those yet. I will probably try #1 and submit my changes here.

Good luck!

--
Christian Roy <cr...@in...>
Station InfiniWeb inc.
http://www.infiniweb.ca
/* Hébergement Web - Programmation Web - Sites Web - Nom de domaine */
/* Web Hosting - Web Programming - Instant Websites - Domain name */

From: Tarique S. <ta...@sa...> - 2002-02-16 04:13:48

On Fri, 15 Feb 2002, Christian Roy wrote:

> I have the same problem here.
>
> > If you set it up right, clicking the "Cancel" button on the login form
> > will get you out of the modal login state and back to some accessible
> > page.
>
> My 7.2d didn't come with a login form with a "Cancel" button!
> Unless I missed something?

No, the default form is minus the cancel button

    <input type="submit" name="cancel_login" value="Cancel Login">

Put this in the login form

> > The login form/page acts much like a modal dialog box -- the
> > visitor should exit it via one of the form's submit buttons.
>
> Why should it? I think it's perfectly normal for someone to access a
> protected page and then hit "Home" link of the menu! From a user point of
> view, having to hit "cancel" on the login form to access the non-protected
> pages is not natural.

Back button will work for a page without auth BUT for an authenticated page you have to hit cancel login

There was a solution to this long back on the older list though

HTH
Tarique

P.S. if this does not make it to the list please post it there :-)

--
==========================================================
PHP Applications for E-Biz : http://www.sanisoft.com
The Ultimate Ghazal Lexicon: http://www.aaina-e-ghazal.com
==========================================================

From: <fr...@on...> - 2002-02-16 14:16:19

On Fri, Feb 15, 2002 at 09:57:50PM -0500, Christian Roy wrote:
> Why should it? I think it's perfectly normal for someone to access a
> protected page and then hit "Home" link of the menu! From a user point of
> view, having to hit "cancel" on the login form to access the non-protected
> pages is not natural.

Once logged in it should work fine to move freely back and forth among those pages that require login and those that don't, without the visitor having to log in again (for the life of the session). I've created some phplib-based sites that work just that way. It's only the login form/page itself that is modal.

> The home page will show different things depending if the user is logged
> in or not.

That's easy to do:

    if (isset($auth) and isset($auth->auth['uname'])) {
        // display stuff for logged-in user
    } else {
        // display stuff for default user
    }

(I don't think it works to test $auth->auth['uid'], but I forget why.)

> When the user hit a protected page and decide to go back to the
> home page, he should still be logged in as "nobody"! He should not be
> presented with a login form on the home page, ever!

If the "cancel button" method is not sufficient for you, then you may have to hack phplib. As you say, "good luck"!

--
Fred Yankowski    fr...@on...    tel: +1.630.879.1312
OntoSys, Inc    PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com    38W242 Deerpath Rd, Batavia, IL 60510-9461, USA

From: Darryl M. <dar...@op...> - 2002-02-26 13:15:48

Hello All,

I've just started to follow this thread of discussion about Default Authentication and was having similar difficulty myself in coming up with an elegant solution to my dilemma, which sounds similar to what a few of you are experiencing.

Basically I wanted a website that had a menu along the top to access items such as forums, articles, files etc and also a menu down the lefthand side with a login form in this menu. Once the user logs in he/she can access the protected pages but also view the non protected pages with a personalised welcome message.

I tried to use the Default Auth method as suggested by Chris; however, when my login page is posted no authentication occurs even though the globals $username and $password are present in the HTTP vars. It seems like I'll have to send a flag/hidden field from the login page to say I want to auth the user now and change the page_open() on each page to include authorisation. Not sure what other way you could go about this. Does anybody else have any suggestions?

While I was writing this I thought it'd be good if there was a permission of 'all', so if a user with uid of 'nobody' entered the site and came across a page that had permissions of 'all' they could access it; however, if they hit a page of 'user' or 'admin' then they'd be taken to a page that says you don't have permissions to access that page and asks you to log in.

Anybody else have any thoughts on this?

Regards
Darryl

From: S. <bj...@ba...> - 2002-02-26 14:07:41

Hi,

* Darryl Morgan wrote:
> login page to say I want to auth the user now and change the page_open() on
> each page to include authorisation. Not sure what other way you could go
> about this. Does anybody else have any suggestions?

Consider overwriting auth_preauth() in your own auth class:

    function auth_preauth() {
      return $this->auth_validatelogin();
    }

and do an

    $auth->login_if($again);

after your page_open() call. $again has to be set from your login form (i.e. hidden field with value="yes").

--
PHP support * realistic performance measurements with code analysis
Web application development * PHP training * Consulting
0700-THINKPHP -*- bj...@th...

From: Darryl M. <dar...@op...> - 2002-02-27 01:19:16

Thanks for that example on how to do this. I'll have a look into that this afternoon but looks promising.

-----Original Message-----
From: php...@li... [mailto:php...@li...] On Behalf Of Björn Schotte
Sent: Wednesday, 27 February 2002 1:07 AM
To: php...@li...
Subject: Re: [Phplib-users] Re: Default Auth? 7.2d

Hi,

* Darryl Morgan wrote:
> login page to say I want to auth the user now and change the page_open() on
> each page to include authorisation. Not sure what other way you could go
> about this. Does anybody else have any suggestions?

Consider overwriting auth_preauth() in your own auth class:

    function auth_preauth() {
      return $this->auth_validatelogin();
    }

and do an

    $auth->login_if($again);

after your page_open() call. $again has to be set from your login form (i.e. hidden field with value="yes").

--
PHP support * realistic performance measurements with code analysis
Web application development * PHP training * Consulting
0700-THINKPHP -*- bj...@th...

_______________________________________________
Phplib-users mailing list
Php...@li...
https://lists.sourceforge.net/lists/listinfo/phplib-users

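The session behaviour the posters describe across this thread, as a small stand-alone model added here (it is not PHPLIB code and not from any poster): default auth as "nobody", the modal login state entered by login_if(), the Cancel exit, and the session-only page that never consults auth. ModelAuth, visit(), check_login(), the 'pending' marker, the page names and the credentials are all assumptions made for the illustration.

```php
<?php
// Simplified model of the session behaviour described in this thread. NOT PHPLIB code:
// ModelAuth, visit(), check_login(), the 'pending' marker and the page names are illustrative.
class ModelAuth {
    public $uid = 'nobody';   // default auth: a new session starts as "nobody"
    // As reported in the thread: forcing a login discards the current identity
    // and puts the session into the modal login state.
    function login_if($cond) {
        if ($cond) { $this->uid = 'pending'; }
    }
    // One request. $usesAuth: page names an "auth" class in page_open().
    // $protected: page forces login for "nobody". $post: submitted form fields.
    function visit($usesAuth, $protected, $post = array()) {
        if (!$usesAuth) { return 'content'; }           // auth is never consulted
        if ($this->uid === 'pending') {
            if (isset($post['cancel_login'])) {
                $this->uid = 'nobody';                  // Cancel exits the modal state
            } elseif (check_login($post)) {
                $this->uid = $post['username'];
            } else {
                return 'loginform';                     // every auth page demands login
            }
        }
        if ($protected) {
            $this->login_if($this->uid === 'nobody');
            if ($this->uid === 'pending') { return 'loginform'; }
        }
        return 'content as ' . $this->uid;
    }
}

function check_login($post) {   // constructed credentials, stands in for a user lookup
    return isset($post['username'], $post['password']) && $post['username'] === 'user123'
        && hash_equals('constructed-pw', $post['password']);
}

$auth  = new ModelAuth();       // a real site keeps this state in the session
$creds = array('username' => 'user123', 'password' => 'constructed-pw');
$steps = array(                 // label, usesAuth, protected, POST fields
    array('index.php (auth, public)',   true,  false, array()),
    array('members.php (protected)',    true,  true,  array()),
    array('index.php again',            true,  false, array()),
    array('terms.php (session only)',   false, false, array()),
    array('index.php + Cancel',         true,  false, array('cancel_login' => 'Cancel Login')),
    array('members.php',                true,  true,  array()),
    array('members.php + credentials',  true,  true,  $creds),
);
foreach ($steps as $s) { printf("%-28s -> %s\n", $s[0], $auth->visit($s[1], $s[2], $s[3])); }
```

In the model, credentials are only checked while the login state is pending, which matches the situation where a login form posted from an ordinary page is not acted on unless the page itself forces the login.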