jsx Posted July 4, 2004

This mod will enable a simple user authentication for admin access.

Step 1:

```
cd admin
mkdir permission
vi permission/securityFunctions.inc.php
```

-- Put this into that file:
-- Note the Username: root and Password: password is set here
-- Note that the timeout period for inactivity is set here - currently to 30 minutes.

```php
<?php
# $_nextPage is where an authenticated user is sent (login.php passes index.php).
# Without it, an unauthenticated user is redirected to login.php.
function checkPermissions($_nextPage=null)
{
  $D=0;            # debug output on/off
  $TIMEOUT=30*60;  # 30 minutes * 60 seconds
  if ($_SESSION['user']=="root" && $_SESSION['pass']=="password")
  {
    if ($_SESSION['time'] < (time() - $TIMEOUT))
    {
      if($D)print "checkPermissions:ENDofTIME<BR>\n";
      endSession();
      header("Location: login.php");
      exit; # stop here so the protected page is not rendered
    }
    else
    {
      if($D)print "checkPermissions:OKAY<BR>\n";
      // let user in!
      $_SESSION['time'] = time(); # current time in seconds
      if($_nextPage){header("Location: $_nextPage"); exit;}
    }
  }
  else
  {
    if($D)print "checkPermissions:BAD_AUTH<BR>\n";
    if(!$_nextPage){header("Location: login.php"); exit;}
  }
}

function endSession()
{
  $_SESSION['user']=null;
  session_destroy();
}

function startSession()
{
  global $SESSION_STARTED;
  if(isset($SESSION_STARTED) && $SESSION_STARTED)
  {
    return;
  }
  else
  {
    session_start();
    $SESSION_STARTED=1;
  }
}

startSession();
?>
```

Step 2: create login.php file

```
vi login.php   [still in the admin directory]
```

-- put this into the login.php file --

```php
<?php
$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");
if($_POST["user"]){$_SESSION['user']=$_POST["user"];$_SESSION['time']=time();}
if($_POST["pass"]){$_SESSION['pass']=$_POST["pass"];$_SESSION['time']=time();}
if(isset($_SESSION['user']) && isset($_SESSION['pass']))
{
  checkPermissions("index.php");
}
?>
<html>
<head>
</head>
<body>
<form action="<?=htmlspecialchars($PHP_SELF);?>" method=POST>
<table align=center>
<tr><td>Login:</td><td><input type=text name=user></td></tr>
<tr><td>Password:</td><td><input type=password name=pass></td></tr>
<tr><td colspan=2 align=center><input type=submit name=btnsubmit value=Login></td></tr>
</table>
</form>
</body>
</html>
```

Step 3. Create logout.php file:

```
vi logout.php   [still in the admin directory]
```

-- put this into the logout.php file --

```php
<?php
$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");
endSession();
if(isset($_SESSION['user']) && isset($_SESSION['pass']))
{
  checkPermissions("index.php");
}
?>
<html>
<head>
</head>
<body>
<table align=center>
<tr><td><a href="login.php">Click Here To Log In</a></td></tr>
</table>
</body>
</html>
```

Step 4. edit all php files in admin directory

```
vi *.php   [while in the admin directory still]
```

-- insert this code just after the php code begin "<?" line --

```php
@include("permission/securityFunctions.inc.php");
checkPermissions();
```

Access your admin section and use your username/password...

Cheers.
-=-Mike

mikkomu Posted July 6, 2004

Thank you for the mod!

I installed it into my test site, but it seems to have one little bug.. If I click back and forth in the tools section I eventually get the login screen again. Other sections don't have this problem, only tools. Same happens also if I start clicking from tools and continue to other sections.

And where is the logout supposed to show or is it? I can't see it anywhere.

jsx Posted July 6, 2004 (Author)

> 1. Thank you for the mod!
> 2. I installed it into my test site, but it seems to have one little bug.. If I click back and forth in the tools section I eventually get the login screen again. Other sections don't have this problem, only tools. Same happens also if I start clicking from tools and continue to other sections.
> 3. And where is the logout supposed to show or is it? I can't see it anywhere.

1. Good to know someone finds it useful ;)
2. I'll have to try to 'break' it and find the repeatable or common reason... If I'm correct in understanding you, you were not logged in, and were clicking around the tool pages of the admin section and then you became logged in? Or were you previously logged in and then out and clicking the back & forward buttons of the web browser?
3. In order to properly log out, you need to navigate to the logout page. I modified the template:

File: admin/includes/header.php
Notice the last item on this TD row is a link to the logout page.

```php
<td class="headerBarContent" align="right"><?php echo
  '<a href="http://www.oscommerce.com" class="headerLink">' . HEADER_TITLE_SUPPORT_SITE . '</a> | ' .
  '<a href="' . tep_catalog_href_link() . '" class="headerLink">' . HEADER_TITLE_ONLINE_CATALOG . '</a> | ' .
  '<a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_ADMINISTRATION . '</a>';
?> | <a class="headerLink" href="logout.php">Logout</a> </td>
```

I also edited the index.php file so that its header [which is different here than the rest of the admin section] will also have the logout option:

```php
<td align="right" class="text" nowrap><?php echo
  '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . HEADER_TITLE_ADMINISTRATION . '</a> | ' .
  '<a href="' . tep_catalog_href_link() . '">' . HEADER_TITLE_ONLINE_CATALOG . '</a> | ' .
  '<a href="http://www.oscommerce.com" target="_blank">' . HEADER_TITLE_SUPPORT_SITE . '</a>';
?> | <a href="logout.php">Logout</a> </td>
```

jsx Posted July 6, 2004 (Author)

In continuation of answering Question #2. The "File Manager" page of the Admin->Tools logs out the user every time. Looking for reason now...

jsx Posted July 6, 2004 (Author)

Found the reason: The "File Manager" uses a session variable called "user". I've modified all my instances of $_SESSION["user"] to now be $_SESSION["auth_user"] and it works now.

Files to make this modification in:
- admin/login.php
- admin/logout.php
- admin/permission/securityFunctions.inc.php

jsx Posted July 6, 2004 (Author)

I added 2 new features:

1] Stored password is now encrypted. So someone could gain access to read the text of the PHP file that holds the md5-encrypted version of your password, but it would do them no good. In order to use this feature, you would have to run the file one time [after you install it, try to log in and see the message you get at the top of the web browser] A) It shows your current password, and B) your MD5 string that you need to copy and paste into the securityFunctions.php file -- just follow the instructions.

2] If you are trying to access a specific URL and have to log in first, then you currently would be sent to the index.php file. Now the code remembers where you were trying to go, and sends you to that page.

Code follows:

FILE: admin/permission/securityFunctions.inc.php

```php
<?php
## Edit these to configure the login authentication parameters to the ADMIN section.
$AUTH_ADMIN_USER="root";
$AUTH_ADMIN_PASS="password";
$AUTH_ADMIN_TIMEOUT=30*60; ## 30 minutes
$AUTH_LOGIN_URL="login.php";
$AUTH_CONTINUE_ACTION=1; ## [0/false/null/"" -> failed authentication goes to login then to $AUTH_LOGIN_URL]
                         ## all 'true' values -> after login if there was a previous page denied before login, go to that page

## run this one time, and then set $RUN_YET to 1
$RUN_YET=0;
if(!$RUN_YET)
{
  print "Your password is currently \"$AUTH_ADMIN_PASS\".<BR>\n";
  print "Your MD5 encrypted string is \"".md5($AUTH_ADMIN_PASS)."\"<BR>\n";
  print "Copy the string \"".md5($AUTH_ADMIN_PASS)."\" and put it into the variable \$AUTH_ADMIN_PASS in the file \"securityFunctions.inc.php\"<BR>\n";
  print "Then change the variable \$RUN_YET to be a 1 instead of a 0<BR>\n";
  exit;
}
## end of block

### FROB NO FURTHER - OR VENTURE AT OWN RISK ###

# the parameter _nextPage is the page that the user is sent to if
# the user is not allowed to view this page.
# if it is null (not provided) the user is sent to the login.php page
function checkPermissions($_nextPage=null)
{
  global $AUTH_ADMIN_USER;
  global $AUTH_ADMIN_PASS;
  global $AUTH_ADMIN_TIMEOUT;
  global $AUTH_LOGIN_URL;
  global $AUTH_CONTINUE_ACTION;
  $D=0; ## DEBUG OUTPUT ON/OFF [0/null/false-> no output]
  $continue_url="";
  $continue_url = "?".$_SERVER["PHP_SELF"];
  if ($_SESSION['auth_user']==$AUTH_ADMIN_USER && md5($_SESSION['pass'])==$AUTH_ADMIN_PASS)
  {
    if ($_SESSION['time'] < (time() - $AUTH_ADMIN_TIMEOUT))
    {
      if($D)print "checkPermissions:ENDofTIME<BR>\n";
      endSession();
      header("Location: $AUTH_LOGIN_URL$continue_url");
      exit; ## stop here so the protected page is not rendered
    }
    else
    {
      if($D)print "checkPermissions:OKAY<BR>\n";
      // let user in!
      $_SESSION['time'] = time(); # current time in seconds
      if($_nextPage)
      {
        ## $_POST['next_url'] is filled in by login.php [if it exists]
        if($AUTH_CONTINUE_ACTION && $_POST['next_url'])
          header("Location: ".$_POST['next_url']);
        else
          header("Location: $_nextPage");
        exit;
      }
    }
  }
  else
  {
    if($D)print "checkPermissions:BAD_AUTH User[".$_SESSION['auth_user']."] Pass[".$_SESSION['pass']."] Time[".$_SESSION['time']."]<BR>\n";
    if(!$_nextPage){header("Location: $AUTH_LOGIN_URL$continue_url"); exit;}
    ## There is no else here because the user was not authenticated, and
    ## the user is at the login page already
  }
}

function endSession()
{
  $_SESSION['auth_user']=null;
  session_destroy();
}

function startSession()
{
  global $SESSION_STARTED;
  if(isset($SESSION_STARTED) && $SESSION_STARTED)
  {
    return;
  }
  else
  {
    session_start();
    $SESSION_STARTED=1;
  }
}

startSession();
?>
```

FILE: admin/login.php

```php
<?php
$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");
if($_POST["user"]){$_SESSION['auth_user']=$_POST["user"];$_SESSION['time']=time();}
if($_POST["pass"]){$_SESSION['pass']=$_POST["pass"];$_SESSION['time']=time();}
if(isset($_SESSION['auth_user']) && isset($_SESSION['pass']))
{
  checkPermissions("index.php");
}
?>
<html>
<head>
<title>Admin Login Page</title>
<script>
function setNextUrl()
{
  var _url=document.location.toString();
  if(_url.indexOf("?")!=-1)
    document.form1.next_url.value=_url.split("?")[1];
}
</script>
</head>
<body onload="setNextUrl()">
<form name=form1 action="<?=htmlspecialchars($PHP_SELF);?>" method=POST>
<input type=hidden name=next_url value="">
<table align=center>
<tr><td>Login:</td><td><input type=text name=user></td></tr>
<tr><td>Password:</td><td><input type=password name=pass></td></tr>
<tr><td colspan=2 align=center><input type=submit name=btnsubmit value=Login></td></tr>
</table>
</form>
</body>
</html>
```

FILE: admin/logout.php [did not change]

```php
<?php
$PHP_SELF=$_SERVER["PHP_SELF"];
@include("permission/securityFunctions.inc.php");
endSession();
if(isset($_SESSION['auth_user']) && isset($_SESSION['pass']))
{
  checkPermissions("index.php");
}
?>
<html>
<head>
</head>
<body>
<table align=center>
<tr><td><a href="login.php">Click Here To Log In</a></td></tr>
</table>
</body>
</html>
```

Edit admin/index.php to add the logout link:

```php
<td align="right" class="text" nowrap><?php echo
  '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . HEADER_TITLE_ADMINISTRATION . '</a> | ' .
  '<a href="' . tep_catalog_href_link() . '">' . HEADER_TITLE_ONLINE_CATALOG . '</a> | ' .
  '<a href="http://www.oscommerce.com" target="_blank">' . HEADER_TITLE_SUPPORT_SITE . '</a>';
?> | <a href="logout.php">Logout</a> </td>
```

Edit admin/includes/header.php to add the logout link:

```php
<td class="headerBarContent" align="right"><?php echo
  '<a href="http://www.oscommerce.com" class="headerLink">' . HEADER_TITLE_SUPPORT_SITE . '</a> | ' .
  '<a href="' . tep_catalog_href_link() . '" class="headerLink">' . HEADER_TITLE_ONLINE_CATALOG . '</a> | ' .
  '<a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_ADMINISTRATION . '</a>';
?> | <a class="headerLink" href="logout.php">Logout</a> </td>
```

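A hardened variant of the check above, as an added example that is not jsx's code. It assumes PHP 5.6 or later, swaps the MD5 comparison for password_hash()/password_verify(), keeps a login flag rather than the password in the session, and follows next_url only when it is a local path. The names authLogin, authRequire, safeNextUrl and the AUTH_* constants are hypothetical.

```php
<?php
// Added example, not part of the original mod. Assumes PHP >= 5.6.
// AUTH_PASS_HASH is a placeholder; generate the real value once with:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), "\n";'
define('AUTH_USER', 'root');
define('AUTH_PASS_HASH', 'PASTE-OUTPUT-OF-password_hash-HERE');
define('AUTH_TIMEOUT', 30 * 60);        // idle timeout in seconds
define('AUTH_LOGIN_URL', 'login.php');

// Accept only a local absolute path such as /admin/orders.php, so the
// post-login redirect cannot be pointed at another host.
function safeNextUrl($candidate, $fallback = 'index.php')
{
    if (is_string($candidate)
        && preg_match('#^/(?!/)[A-Za-z0-9_./-]*\z#', $candidate)) {
        return $candidate;
    }
    return $fallback;
}

// login.php calls this with the posted user, pass and next_url fields.
// Returns false on bad credentials so the caller can show the form again.
function authLogin($user, $pass, $nextUrl)
{
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Evaluate both checks so the response does not show which one failed.
    $userOk = hash_equals(AUTH_USER, $user);
    $passOk = password_verify($pass, AUTH_PASS_HASH);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);        // fresh session ID after login
    $_SESSION['auth_ok']   = true;      // the password itself is not stored
    $_SESSION['auth_time'] = time();
    header('Location: ' . safeNextUrl($nextUrl));
    exit;
}

// Every admin page calls this first, before any output is sent.
function authRequire()
{
    $fresh = !empty($_SESSION['auth_ok'])
        && isset($_SESSION['auth_time'])
        && $_SESSION['auth_time'] >= time() - AUTH_TIMEOUT;
    if ($fresh) {
        $_SESSION['auth_time'] = time(); // sliding idle timeout
        return;
    }
    $_SESSION = array();
    session_destroy();
    // SCRIPT_NAME, unlike PHP_SELF, carries no client-supplied path info.
    header('Location: ' . AUTH_LOGIN_URL . '?' . $_SERVER['SCRIPT_NAME']);
    exit;                                // never fall through to the page
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
```

Because authRequire() exits after the redirect header, a page that includes it stops rendering even when the header itself cannot be sent.
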
adam70701 Posted August 5, 2004

Hello, Thank you for your postings on this topic. I keep getting an error at the top of each admin page.

Warning: Cannot modify header information - headers already sent by (output started at /admin/permission/securityFunctions.inc.php:3) in /admin/permission/securityFunctions.inc.php on line 73

Any ideas on what I may be doing wrong?

Thanks - Adam

jsx Posted August 5, 2004 (Author)

The Location() code must run before any other HTTP traffic/output is sent. If you have a blank space/line before the Location() code runs you will get this error.

adam70701 Posted August 5, 2004

Thank you for your response - If it weren't for your detailed instructions I would be in way over my head. Where can I find the Location() code in the files?

♥ecartz Posted August 5, 2004

> Warning: Cannot modify header information - headers already sent by (output started at /admin/permission/securityFunctions.inc.php:3) in /admin/permission/securityFunctions.inc.php on line 73

tells you that there is a blank line or other HTML at the beginning of /admin/permission/securityFunctions.inc.php

The Location header is created by tep_redirect automatically.

Hth,
Matt

Always back up before making changes.

flyingwolf Posted August 8, 2004

That also is an error I have seen many times with another script. Check your sessions in your php.ini. Make sure the directory is there and read/writable and make sure you have restarted your server if you have to change it.

Nice mod btw. Currently using it.

Semper Fi

Guest Posted September 15, 2004

Getting this error upon installation of your script, where do I look to fix?

Fatal error: Call to undefined function: checkpermissions() in /home/httpd/vhosts/txtreasures.com/httpdocs/Treasures/admin/index.php on line 3

jsx Posted September 15, 2004 (Author)

> Getting this error upon installation of your script, where do I look to fix?
>
> Fatal error: Call to undefined function: checkpermissions() in /home/httpd/vhosts/txtreasures.com/httpdocs/Treasures/admin/index.php on line 3

Did you create the directory "permission" under the admin directory? In this "permission" directory, did you have the file "securityFunctions.inc.php"? Are the permissions of the directory and the file set so the web browser process [userid] can access the files? [chmod 755 file]

It appears from your error that you are calling a function "checkpermissions()" which is not defined. Did you have the include statement?

```php
@include("permission/securityFunctions.inc.php");
```

jsx Posted September 15, 2004 (Author)

> Nice mod btw. Currently using it.

Cool - glad to hear that it works for others! :)

Guest Posted September 16, 2004

Yes, created the dir called permission and gave it 755. created the securityFunction.inc.php file and pasted in your info, changing the login and such, ran that file from a browser and pasted the md5 hash into the pw fields.

Added this per your directions at the start of this thread:

```php
<?php
@include("permission/securityFunctions.inc.php");
checkPermissions();
```

copied and pasted all your code into the appropriate files and uploaded them so that the permissions and such would be set properly.

what should the permissions on login.php and logout.php be?

Thanks for getting back on this.

jsx Posted September 16, 2004 (Author)

> <?php @include("permission/securityFunctions.inc.php"); checkPermissions();

The error you are getting means that the include statement is not doing what we want it to do. In PHP, the @ [at sign] suppresses outputs, specifically in our case error messages. If you change the code by removing the "@", you will be able to see the exact error message that the include call returns.

```php
include("permission/securityFunctions.inc.php");
```

Please do this and see what the error statement is that the include() call returns when you run it after making this code-update.

File permissions should be "chmod 755".

Guest Posted September 20, 2004

Ok, figured out the problem with the errors.. typo on my part, called securityFunctions.inc.php >>> securityFunction.inc.php (had dropped the "s")

Ok, now my problem is I keep getting the security page. by that I mean the output from securityFunctions.inc.php, doesn't matter if I call /admin/index.php or login.php.. I get the hash page.. Where am I going wrong..?

Just a couple of quick notes:
1) running php 4.3.8
2) in php.ini globals are off.

Guest Posted October 6, 2004

Would anyone be willing to turn this into a contribution with easy to follow instructions?

mark057 Posted March 8, 2005

I have followed all the changes and recommendations, now getting this error:

Parse error: parse error in /var/www/html/catalog/admin/permission/securityFunctions.inc.php on line 15

Please help, and thanks in advance.

Mark057

Mets Posted March 12, 2005

hey guys,

From the looks of things this appears to be an awesome mod, and the installation instructions have been great. I am experiencing slight problems, however. I copied the second version of the code provided (with the encrypted password), created the necessary files, added the logout code segments to the index and header files, etc. When I go to admin/index.php though, I get the following error:

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php:2) in /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php on line 93

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php:2) in /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php on line 93

Warning: Cannot modify header information - headers already sent by (output started at /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php:2) in /home/mets/public_html/catalog/admin/permission/securityFunctions.inc.php on line 72

the admin tools all still show up, but these errors are on the top of the page. When I take the code segment

```php
include("permission/securityFunctions.inc.php");
checkPermissions();
```

out of admin/index.php, the errors go away. The only thing I can think of is that I'm messing up where this should go? The way my index.php file looks in my text editor is as follows:

```php
<?php
include("permission/securityFunctions.inc.php");
checkPermissions();
/*
  $Id: index.php,v 1.19 2003/06/27 09:38:31 dgw_ Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

require('includes/application_top.php');

$cat = ...
```

any ideas?

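The "headers already sent (output started at ...securityFunctions.inc.php:2)" warnings mean the include file emitted bytes before session_start() and header() ran. When that happens header() only raises a warning and returns, so a check that does not stop the script afterwards lets the protected page render. An added example, not from the thread, that scans include files for the usual causes; findStrayOutput and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the thread. Lists reasons a PHP source file
// would send output before header() or session_start() can run.
function findStrayOutput($source)
{
    $problems = array();
    if (strncmp($source, "\xEF\xBB\xBF", 3) === 0) {
        $problems[] = 'UTF-8 byte order mark before the opening tag';
        $source = substr($source, 3);
    }
    $open = strpos($source, '<?');
    if ($open === false) {
        $problems[] = 'no opening tag: the whole file is sent as output';
        return $problems;
    }
    if ($open > 0) {
        $problems[] = $open . ' byte(s) of output before the opening tag';
    }
    // PHP swallows one newline directly after the closing tag; any further
    // whitespace at the end of an include file is sent to the browser.
    $close = strrpos($source, '?>');
    if ($close !== false) {
        $tail = preg_replace('/^\r?\n/', '', substr($source, $close + 2));
        if ($tail !== '' && trim($tail) === '') {
            $problems[] = strlen($tail) . ' byte(s) of whitespace after the closing tag';
        }
    }
    return $problems;
}

// Constructed samples standing in for securityFunctions.inc.php.
$samples = array(
    'blank-first-line.inc.php' => "\n<?php\nfunction f() {}\n?>",
    'clean.inc.php'            => "<?php\nfunction f() {}\n?>\n",
    'trailing-space.inc.php'   => "<?php\nfunction f() {}\n?>\n  \n",
);
// Paths given on the command line replace the samples.
if (PHP_SAPI === 'cli' && !empty($argv) && count($argv) > 1) {
    $samples = array();
    foreach (array_slice($argv, 1) as $path) {
        $samples[$path] = is_readable($path) ? file_get_contents($path) : '';
    }
}
foreach ($samples as $name => $source) {
    $found = findStrayOutput($source);
    echo $name, ': ', $found ? implode('; ', $found) : 'ok', "\n";
}
```
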
mark057 Posted March 14, 2005

I started from scratch, and made all the changes from the beginning. It works; :) but now my screens are preceded with a dozen "n's" on both the index and the file_manager pages! :( Is there a missing close TD or something? Please let me know. I can work with it like this; but it is annoying. :angry:

Mark057

mark057 Posted March 14, 2005

> I have followed all the changes and recommendations, now getting this error:
>
> Parse error: parse error in /var/www/html/catalog/admin/permission/securityFunctions.inc.php on line 15
>
> Please help, and thanks in advance.

Yet another error! :angry: How can anyone get this to work?

Parse error: parse error, expecting `','' or `';'' in /var/www/html/catalog/admin/orders.php on line 371

Can ANYONE get back with me?

Mark057

mark057 Posted March 15, 2005

> Yet another error! :angry: How can anyone get this to work?
>
> Parse error: parse error, expecting `','' or `';'' in /var/www/html/catalog/admin/orders.php on line 371
>
> Can ANYONE get back with me?

NEVER MIND! :thumbsup: The answer was found in another Forum, about having to upload the files in Binary mode - even though they are ASCII files. I still have issues; but will continue to work on them through the other Forums. Hope this information helps others who forget about those nasty invisible line feeds! :o

Mark057

This topic is now archived and is closed to further replies.