
Admin Authentication


jsx


This mod will enable a simple user authentication for admin access.

 

Step 1:

cd admin

mkdir permission

vi permission/securityFunctions.inc.php

-- Put this into that file:

-- Note the username (root) and password (password) are set here.

-- Note that the timeout period for inactivity is also set here - currently 30 minutes.

<?php
 // Admin login check. Call checkPermissions() at the top of every admin page,
 // or checkPermissions("index.php") from login.php to forward a fresh login.
 function checkPermissions($_nextPage=null)
 {
   $D=0;                 # debug output on/off
   $TIMEOUT=30*60;       # 30 minutes * 60 seconds = 1800 seconds

   $user = isset($_SESSION['user']) ? $_SESSION['user'] : null;
   $pass = isset($_SESSION['pass']) ? $_SESSION['pass'] : null;

   if ($user==="root" && $pass==="password")
   {
       if ($_SESSION['time'] < (time() - $TIMEOUT)) {
           if($D)print "checkPermissions:ENDofTIME<BR>\n";
           endSession();
           header("Location: login.php");
           exit; # never emit the protected page after a redirect
       } else {
           if($D)print "checkPermissions:OKAY<BR>\n";
           // let user in! refresh the inactivity timer
           $_SESSION['time'] = time(); # current time in seconds
           if($_nextPage){header("Location: $_nextPage"); exit;}
       }
   }
   else
   {
       if($D)print "checkPermissions:BAD_AUTH<BR>\n";
       if(!$_nextPage) {
         header("Location: login.php");
         exit;
       }
       // with $_nextPage set we are already on login.php, so just fall through to the form
   }
 }

 function endSession()
 {
   $_SESSION['user']=null;
   session_destroy();
 }
 function startSession()
 {
   global $SESSION_STARTED;
   if(isset($SESSION_STARTED) && $SESSION_STARTED)
   {
     return;
   }
   else
   {
     session_start();
     $SESSION_STARTED=1;
   }
 }
 startSession();

// no closing ?> tag on purpose: any blank line after it would be sent as output
// and break the header("Location: ...") redirects above

 

Step 2: create login.php file

vi login.php [still in the admin directory]

-- put this into the login.php file --

<?php

$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");

// Store submitted credentials in the session and (re)start the inactivity timer
if(isset($_POST["user"]) && $_POST["user"]!==""){$_SESSION['user']=$_POST["user"];$_SESSION['time']=time();}
if(isset($_POST["pass"]) && $_POST["pass"]!==""){$_SESSION['pass']=$_POST["pass"];$_SESSION['time']=time();}

if(isset($_SESSION['user']) && isset($_SESSION['pass']))
{
 checkPermissions("index.php"); // redirects to index.php when the credentials match
}

?>

<html>
<head>
</head>
<body>
<form action="<?php echo htmlspecialchars($PHP_SELF); ?>" method=POST>
<table align=center>
<tr><td>Login:</td><td><input type=text name=user></td></tr>
<tr><td>Password:</td><td><input type=password name=pass></td></tr>
<tr><td colspan=2 align=center><input type=submit name=btnsubmit value=Login></td></tr>
</table>
</form>
</body>
</html>

 

Step 3. Create logout.php file:

vi logout.php [still in the admin directory]

-- put this into the logout.php file --

<?php

$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");
endSession(); // clears the login and destroys the session

// After endSession() 'user' is null, so this never redirects; kept for symmetry with login.php
if(isset($_SESSION['user']) && isset($_SESSION['pass']))
{
 checkPermissions("index.php");
}

?>

<html>
<head>
</head>
<body>
<table align=center>
<tr><td><a href="login.php">Click Here To Log In</a></td></tr>
</table>
</body>
</html>

 

Step 4. Edit all PHP files in the admin directory

vi *.php [while in the admin directory still]

-- insert this code just after the php code begin "<?" line --

 @include("permission/securityFunctions.inc.php");
 checkPermissions();

 

Access your admin section and use your username/password...

 

Cheers.

 

-=-Mike


Thank you for the mod!

 

I installed it into my test site, but it seems to have one little bug..

If I click back and forth in the tools section I eventually get the login screen again. Other sections don't have this problem, only tools.

Same happens also if I start clicking from tools and continue to other sections.

 

And where is the logout supposed to show or is it? I can't see it anywhere.


1.

Thank you for the mod!

 

2.

I installed it into my test site, but it seems to have one little bug..

If I click back and forth in the tools section I eventually get the login screen again. Other sections don't have this problem, only tools.

Same happens also if I start clicking from tools and continue to other sections.

 

3.

And where is the logout supposed to show or is it? I can't see it anywhere.

 

1. Good to know someone finds it useful ;)

 

2. I'll have to try to 'break' it and find the repeatable or common reason...

If I'm correct in understanding you, you were not logged in, and were clicking around the tool pages of the admin section and then you became logged in? Or were you previously logged in and then out and clicking the back & forward buttons of the web browser?

 

3. In order to properly log out, you need to navigate to the logout page. I modified the template:

File: admin/includes/header.php

Notice the last item on this TD row is a link to the logout page.

    <td class="headerBarContent" align="right"><?php echo '<a href="http://www.oscommerce.com" class="headerLink">' . HEADER_TITLE_SUPPORT_SITE . '</a>  |  <a href="' . tep_catalog_href_link() . '" class="headerLink">' . HEADER_TITLE_ONLINE_CATALOG . '</a>  |  <a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_ADMINISTRATION . '</a>'; ?>  |  <a class="headerLink" href="logout.php">Logout</a>  </td>

 

I also edited the index.php file so that its header [which is different here than the rest of the admin section] will also have the logout option:

            <td align="right" class="text" nowrap><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . HEADER_TITLE_ADMINISTRATION . '</a>  |  <a href="' . tep_catalog_href_link() . '">' . HEADER_TITLE_ONLINE_CATALOG . '</a>  |  <a href="http://www.oscommerce.com" target="_blank">' . HEADER_TITLE_SUPPORT_SITE . '</a>'; ?>  |  <a href="logout.php">Logout</a>  </td>


In continuation of answering Question #2.

 

The "File Manager" page of the Admin->Tools logs out the user every time. Looking for the reason now...


Found the reason:

The "File Manager" uses a session variable called "user".

 

I've modified all my instances of $_SESSION["user"] to now be $_SESSION["auth_user"] and it works now.

 

Files to make this modification in:

- admin/login.php

- admin/logout.php

- admin/permission/securityFunctions.inc.php


I added 2 new features:

1] Stored password is now encrypted. So someone could gain access to read the text of the PHP file that holds the md5-encrypted version of your password, but it would do them no good.

In order to use this feature, you would have to run the file one time [after you install it, try to log in and see the message you get at the top of the web browser]

A) It shows your current password, and

B) your MD5 string that you need to copy and paste into the securityFunctions.php file -- just follow the instructions.

 

2] If you are trying to access a specific URL and have to log in first, then you currently would be sent to the index.php file. Now the code remembers where you were trying to go, and sends you to that page.

 

Code follows:

 

FILE: admin/permission/securityFunctions.inc.php

<?php
## Edit these to configure the login authentication parameters to the ADMIN section.
$AUTH_ADMIN_USER="root";
$AUTH_ADMIN_PASS="password";   ## replaced by its md5() string after the one-time run below
$AUTH_ADMIN_TIMEOUT=30*60; ## 30 minutes
$AUTH_LOGIN_URL="login.php";
$AUTH_CONTINUE_ACTION=1; ## 0/false/null/"" -> after login always go to the page passed to checkPermissions() [index.php from login.php]
                        ## all 'true' values -> after login, if a page was denied before login, go to that page instead


## run this one time, and then set $RUN_YET to 1
$RUN_YET=0;
if(!$RUN_YET)
{
 print "Your password is currently \"$AUTH_ADMIN_PASS\".<BR>\n";
 print "Your MD5 encrypted string is \"".md5($AUTH_ADMIN_PASS)."\"<BR>\n";
 print "Copy the string \"".md5($AUTH_ADMIN_PASS)."\" and put it into the variable \$AUTH_ADMIN_PASS in the file \"securityFunctions.inc.php\"<BR>\n";
 print "Then change the variable \$RUN_YET to be a 1 instead of a 0<BR>\n";
 exit;
}
## end of block



### FROB NO FURTHER - OR VENTURE AT OWN RISK ###


# the parameter _nextPage is the page that an authenticated user is sent to
# (login.php passes "index.php" to forward a fresh login).
# if it is null (not provided) an unauthenticated user is sent to $AUTH_LOGIN_URL
 function checkPermissions($_nextPage=null)
 {
   global $AUTH_ADMIN_USER;
   global $AUTH_ADMIN_PASS;
   global $AUTH_ADMIN_TIMEOUT;
   global $AUTH_LOGIN_URL;
   global $AUTH_CONTINUE_ACTION;
   $D=0; ## DEBUG OUTPUT ON/OFF [0/null/false-> no output]

   ## the denied page, appended to the login URL so login.php can POST it back as next_url
   $continue_url = "?".$_SERVER["PHP_SELF"];

   $auth_user = isset($_SESSION['auth_user']) ? $_SESSION['auth_user'] : null;
   $pass      = isset($_SESSION['pass'])      ? $_SESSION['pass']      : null;

   ## strict comparison: a loose == between two hex strings treats "0e..." values as equal numbers
   if ($auth_user===$AUTH_ADMIN_USER && $pass!==null && md5($pass)===$AUTH_ADMIN_PASS)
   {
       if ($_SESSION['time'] < (time() - $AUTH_ADMIN_TIMEOUT)) {
           if($D)print "checkPermissions:ENDofTIME<BR>\n";
           endSession();
           header("Location: $AUTH_LOGIN_URL$continue_url");
           exit; ## never emit the protected page after a redirect
       } else {
           if($D)print "checkPermissions:OKAY<BR>\n";
           // let user in! refresh the inactivity timer
           $_SESSION['time'] = time(); # current time in seconds
           if($_nextPage)
           {
             if($AUTH_CONTINUE_ACTION && !empty($_POST['next_url']))
               header("Location: ".$_POST['next_url']); ## NOTE: next_url comes from the client and is not validated here
             else
               header("Location: $_nextPage");
             exit;
           }
       }
   }
   else
   {
       ## the password is deliberately not echoed, even in debug mode
       if($D)print "checkPermissions:BAD_AUTH User[".$auth_user."] Time[".(isset($_SESSION['time'])?$_SESSION['time']:'')."]<BR>\n";
       if(!$_nextPage) {
         header("Location: $AUTH_LOGIN_URL$continue_url");
         exit;
       }
       ## There is no else here because the user was not authenticated, and
       ## the user is at the login page already
   }
 }

 function endSession()
 {
   $_SESSION['auth_user']=null;
   session_destroy();
 }
 function startSession()
 {
   global $SESSION_STARTED;
   if(isset($SESSION_STARTED) && $SESSION_STARTED)
   {
     return;
   }
   else
   {
     session_start();
     $SESSION_STARTED=1;
   }
 }
 startSession();

## no closing ?> tag on purpose: any blank line after it would be sent as output
## and break the header("Location: ...") redirects above

 

 

FILE: admin/login.php

<?php

$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");

// Store submitted credentials in the session and (re)start the inactivity timer
if(isset($_POST["user"]) && $_POST["user"]!==""){$_SESSION['auth_user']=$_POST["user"];$_SESSION['time']=time();}
if(isset($_POST["pass"]) && $_POST["pass"]!==""){$_SESSION['pass']=$_POST["pass"];$_SESSION['time']=time();}

if(isset($_SESSION['auth_user']) && isset($_SESSION['pass']))
{
 checkPermissions("index.php"); // redirects to index.php (or next_url) when the credentials match
}

?>

<html>
<head>
<title>Admin Login Page</title>
<script>
// Copies the part after "?" in the current URL (the denied page appended by
// checkPermissions) into the hidden next_url field.
function setNextUrl()
{
 var _url=document.location.toString();
 if(_url.indexOf("?")!=-1)
   document.form1.next_url.value=_url.split("?")[1];
}
</script>
</head>
<body onload="setNextUrl()">
<form name=form1 action="<?php echo htmlspecialchars($PHP_SELF); ?>" method=POST>
<input type=hidden name=next_url value="">
<table align=center>
<tr><td>Login:</td><td><input type=text name=user></td></tr>
<tr><td>Password:</td><td><input type=password name=pass></td></tr>
<tr><td colspan=2 align=center><input type=submit name=btnsubmit value=Login></td></tr>
</table>
</form>
</body>
</html>

 

 

FILE: admin/logout.php [did not change]

<?php

$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");
endSession(); // clears the login and destroys the session

// After endSession() 'auth_user' is null, so this never redirects; kept for symmetry with login.php
if(isset($_SESSION['auth_user']) && isset($_SESSION['pass']))
{
 checkPermissions("index.php");
}

?>

<html>
<head>
</head>
<body>
<table align=center>
<tr><td><a href="login.php">Click Here To Log In</a></td></tr>
</table>
</body>
</html>

 

Edit admin/index.php to add the logout link:

            <td align="right" class="text" nowrap><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . HEADER_TITLE_ADMINISTRATION . '</a>  |  <a href="' . tep_catalog_href_link() . '">' . HEADER_TITLE_ONLINE_CATALOG . '</a>  |  <a href="http://www.oscommerce.com" target="_blank">' . HEADER_TITLE_SUPPORT_SITE . '</a>'; ?>  |  <a href="logout.php">Logout</a>  </td>

 

 

Edit admin/includes/header.php to add the logout link:

    <td class="headerBarContent" align="right"><?php echo '<a href="http://www.oscommerce.com" class="headerLink">' . HEADER_TITLE_SUPPORT_SITE . '</a>  |  <a href="' . tep_catalog_href_link() . '" class="headerLink">' . HEADER_TITLE_ONLINE_CATALOG . '</a>  |  <a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_ADMINISTRATION . '</a>'; ?>  |  <a class="headerLink" href="logout.php">Logout</a>  </td>
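The following is an added example, not jsx's code: a hardened rework of the checkPermissions()/login.php flow posted above. It assumes PHP 7.1+, and the names AUTH_ADMIN_PASS_HASH (the output of password_hash(), generated once from the CLI instead of the $RUN_YET block), attemptLogin() (what login.php would call with the POSTed fields) and safeNextUrl() are all assumed. It differs from the posted mod in that the session holds only a login flag (never the password), the "auth_" prefix keeps the keys clear of the File Manager's "user" variable found earlier in this thread, every redirect is followed by exit, and the client-supplied next_url is restricted to a local admin page.

```php
<?php
// Added example, not jsx's code: a hardened variant of the checkPermissions()/
// login.php flow posted above. Assumes PHP 7.1+ and these assumed names:
// AUTH_ADMIN_PASS_HASH holds the output of password_hash() (generated once
// from the CLI, see the bottom), attemptLogin() is what login.php calls with
// the POSTed fields, and the session keys are prefixed "auth_" so the File
// Manager's own "user" key (the bug found in this thread) cannot collide.

const AUTH_ADMIN_USER      = 'root';
const AUTH_ADMIN_PASS_HASH = '$2y$10$REPLACE_WITH_password_hash_OUTPUT';  // placeholder
const AUTH_ADMIN_TIMEOUT   = 30 * 60;      // 30 minutes * 60 seconds
const AUTH_LOGIN_URL       = 'login.php';

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// The posted mod redirects to whatever the client put in next_url. Accept only
// a bare admin script name with an optional query string, e.g. "orders.php?page=2";
// anything with a scheme, host, slash or ".." falls back to the default page.
function safeNextUrl(?string $candidate, string $default = 'index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    if (preg_match('#^[A-Za-z0-9_\-]+\.php(\?[A-Za-z0-9_\-=&%.]*)?$#', $candidate) !== 1) {
        return $default;
    }
    return $candidate;
}

function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;   // without exit the protected page body would still be sent after the header
}

// Called from login.php with the submitted user name and password.
function attemptLogin(string $user, string $pass): bool
{
    startSession();
    $userOk = hash_equals(AUTH_ADMIN_USER, $user);          // constant-time compare
    $passOk = password_verify($pass, AUTH_ADMIN_PASS_HASH); // salted hash, not md5
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);        // a new id on login defeats session fixation
    $_SESSION['auth_ok']   = true;      // only a flag is stored, never the password
    $_SESSION['auth_time'] = time();
    return true;
}

// Drop-in for the thread's checkPermissions(): include at the top of every admin page.
function checkPermissions(): void
{
    startSession();
    $continue = '?' . basename($_SERVER['PHP_SELF']);   // page to return to after login
    if (empty($_SESSION['auth_ok'])) {
        redirect(AUTH_LOGIN_URL . $continue);
    }
    if ($_SESSION['auth_time'] < time() - AUTH_ADMIN_TIMEOUT) {
        session_unset();
        session_destroy();
        redirect(AUTH_LOGIN_URL . $continue);
    }
    $_SESSION['auth_time'] = time();    // sliding 30-minute inactivity window
}

// One-time hash generation, replacing the thread's $RUN_YET block:
//   php -r 'echo password_hash("password", PASSWORD_DEFAULT), PHP_EOL;'
// In login.php: if (attemptLogin($_POST['user'] ?? '', $_POST['pass'] ?? ''))
//                   redirect(safeNextUrl($_POST['next_url'] ?? null));
```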


Hello,

 

Thank you for your postings on this topic. I keep getting an error at the top of each admin page.

 

Warning: Cannot modify header information - headers already sent by (output started at /admin/permission/securityFunctions.inc.php:3) in /admin/permission/securityFunctions.inc.php on line 73

 

Any ideas on what I may be doing wrong?

 

Thanks - Adam


The Location() code must run before any other HTTP traffic/output is sent.

 

If you have a blank space/line before the Location() code runs you will get this error.


Warning: Cannot modify header information - headers already sent by (output started at /admin/permission/securityFunctions.inc.php:3) in /admin/permission/securityFunctions.inc.php on line 73
tells you that there is a blank line or other HTML at the beginning of /admin/permission/securityFunctions.inc.php

 

The Location header is created by tep_redirect automatically.

 

Hth,

Matt

Always back up before making changes.
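As an added example that is not from the thread, the following CLI script finds the cause of the "headers already sent" warnings quoted above: it reports any .php file that emits bytes before its first "<?" (a UTF-8 BOM, blank lines, or whitespace and line-ending artefacts from an editor or FTP transfer) or after its last "?>". The file name check_headers.php and the invocation are assumptions; pure-PHP includes such as securityFunctions.inc.php should report nothing, while templates like login.php legitimately print HTML after "?>" and will be listed.

```php
<?php
// Added example, not from the thread: a CLI check for the "headers already
// sent" warnings quoted above. It reports any .php file that emits bytes before
// its first "<?" (a UTF-8 BOM, blank lines, or whitespace left by an editor or
// an FTP transfer-mode mismatch) or after its last "?>". Assumed usage:
//   php check_headers.php admin/
// Pure-PHP includes such as securityFunctions.inc.php must report nothing;
// templates like login.php legitimately print HTML after "?>" and will be listed.

function findLeadingOutput(string $src): ?string
{
    if (strncmp($src, "\xEF\xBB\xBF", 3) === 0) {
        return 'UTF-8 BOM before <?';
    }
    $pos = strpos($src, '<?');
    if ($pos === false) {
        return 'no PHP open tag (whole file is output)';
    }
    if ($pos > 0) {
        return sprintf('%d byte(s) of output before <?', $pos);
    }
    return null;
}

function findTrailingOutput(string $src): ?string
{
    $end = strrpos($src, '?>');
    if ($end === false) {
        return null;                 // no closing tag: nothing can trail it (the safe style)
    }
    $tail = substr($src, $end + 2);
    // PHP swallows exactly one newline directly after "?>"; anything else is output.
    $tail = preg_replace('/^\r?\n/', '', $tail, 1);
    if ($tail !== '') {
        return sprintf('%d byte(s) of output after ?>', strlen($tail));
    }
    return null;
}

// Returns the list of problems found in one file's source (empty when it is clean).
function checkSource(string $src): array
{
    return array_values(array_filter([findLeadingOutput($src), findTrailingOutput($src)]));
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($argv[1]));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            foreach (checkSource(file_get_contents($file->getPathname())) as $problem) {
                echo $file->getPathname(), ': ', $problem, PHP_EOL;
            }
        }
    }
}
```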


That also is an error I have seen many times with another script. Check your sessions in your php.ini. Make sure the directory is there and read/writable and make sure you have restarted our server if you have to change it.

 

Nice mod btw. Currently using it.

Semper Fi


Getting this error upon installation of your script, where do I look to fix?

 

Fatal error: Call to undefined function: checkpermissions() in /home/httpd/vhosts/txtreasures.com/httpdocs/Treasures/admin/index.php on line 3


Getting this error upon installation of your script, where do I look to fix?

 

Fatal error: Call to undefined function: checkpermissions() in /home/httpd/vhosts/txtreasures.com/httpdocs/Treasures/admin/index.php on line 3

Did you create the directory "permission" under the admin directory?

 

In this "permission" directory, did you have the file "securityFunctions.inc.php"?

 

Are the permissions of the directory and the file set so the web browser process [userid] can access the files? [chmod 755 file]

 

 

It appears from your error that you are calling a function "checkpermissions()" which is not defined.

Did you have the include statement?

@include("permission/securityFunctions.inc.php");


Yes, created the dir called permission and gave it 755. created the securityFunction.inc.php file and pasted in your info, changing the login and such, ran that file from a browser and pasted the md5 hash into the pw fields.

 

Added this per your directions at the start of this thread:

 

<?php
@include("permission/securityFunctions.inc.php");
checkPermissions();

 

copied and pasted all your code into the appropriate files and uploaded them so that the permissions and such would be set properly.

 

what should the permissions on login.php and logout.php be?

 

Thanks for getting back on this.


<?php
@include("permission/securityFunctions.inc.php");
checkPermissions();

The error you are getting means that the include statement is not doing what we want it to do.

 

In PHP, the @ [at sign] suppresses outputs, specifically in our case error messages.

 

If you change the code by removing the "@", you will be able to see the exact error message that the include call returns.

include("permission/securityFunctions.inc.php");

 

Please do this and see what the error statement is that the include() call returns when you run it after making this code-update.

 

File permissions should be "chmod 755".


Ok, figured out the problem with the errors.. typo on my part, called securityFunctions.inc.php >>> securityFunction.inc.php (had dropped the "s")

 

Ok, now my problem is I keep getting the security page. by that I mean the output from securityFunctions.inc.php, doesn't matter if I call /admin/index.php or login.php.. I get the hash page..

 

Where am I going wrong..?

 

Just a couple of quick notes:

 

1) running php 4.3.8

2) in php.ini globals are off.


I have followed all the changes and recommendations, now getting this error:

Parse error: parse error in /var/www/html/catalog/admin/permission/securityFunctions.inc.php on line 15

 

Please help, and thanks in advance.

Mark057


hey guys,

 

From the looks of things this appears to be an awesome mod, and the installation instructions have been great. I am experiencing slight problems, however. I copied the second version of the code provided (with the encrypted password), created the necessary files, added the logout code segments to the index and header files, etc. When I go to admin/index.php though, I get the following error:

 

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php:2) in /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php on line 93

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php:2) in /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php on line 93

Warning: Cannot modify header information - headers already sent by (output started at /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php:2) in /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php on line 72

 

the admin tools all still show up, but these errors are on the top of the page. When I take the code segment

include("permission/securityFunctions.inc.php");
checkPermissions();

out of admin/index.php, the errors go away. The only thing I can think of is that I'm messing up where this should go? The way my index.php file looks in my text editor is as follows:

 

<?php
include("permission/securityFunctions.inc.php");
checkPermissions();
/*
 $Id: index.php,v 1.19 2003/06/27 09:38:31 dgw_ Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/


 require('includes/application_top.php');

 $cat = ...

 

any ideas?


I started from scratch, and made all the changes from the beginning. It works; :) but now my screens are preceded with a dozen "n's" on both the index and the file_manager pages! :( Is there a missing close TD or something? Please let me know. I can work with it like this; but it is annoying. :angry:

Mark057


I have followed all the changes and recommendations, now getting this error:

Parse error: parse error in /var/www/html/catalog/admin/permission/securityFunctions.inc.php on line 15

 

Please help, and thanks in advance.

 

Yet another error! :angry: How can anyone get this to work?

 

Parse error: parse error, expecting `','' or `';'' in /var/www/html/catalog/admin/orders.php on line 371

 

Can ANYONE get back with me?

Mark057


Yet another error! :angry: How can anyone get this to work?

 

Parse error: parse error, expecting `','' or `';'' in /var/www/html/catalog/admin/orders.php on line 371

 

Can ANYONE get back with me?

 

NEVER MIND! :thumbsup:

 

The answer was found in another Forum, about having to upload the files in Binary mode - even though they are ASCII files. I still have issues; but will continue to work on them through the other Forums. Hope this information helps others who forget about those nasty invisible line feeds! :o

Mark057
