Prob. w/ secure pages & configuration update


    OneSrayCat - 2004-03-12

    Hello.  This is my first installation of PSA, and I am having problems with secure pages and the configuration update utility.  I mention both problems in case they are related, but the problem with secure pages is the most important to me. 

    I am running Apache/1.3.24 , mysql-3.23.38, PHP 4.3 with session support enabled.  Other web apps run fine under this installation.

    I have a partially functioning installation of PSA.  I can create users, profiles and modify the site structure through the admin screen.  I cannot access a secured page after logging in.  I created the database using the sql dump file. 

    I have created a secure page called "secureHome.php", which has the include statement at the top for the file "_restrict.php".  I have also created a structure entry called "secureHome", with a location entry "/secureHome.php" (without the quotes, the file is located at the site root).  I've created a Profile called secureHome, and included the secureHome page in it. Finally, I have created a user named "Grumpy", and have given him rights for both phpSecurityAdmin and secureHome.  I've made the required updates to the config.php file.

    Problem 1: When I log in to the system as "Grumpy", and I follow a link in the same browser to secureHome.php, I get the error message "You do not have access rights to this content".  If I browse to secureHome.php from a new browser without first logging in, I get the abbreviated log-in window, but then after logging in I get the same error message.

    Problem 2:  The configuration problem is easier to explain.  When I log in as "Grumpy", my configuration changes are not saved.  The refreshed screen contains the old values, there are no error messages, and the database remains unchanged.

    Any help with either of these problems would be appreciated, although, Problem #1 is the most important because it keeps the system from working for me.

    • Justin Koivisto

      Justin Koivisto - 2004-03-12

      Could you post all the session.* settings from the php.ini please? I am thinking that the session is not being pulled over correctly.

      Also, in _restrict.php, echo out the $_SERVER['REQUEST_URI'] and the $_SERVER['PHP_SELF'] in order to see what psa is looking up in the database as the structure entry. Add that just before the line:

      $PSA_OUTPUT=ob_get_contents();

      One of the values that are echoed should be in the "Structure" entry for the page. Beware of any spaces at the beginning or end of the structure entry as well.

      • OneSrayCat

        OneSrayCat - 2004-03-12

        Hi Justin, thanks for trying to help:

        Here are the session.* settings (stock out-of-the box as far as I know):

        [Session]
        ; Handler used to store/retrieve data.
        session.save_handler = files

        ; Argument passed to save_handler.  In the case of files, this is the path
        ; where data files are stored. Note: Windows users have to change this
        ; variable in order to use PHP's session functions.
        ; As of PHP 4.0.1, you can define the path as:
        ;     session.save_path = "N;/path"
        ; where N is an integer.  Instead of storing all the session files in
        ; /path, what this will do is use subdirectories N-levels deep, and
        ; store the session data in those directories.  This is useful if you
        ; or your OS have problems with lots of files in one directory, and is
        ; a more efficient layout for servers that handle lots of sessions.
        ; NOTE 1: PHP will not create this directory structure automatically.
        ;         You can use the script in the ext/session dir for that purpose.
        ; NOTE 2: See the section on garbage collection below if you choose to
        ;         use subdirectories for session storage
        session.save_path = C:\Apache\modules\php\temp

        ; Whether to use cookies.
        session.use_cookies = 1

        ; This option enables administrators to make their users invulnerable to
        ; attacks which involve passing session ids in URLs; defaults to 0.
        ; session.use_only_cookies = 1

        ; Name of the session (used as cookie name).
        session.name = PHPSESSID

        ; Initialize session on request startup.
        session.auto_start = 0

        ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
        session.cookie_lifetime = 0

        ; The path for which the cookie is valid.
        session.cookie_path = /

        ; The domain for which the cookie is valid.
        session.cookie_domain =

        ; Handler used to serialize data.  php is the standard serializer of PHP.
        session.serialize_handler = php

        ; Define the probability that the 'garbage collection' process is started
        ; on every session initialization.
        ; The probability is calculated by using gc_probability/gc_dividend,
        ; e.g. 1/100 means 1%.

        session.gc_probability = 1
        session.gc_dividend    = 100

        ; After this number of seconds, stored data will be seen as 'garbage' and
        ; cleaned up by the garbage collection process.
        ; WARNING: Your filesystem must store access times.  Windows FAT does
        ;          not.  So, see session_set_save_handler() and write your own
        ;          session handler with a different mechanism for cleaning up sessions.
        session.gc_maxlifetime = 1440

        ; NOTE: If you are using the subdirectory option for storing session files
        ;       (see session.save_path above), then garbage collection does *not*
        ;       happen automatically.  You will need to do your own garbage
        ;       collection through a shell script, cron entry, or some other method.
        ;       For example, the following script is the equivalent of
        ;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
        ;          cd /path/to/sessions; find -cmin +24 | xargs rm

        ; PHP 4.2 and less have an undocumented feature/bug that allows you
        ; to initialize a session variable in the global scope, albeit register_globals
        ; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
        ; You can disable the feature and the warning separately. At this time,
        ; the warning is only displayed, if bug_compat_42 is enabled.

        session.bug_compat_42 = 1
        session.bug_compat_warn = 1

        ; Check HTTP Referer to invalidate externally stored URLs containing ids.
        ; HTTP_REFERER has to contain this substring for the session to be
        ; considered as valid.
        session.referer_check =

        ; How many bytes to read from the file.
        session.entropy_length = 0

        ; Specified here to create the session id.
        session.entropy_file =

        ;session.entropy_length = 16

        ;session.entropy_file = /dev/urandom

        ; Set to {nocache,private,public,} to determine HTTP caching aspects
        ; or leave this empty to avoid sending anti-caching headers.
        session.cache_limiter = nocache

        ; Document expires after n minutes.
        session.cache_expire = 180

        ; trans sid support is disabled by default.
        ; Use of trans sid may risk your users security.
        ; Use this option with caution.
        ; - User may send URL contains active session ID
        ;   to other person via. email/irc/etc.
        ; - URL that contains active session ID may be stored
        ;   in publicly accessible computer.
        ; - User may access your site with the same session ID
        ;   always using URL stored in browser's history or bookmarks.
        session.use_trans_sid = 0

        Also, when I echo the server variables you asked for (in the location you asked for), I get nothing.

        I did some further checking along the lines of your suggestion.  The failure is occurring in the "rights checking" section:

            // should now be successfully logged in - check rights, display content
            // Below will display error & stop execution if user doesn't have rights.
            $PSA_test = FALSE;
            if (isset($_SERVER['REQUEST_URI']) && !$PSA_STOP_EXEC) {
                $PSA_test = $PSA_SYS->hasRights($_SERVER['PHP_SELF'], $_SERVER['REQUEST_URI']);
                // debug output added while troubleshooting; a FALSE result echoes as an empty string
                echo "_SERVER['REQUEST_URI'] @ location 1 = " . $_SERVER['REQUEST_URI'] . "<BR>";
                echo "_SERVER['PHP_SELF'] @ location 1 = " . $_SERVER['PHP_SELF'] . "<BR>";
                echo "PSA_test @ location 1 = " . $PSA_test . "<br>";
            }

        I get the following output:

        _SERVER['REQUEST_URI'] @ location 1 = /TheSalvationArmy/Development/secureHome.php
        _SERVER['PHP_SELF'] @ location 1 = /TheSalvationArmy/Development/secureHome.php
        PSA_test @ location 1 =
        You do not have access rights to this content

        I can't help but think this is just a stupid error somewhere, but I can't track it down.

        Thanks again for the help.

        Lenn.

        • Justin Koivisto

          Justin Koivisto - 2004-03-12

          trans-sid not enabled - should be:
          session.use_trans_sid = 1

          In the "Structure" part, you should have "/TheSalvationArmy/Development/secureHome.php" as the "Location" for the page. Judging by that URI, when you are ready to go live with the site, you'll need to change it back to "/secureHome.php"

    • OneSrayCat

      OneSrayCat - 2004-03-12

      Thanks 1E6.  I knew it would be something simple, but I had a conceptual block.

      I changed the URI on the development machine and that fixed it.  You are right, the production environment will be different.

      You've saved me a lot of work, thanks!
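The lookup that failed above comes down to comparing the request path against the Structure "Location" string, and the thread gives two ways it goes wrong: a deployment prefix in the URI that the stored location lacks, and stray whitespace in the stored entry. The snippet below is an added example written for this thread, not PSA's own code, and it is written for current PHP rather than the PHP 4.3 of 2004. It reproduces the matching with the exact REQUEST_URI/PHP_SELF values from the debug output, and, as an assumption that goes beyond Justin's fix of storing the full dev path, adds an optional base-path parameter so one Location entry can serve both the development subdirectory and the production root. The function names, the $structure array and the PSA_BASE-style prefix are all hypothetical.

```php
<?php
// Added example, not part of phpSecurityAdmin. It models the Structure lookup
// described in the thread: the request path must equal a stored "Location".

// Constructed sample of a Structure table: location => page name.
// The third entry deliberately carries a trailing space, the mistake the
// reply above warns about.
$structure = [
    '/secureHome.php'  => 'secureHome',
    '/admin/index.php' => 'phpSecurityAdmin',
    '/report.php '     => 'report',
];

/**
 * Normalise a path so it can be compared with a stored location:
 *  - drop the query string (REQUEST_URI carries it, PHP_SELF does not)
 *  - trim whitespace, since spaces in the Structure entry cause a silent mismatch
 *  - optionally strip a deployment prefix such as "/TheSalvationArmy/Development",
 *    but only on a path-segment boundary so "/TheSalvationArmyX/..." is left alone
 */
function psa_normalise_path(string $path, string $basePath = ''): string
{
    $path   = explode('?', $path, 2)[0];
    $path   = trim($path);
    $prefix = rtrim($basePath, '/');
    if ($prefix !== '' && ($path === $prefix || strpos($path, $prefix . '/') === 0)) {
        $path = substr($path, strlen($prefix));
    }
    return $path === '' ? '/' : $path;
}

/**
 * Resolve a request to a page name, trying REQUEST_URI first and PHP_SELF
 * second, with the same normalisation applied to the stored locations.
 * Returns null when nothing matches, so the caller denies by default.
 *
 * Caveat: PHP_SELF includes any PATH_INFO suffix the client appends
 * (/secureHome.php/anything), so a strict equality match is the right
 * choice here; a prefix or "contains" match would be bypassable.
 */
function psa_lookup_page(array $structure, string $requestUri, string $phpSelf, string $basePath = ''): ?string
{
    $candidates = [
        psa_normalise_path($requestUri, $basePath),
        psa_normalise_path($phpSelf, $basePath),
    ];
    foreach ($structure as $location => $page) {
        if (in_array(psa_normalise_path($location, $basePath), $candidates, true)) {
            return $page;
        }
    }
    return null;
}

// Values copied from the debug output posted in the thread.
$uri  = '/TheSalvationArmy/Development/secureHome.php';
$self = '/TheSalvationArmy/Development/secureHome.php';

// 1. As first configured: location "/secureHome.php", no prefix handling -> no match (NULL).
var_dump(psa_lookup_page($structure, $uri, $self));

// 2. Same Structure entry, with the dev-server prefix stripped -> "secureHome".
var_dump(psa_lookup_page($structure, $uri, $self, '/TheSalvationArmy/Development'));

// 3. Stored location with a trailing space, request with a query string -> "report".
var_dump(psa_lookup_page($structure, '/report.php?id=7', '/report.php'));

// 4. A PATH_INFO suffix must not match the protected page -> NULL.
var_dump(psa_lookup_page($structure, '/secureHome.php/extra', '/secureHome.php/extra'));
```

Run it with `php example.php`; cases 1 and 4 print NULL, case 2 prints string(10) "secureHome" and case 3 prints string(6) "report". The point for a deployment is that whatever string ends up in "Location" has to match the normalised request path exactly, and that an unmatched request should fall through to "no rights" rather than to an allow.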

