php - Infinite loop on login redirect
I have a login script that works for me, but it goes into an infinite loop on redirecting after checking the cookie-stored login. The browser reports the following: "Firefox has detected that the server is redirecting the request for this address in a way that will never complete." Others have reported the issue too. Below are the key elements of the login process. I wonder if anyone can see the issue in the process/script.
Thanks,
Nick
First, at the top of each page to be protected:

    <?php
    session_start();
    $_SESSION['url'] = $_SERVER['REQUEST_URI'];
    require('login/config.php');
    require('login/functions.php');
    if (allow_access(users) != "yes") {
        include ('login/check_login.php');
        exit;
    }
    ?>

Then in check_login.php:
    <?php
    session_start();
    //check to see if the user has an open session
    if (($_SESSION[user_name] != "") && ($_SESSION[password] != "")) {
        header("Location: $_SESSION[redirect]");
        exit;
    }
    $lr_user = $_COOKIE['lr_user'];
    $lr_pass = $_COOKIE['lr_pass'];
    //check to see if the cookies have been set
    if (($lr_user != "") && ($lr_pass != "")) {
        header("Location: /login/redirect.php");
        exit;
    }
    //if neither is true, redirect to login
    header("Location: /login/login.php");
    ?>

Then, in redirect.php:
    <?php
    session_start();
    //require the config and functions files
    require ("config.php");
    require ("functions.php");
    $lr_user = $_COOKIE['lr_user'];
    $lr_pass = $_COOKIE['lr_pass'];
    //check to see if the cookies are set (remember me)
    if ((!$lr_user) || (!$lr_pass)) {
        $username = $_POST[username];
        $password = $_POST[password];
    } else {
        $username = $lr_user;
        $password = $lr_pass;
    }
    //sets cookies to remember this computer if the user asks
    if ($_POST[remember] == "yes") {
        setcookie("lr_user", $username, $duration, "/", $domain);
        setcookie("lr_pass", $password, $duration, "/", $domain);
    }
    //sets the session variables
    sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $username, $password);
    if (isset($_SESSION['url']))
        $_SESSION[redirect] = $_SESSION['url'];   // holds the url of the last page visited
    else
        $_SESSION[redirect] = "/index.php";        // default page
    //redirects the user
    header("Location: $_SESSION[redirect]");
    ?>

functions.php:
    <?php
    //function for the date
    function last_login() {
        $date = gmdate("Y-m-d");
        return $date;
    }

    //function that sets the session variables
    function sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $username, $password) {
        //make the connection to the database
        $connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
        $db = @mysql_select_db($db_name, $connection) or die(mysql_error());
        $sql = "SELECT * FROM $table_name WHERE username = '$username' AND password = PASSWORD('$password')";
        $result = @mysql_query($sql, $connection) or die(mysql_error());
        //get the number of rows in the result set
        $num = mysql_num_rows($result);
        //set the session variables if there is a match
        if ($num != 0) {
            while ($sql = mysql_fetch_object($result)) {
                $_SESSION[first_name] = $sql->firstname;
                $_SESSION[last_name]  = $sql->lastname;
                $_SESSION[user_name]  = $sql->username;
                $_SESSION[password]   = $sql->password;
                $_SESSION[group1]     = $sql->group1;
                $_SESSION[group2]     = $sql->group2;
                $_SESSION[group3]     = $sql->group3;
                $_SESSION[pchange]    = $sql->pchange;
                $_SESSION[email]      = $sql->email;
                $_SESSION[redirect]   = $sql->redirect;
                $_SESSION[verified]   = $sql->verified;
                $_SESSION[last_login] = $sql->last_login;
            }
        } else {
            $_SESSION[redirect] = "$base_dir/errorlogin.php";
        }
    }

    //function to determine if access is allowed
    function allow_access($group) {
        if ($_SESSION[group1] == "$group" || $_SESSION[group2] == "$group" || $_SESSION[group3] == "$group"
            || $_SESSION[group1] == "administrators" || $_SESSION[group2] == "administrators"
            || $_SESSION[group3] == "administrators" || $_SESSION[user_name] == "$group") {
            $allowed = "yes";
        } else {
            $allowed = "no";
        }
        return $allowed;
    }

    //function to check the length of the requested password
    function password_check($min_pass, $max_pass, $pass) {
        $valid = "yes";
        if ($min_pass > strlen($pass) || $max_pass < strlen($pass)) {
            $valid = "no";
        }
        return $valid;
    }
    ?>

config.php:
    <?php
    //set the names of the database and table
    $db_name = "";
    $table_name = "authorize";
    //connect to the server and select the database
    $server = "localhost";
    $dbusername = "";
    $dbpassword = "*";
    //domain information
    $domain = "";
    //change to "0" to turn off the login log
    $log_login = "1";
    //base_dir is the location of the files, ie http://www.yourdomain/login
    $base_dir = "";
    //length of time for the cookie - 7 days and 24 hours
    //if the time is too short, e.g. 1 hour, change it to 60*60*1
    $duration = time()+60*60*24*365*10;
    //the site administrator's email address
    $adminemail = "";
    //sets the time to EST
    $zone = 3600*00;
    //do you want to verify new users through email if users register themselves?
    //yes = "0" : no = "1"
    $verify = "0";
    //default redirect, the url self-registered users are redirected to
    $default_url = "";
    //minimum and maximum password lengths
    $min_pass = 8;
    $max_pass = 15;
    $num_groups = 0+2;
    $group_array = array("users","administrators");
    ?>
Edit - try this:
I think the problem is that I assume you are trying to protect 'all' pages, including index.php. You have included the index.php page in the $_SESSION[redirect] variable. You should think along the lines of:
- the user tries to access a page
- you check if they are allowed to
- if they are allowed to, let them view the page without interruption
- if not (i.e. not logged in), redirect them to the login page
Your script is still trying to redirect them when they are allowed to view the page (which is what is causing the loop problem).
It is a subtle difference, but an important one (especially when protecting pages).
I would try this:
At the top of the protected pages change the bottom snippet to:
    if (allow_access(users) != "yes") {
        include ('login/check_login.php');
        check_redirect();
    }

In check_login.php try this:

    <?php
    session_start();
    function check_redirect() {
        //check to see if the user has an open session
        if (($_SESSION[user_name] != "") && ($_SESSION[password] != "")) {
            // return if a valid user (no need to redirect them)
            return;
        }
        $lr_user = $_COOKIE['lr_user'];
        $lr_pass = $_COOKIE['lr_pass'];
        //check to see if the cookies have been set
        if (($lr_user != "") && ($lr_pass != "")) {
            // return if a valid user (no need to redirect them)
            return;
        }
        //if neither is true, redirect to login
        header("Location: /login/login.php");
        die();
    }
    ?>

Your redirect.php is not needed for solely protecting pages, as I assume you use an actual login.php script, therefore:
$_SESSION['url'] would have stored the page they were trying to get to, and the redirect.php / login.php script should use that to redirect them there after a successful login.
Lastly, the above is untested code but it should work better than what you had; let me know how you get on.
To be honest it is quite hard to determine what is wrong with the code because there are still a few unknown variables, such as the config and functions files and the function:
if (allow_access(users) != "yes") which I assume users should be 'users'; likewise, unless the question was loosely typed, variables like $_SESSION[user_name] must have the apostrophes correctly added or you will get notices all over the place (undefined variable, assumed ... etc etc), not to mention messing up your session data.
Perhaps if I offer some advice on your current code, you may be able to try a few things to fix it.
Multiple redirects / scripts
I would firstly rewrite the check_login.php and redirect.php scripts - the fact that you have 2 separate scripts (which could be combined) will give you problems at some stage, because you are redirecting a redirect (which isn't logical when said out loud). I would rewrite the scripts into 1 'auth.php' script, and simplify the include on the pages that require authentication, for example:
    <?php
    session_start();
    // use require_once for the login scripts, not 'include', as you want an error
    // to occur and halt page processing if the file is not found; include will
    // give a warning but still continue page processing (which is what you're
    // trying to protect). lastly '_once' so you don't get multiple inclusions of
    // the same script by accident (which could import the login / redirect scripts).
    require_once('login/auth.php');
    // create 1 function to proxy the other functions / includes
    // (or exclude this function and use require_once on the file directly);
    // including a function makes it easier to understand.
    check_login();
    ?>

Now the auth.php file:
    <?php
    session_start();
    // if these are required use _once. I guess some of these 'functions'
    // may be able to be included within the 'auth.php' file directly?
    require_once('login/config.php');
    require_once('login/functions.php');

    // set variables here
    $_SESSION['url'] = $_SERVER['REQUEST_URI'];

    // main check login function
    function check_login() {
        // check if the user is logged in / needs to be logged in
        // perhaps the allow_access() function?
        // the checks on the session / cookie should resolve to a
        // simple bool variable (i.e. whether the user is valid or not)
        $userisvalid = true || false; // placeholder for the result of the above checks

        // use a redirect function and pass in the $userisvalid variable
        // to tell the redirect() function whether to redirect.
        redirect($userisvalid);
    }

    // use a separate function to redirect to keep it cleaner
    // not sure about the url's you have floating around in your code;
    // I think you either want to let them proceed to the page they are
    // trying to view (if validated) or you want them to login?
    function redirect($validuser = false) {
        // if the user is valid, return as we don't have to redirect them
        if ( $validuser ) {
            return true;
        }
        // otherwise redirect them to the login page
        header("Location: /login/login.php");
        die();
    }
    ?>

Security
You don't need to be (and shouldn't be!) storing the actual password in the session, and I would advise against the cookie also. If you must store the password / username in a cookie, at the very least you must encrypt it using md5() with a salt, etc. In a nutshell, rather than checking $_SESSION['user_name'] and $_SESSION['password'] do something like:

    // if the user has no valid session do something:
    if ( !isset($_SESSION['id']) ) {
    }

Separation of concerns
I'm not sure why you have:

    $username = $_POST[username];
    $password = $_POST[password];

within the redirect.php file; are you using this script when users log in? I don't think it's a good idea if so (which may be the problem). You should have a separate script to handle the actual login functionality (including the redirect after logging in). The above should only be concerned with a) checking if the user is valid / logged in and b) redirecting them if not - i.e. protecting the web page(s).
Your code:

    //check to see if the user has an open session
    if (($_SESSION[user_name] != "") && ($_SESSION[password] != "")) {
        header("Location: $_SESSION[redirect]");
        exit;
    }

I'm not sure about this bit in context; why are you redirecting them if they have a valid session? Scratch that, I don't understand the whole check_login.php script; things are a bit backwards (especially when combined with the redirect.php script). You are checking the same variables again ((!$lr_user) || (!$lr_pass)) in the redirect script and making reference to things that have not been set in the check_login.php script.
Edit: solution? Unless I have overlooked something, the above code block makes reference to $_SESSION['redirect']; I think it should either be $_SESSION['url'] or you shouldn't redirect them at all. $_SESSION['redirect'] doesn't get set until the redirect.php script (which may not be called if a session exists).
Final thoughts:
Sorry if this doesn't answer your question as you would have liked, but I think it is an opportunity to take a look at your script(s) and clean / simplify them. Ideally you should look at an OOP approach, i.e. create a session, redirect and login class. If you are sticking with plain functions (procedural) make sure you create a clean separation for each script. In a nutshell:
- don't repeat yourself; for example, why do you have both $_SESSION['redirect'] and $_SESSION['url'] when these are the same value?
- don't redirect a redirect (one script should handle this)
- separate concerns - have a login script doing the login process and an authentication / ACL script securing the actual pages (don't combine the two).
Hope the above makes sense, let me know if not.
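Putting the advice from both answers together (a single auth.php guard that never redirects a logged-in user, a separate login step that sends the visitor back to $_SESSION['url'], no password in the session or the cookie, and a session id check), here is an added example; it is not the original poster's script and not either answer's code. It assumes PHP 7.1 or later with PDO, a users table with the columns id, username, password_hash, remember_selector and remember_validator_hash, a cookie named lr_remember and a session key user_id; none of those names come from the original. The block at the bottom seeds an in-memory SQLite database with a constructed user so the functions can be exercised offline from the command line.

```php
<?php
// auth.php - added example, not the original poster's script or either answer's code.
// Assumed schema: users(id, username, password_hash, remember_selector, remember_validator_hash).
declare(strict_types=1);

const REMEMBER_COOKIE = 'lr_remember';      // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;  // 30 days
const LOGIN_PAGE      = '/login/login.php';

// Password check with a prepared statement and password_verify(): no SQL is built
// from user input and the database never stores or compares the plaintext.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// "Remember me" without a password in the cookie: the cookie carries a random
// selector and validator; only a hash of the validator is stored server-side.
function issueRememberToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET remember_selector = ?, remember_validator_hash = ? WHERE id = ?');
    $stmt->execute([$selector, hash('sha256', $validator), $userId]);
    return $selector . ':' . $validator;
}

// Look the user up by selector, then compare validator hashes in constant time.
function userFromRememberToken(PDO $db, string $cookie): ?int
{
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT id, remember_validator_hash FROM users WHERE remember_selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals((string) $row['remember_validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['id'];
}

// Only a same-site path may be a post-login target; an absolute or
// protocol-relative (//host) URL in $_SESSION['url'] would be an open redirect.
function safeReturnUrl(?string $url): string
{
    return ($url !== null && preg_match('#^/(?![/\\\\])#', $url)) ? $url : '/index.php';
}

// Page guard: a logged-in user is never redirected (that is what removes the
// loop); only a visitor with no session and no valid cookie is sent to login.
function checkLogin(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return;
    }
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($cookie !== '' && ($id = userFromRememberToken($db, $cookie)) !== null) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $id;
        return;
    }
    $_SESSION['url'] = $_SERVER['REQUEST_URI'] ?? '/index.php';  // where to come back to
    header('Location: ' . LOGIN_PAGE);
    exit;
}

// login.php calls this after login() succeeds: fresh session id, optional
// remember-me cookie, then back to the page recorded by checkLogin().
function finishLogin(PDO $db, int $userId, bool $remember): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    if ($remember) {
        setcookie(REMEMBER_COOKIE, issueRememberToken($db, $userId), time() + REMEMBER_TTL, '/', '', true, true);
    }
    $target = safeReturnUrl($_SESSION['url'] ?? null);
    unset($_SESSION['url']);
    header('Location: ' . $target);
    exit;
}

// Offline walk-through on an in-memory SQLite database with a constructed user.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, remember_selector TEXT, remember_validator_hash TEXT)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['nick', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    $id    = login($db, 'nick', 'correct horse battery staple');
    $token = issueRememberToken($db, $id);
    var_dump(login($db, 'nick', 'wrong password'));
    var_dump(userFromRememberToken($db, $token) === $id);
    var_dump(userFromRememberToken($db, 'bogus:token'));
    var_dump(safeReturnUrl('//evil.example/'));
}
```

A protected page does require_once 'auth.php'; checkLogin($db); and nothing else; login.php calls login() and then finishLogin(). The remember-me cookie here replaces the password rather than hashing it, which is the stronger form of the "md5() with a salt" advice above: a stolen cookie reveals nothing about the password, and it can be revoked by clearing the user's stored selector.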