
Authentication Confusion


This topic is 3118 days old. Please don't post here. Open a new topic instead.


I am trying to create a login process based on the Accounts and Privileges in FMP. I have, as a guide, Johnathan Stark's article "Deliver Secure Web Applications with PHP and FileMaker Pro" from the February/March 2008 issue of FileMaker Advisor. Copying Johnathan's code is no problem and I understand how it works. However, I'm trying to do it a little differently:

1. I have an "includes" folder which contains, among other things, a header.php file. This way I only have to go to one place to change things like the horizontal navigation.

2. The "includes" folder also has a functions.php file (based on Lance Hallberg's DVD series "FileMaker 9 & PHP Foundations")

3. The login page is Index.php

I think I'm creating a bit of a circle, but I can't seem to get it clear in my head. The user fills out the form in Index.php which creates a Session. The Session provides the db_connect() function (in functions.php) with the username and password (whether storing a username and password is secure in a Session is another topic - I'd like to hear more about this, but for now I'm just trying to get this thing to work). The user is then taken to a dashboard. The header.php file calls the db_connect() function so the methods are (theoretically) available for all the pages. Finally, all pages have the following:


if ($_SESSION['authenticated'] == False ) {
	header('Location: index.php');
}

There are a number of things wrong with my system:

1. Even with the wrong username/password, access is granted.

2. With the correct username/password, I receive the same error messages (and granted access):

Fatal error: Call to a member function newFindCommand() on a non-object in /Applications/MAMP/htdocs/FMP_Justic_POC/studio_list.php on line 10

Notice: Undefined index: authenticated in /Applications/MAMP/htdocs/FMP_Justic_POC/dashboard.php on line 3

Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/FMP_Justic_POC/dashboard.php:3) in /Applications/MAMP/htdocs/FMP_Justic_POC/dashboard.php on line 4

Here is my relevant code for the files:

index.php

<?php
	session_start ();
	require ('includes/header.php');
	date_default_timezone_set('America/Detroit');

// 1. Log in successful - Session in process
if (isset ($_SESSION['authenticated']) && $_SESSION['authenticated'] == True ) {
	ob_end_clean(); // Destroy the buffer called in includes/header.php
	header ('Location: dashboard.php');
	exit();

// 2. Form completed - verify data
} elseif (isset($_POST['username']) && (isset($_POST['password']))) {
	$_SESSION['username'] = $_POST['username'];
	$_SESSION['password'] = $_POST['password'];
	$_SESSION['loggedin'] = time();
	return;
}

// 3. Form incomplete - show form
	?>
			<div class="grid_16">
				<p>Welcome to the FileMaker database online.  Please enter your username and password to gain access.  If you do not have a username and password, please see your systems administrator.</p>
			</div>
			<div class="grid_8">
				<form action='index.php' method="post">
					<label for="username">Username</label><input type="text" name="username" />

					<label for="password">Password</label><input type="password" name="password" />

					<input type="hidden" name="submitted" value="true" />
					<input type="submit" name="Login" value="Login" />
				</form>

			</div>
		</div>

<?php
	require ('includes/footer.html');
?>

header.php

<?php 
// turn on output buffering
	ob_start();
	include ('FileMaker.php');
	include ('includes/functions.php');

	$fm = db_connect();
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

etc.

functions.php

// DATABASE CONNECT
function db_connect() {
	if (isset($_SESSION['username'])) {
		$username = $_SESSION['username'];
		$password = $_SESSION['password'];

		$fm = new FileMaker('justice', '127.0.0.1', $username, $password);
		$result = $fm->listLayouts();

		if (FileMaker::isError($result)) {
			echo '<p>Error</p>';
			$_SESSION['authenticated'] = False;
		} else {
			echo '<p>No Error</p>';
			$_SESSION['authenticated'] = True;
		}
	}
}

I would greatly appreciate any help!

Thanks.

Link to comment
Share on other sites
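
The warnings quoted in the post above show the guard's redirect failing once output had started, and with no exit() after header() the protected page carried on rendering. A guard that fails closed, as an added example (not code from the thread; the function names are assumptions):

```php
<?php
// Added example; function names are assumptions, not from the thread.

// Pure decision so it can be exercised offline with constructed session arrays.
function is_authenticated(array $session): bool
{
    // isset() avoids the "Undefined index" notice; === true rejects null,
    // 0, "" and any other value that only matches under loose comparison.
    return isset($session['authenticated']) && $session['authenticated'] === true;
}

// Call at the very top of every protected page, before any output.
function require_login(string $loginPage = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (is_authenticated($_SESSION)) {
        return;
    }
    if (!headers_sent()) {
        header('Location: ' . $loginPage, true, 302);
    }
    // Stop here whether or not the redirect could be sent: without exit the
    // rest of the protected page still runs and is delivered to the browser.
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed session states, run from the command line.
    $cases = [
        'no key'     => [],
        'false'      => ['authenticated' => false],
        'string "1"' => ['authenticated' => '1'],
        'true'       => ['authenticated' => true],
    ];
    foreach ($cases as $label => $session) {
        printf("%-12s => %s\n", $label, is_authenticated($session) ? 'allow' : 'redirect');
    }
}
```

Only the last constructed case prints "allow"; every other state is sent back to the login page.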

  • 2 weeks later...

Um...

Too hard to follow. You basically want 3 things:

1) A login page (contains a username + password field and processes the login. If login successful, redirects user to first secure page... e.g. index.php).

2) A secure include (checks to see if the user has logged in. If they have, it also populates the $fm variable with a FileMaker object ready for your queries using the data the user previously provided ... If they haven't it redirects them to the login page.)

3) A logout page (destroys the user's session and sends them back to the login page.)

The following is extremely bare bones code:

1) The login page

login.php

<?php
//If the login form has been posted to the page, authenticate
if( isset($_POST['username']) ){
    $fm = new FileMaker('justice', '127.0.0.1', $_POST['username'], $_POST['password']);
	$result = $fm->listLayouts();

	if (FileMaker::isError($result)) 
		//It's probably worth checking for the actual error code here.. You don't want to be telling the user their password is incorrect if the database is just down...
		$error = "The username and password you supplied are invalid. Please enter a correct username and password and try again.";
	} else {
		session_start();
		$_SESSION['account'] = array();
		$_SESSION['account']['username'] = $_POST['username'];
		$_SESSION['account']['password'] = $_POST['password'];
		header("Location: index.php");
		exit();
	}
}
//If the user is redirected to the login page because they aren't authenticated or their session has expired...
if( isset($_GET['error']) ) {
	$error = $_GET['error'];
}
?>
<html>
<body>
<?php if( isset($error) ) echo '<span style="color:red">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</span><br/>'; ?>
<form action="login.php" method="post">
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="Login"/>
</form>
</body>
</html>

2) A secure include - you include this at the top of your pages. If the session hasn't been set, it means the user was never authenticated. 

includes/secure.php

<?php 
session_start();
if( !isset($_SESSION['account']) ){
	header("Location: login.php?error=".urlencode("You must be authenticated to view this page."));
	exit();
}

//If the user is authenticated, create the fm object for use in your scripts.
$fm = new FileMaker('justice', '127.0.0.1', $_SESSION['account']['username'], $_SESSION['account']['password']);

?>

3) Your logout page... Destroys the session so that any future session checks fail.

logout.php

<?php 
session_start();
unset($_SESSION['account']);
session_destroy();
header("Location: login.php");

4) Secure page:

index.php

<?php
require_once("includes/secure.php");
?>
<html>
<body>
You are logged in!! You will only see this page if you successfully logged in. If you aren't logged in, the included file will automatically redirect you to login.php and provide an error.
</body>
</html>

Hope that helps.

Link to comment
Share on other sites
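
The login.php above fills its error text from `$_GET['error']`, and the login and logout pages reuse one session ID throughout. An added example (not Genx's code; the helper names and the short error codes are assumptions) that sends only a code in the URL, issues a fresh session ID at login and removes the session cookie at logout:

```php
<?php
// Added example; helper names and error codes are assumptions, not from the thread.

// Fixed messages keyed by short codes. Only the code travels in the URL,
// so nothing placed in ?error= by an outsider is ever written into the page.
const LOGIN_ERRORS = [
    'auth'    => 'You must be authenticated to view this page.',
    'invalid' => 'The username and password you supplied are invalid.',
];

function login_error_message(array $query): ?string
{
    $code = $query['error'] ?? null;
    if (!is_string($code) || !array_key_exists($code, LOGIN_ERRORS)) {
        return null;                      // unknown or malformed: show nothing
    }
    return htmlspecialchars(LOGIN_ERRORS[$code], ENT_QUOTES, 'UTF-8');
}

// Call after FileMaker accepts the credentials and session_start() has run.
// The thread's design keeps the FileMaker credentials in the session.
function start_authenticated_session(string $username, string $password): void
{
    session_regenerate_id(true);          // new session ID for the logged-in user
    $_SESSION['account'] = ['username' => $username, 'password' => $password];
}

// Body of logout.php: clear the data, expire the cookie, remove the session.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI === 'cli') {                 // constructed query strings
    var_dump(login_error_message(['error' => 'auth']));
    var_dump(login_error_message(['error' => '<b>injected markup</b>']));
}
```

With this in place, secure.php would redirect to login.php?error=auth rather than passing the sentence itself.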

Too hard to follow.

Thanks, Genx. Sorry my original post was so convoluted. I wanted to create a function that connected to the database and have that as an include file. This is based on Lance Hallberg's videos. So, every page that needed to access the database would have db_connect(); rather than the full $fm = new FileMaker ('... .

I think my problem was that my index page and login page are one and the same. There seemed to be something cyclical about the way I had it set up - it was confusing to me!

I ended up not creating the function and putting $fm = FileMaker ('... on every page that accesses the database.

You basically want 3 things:

1) A login page (contains a username + password field and processes the login. If login successful, redirects user to first secure page... e.g. index.php).

2) A secure include (checks to see if the user has logged in. If they have, it also populates the $fm variable with a FileMaker object ready for your queries using the data the user previously provided ... If they haven't it redirects them to the login page.)

3) A logout page (destroys the user's session and sends them back to the login page.)

Thanks for listing these. I have a login/index page, a logout page, and a condition on all other pages that checks to see if a person is logged in. This seems similar to what you have, so it was validating to read.

Again, thanks for the help.

Link to comment
Share on other sites

  • 2 months later...
  • 2 years later...
  • Newbies

Hi all

 

I hope it's OK to revive this old thread.

 

As a newcomer to the PHP API, I'm trying to authenticate web access using Filemaker privileges. I like the look of Genx's solution above, but can't get it to work for me.

 

When I copy the php exactly (substituting my database name for the placeholder), going to index.php results in a blank page with the url "/login.php?error=You+must+be+authenticated+to+view+this+page.". The page source is completely blank. Is this some problem with the "header" function, which is used in secure.php and login.php?

My php is rather limited and I'm not sure what the following line in secure.php is supposed to do:

    header("Location: login.php?error=".urlencode("You must be authenticated to view this page."));
 

My FMS + PHP API setup is working fine.

 

I'm a relative beginner as regards php/html. More than 20 years of experience with Filemaker though...

 

Has anyone used Genx's scripts above or something similar?

 

Thanks,

 

Steve

Link to comment
Share on other sites

The line you cite reloads your login.php page with an error message (if the session variable $_SESSION['account'] is not set).

 

Does the index.php file actually try to load (does the url in the location bar in your browser show index.php) or does it try to reload login.php?  A blank screen most often indicates a syntax error -- a missing semicolon or some such-- but you need to determine in which file. 

Link to comment
Share on other sites

  • Newbies

Hi Doughemi

 

I don't think index.php tries to load. When I try to open index.php, the url immediately switches to "http://myserver/login.php?error=You+must+be+authenticated+to+view+this+page." and gets stuck there. The screen goes blank (I don't see the login form). I'm supposing that the error "You must be authenticated..." is supposed to load on the page, not in the url?

 

I copied the scripts posted above by Genx exactly. I don't have enough experience with php to be able to pick out any but the most obvious syntax errors.

 

Does that help at all?

 

Thanks,

 

Steve

Link to comment
Share on other sites

No, you can't open index.php manually; the authentication code at the top of the page (from genx's example) will immediately redirect you to login.php.

 

Note that the forum software has word-wrapped some of the long lines in the example login.php code.  As a basic rule of thumb, any line that does not begin with a // (comment) must end with a ";" , or in the case of an if statement, possibly a "{".

 

In other words,

 


//It's probably worth checking for the actual error code here.. You don't want to be telling the user their password is incorrect if the database is just down...

 

and

 

$error = "The username and password you supplied are invalid. Please enter a correct username and password and try again.";

 

should each be one long line.

Link to comment
Share on other sites

  • Newbies

Doughemi

 

Thanks for your patience. I think I get most of that; I believe my code is properly 'un-wrapped' so that the comments and others are all on one line...

 

My understanding was that index.php is a typical protected page. It is redirected to secure.php via the require_once, but my reading is that then I should pass to login.php. If not logged in, I should see the login page. Then, if all goes well, ultimately return to index.php with the welcome message.

 

If I try to load login.php directly, I also get a blank screen...

 

I guess it must be a php syntax problem... Still looking!

 

Steve

Link to comment
Share on other sites

  • Newbies

Found a first syntax error, I think. Missing curly bracket at line 17 of login.php.

 

I now get the login form on the screen.

 

But the login routine still isn't working for me, so I suppose there are others.

 

I suppose no-one out there has actually implemented this code by Genx and got it working?

 

Tks,

 

Steve

Link to comment
Share on other sites

Genx usually writes fairly good code - I'll take a copy of the above and see if I can spot anything...

 

OK, there is a missing curly bracket on line 7:

	if (FileMaker::isError($result)) {

It should load the login page after that is changed.

Link to comment
Share on other sites

  • Newbies

Thanks Webko and Doughemi for your help with this. I've now got it working.

 

The final problem was that Genx's scripts do not include a call to the Filemaker API. To make the scripts work, you need to add the following line to login.php  (can go after the comment on line 2) and secure.php (I put it immediately after the comment on line 8):

 

require_once('FileMaker/FileMaker.php');

 

You need to correct the path to FileMaker.php according to your setup.

 

It's taken me a few sessions to get this working, but meantime I've learned considerably more php than I knew at the beginning of the week.

 

Once again, thanks everyone for the pointers.

 

Steve
 

Link to comment
Share on other sites

  • 2 years later...

Hopefully someone is still seeing this old thread. First off I am not new to FM but totally new to php. I have created the four files that GENX posted and this is the output:

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /Users/phouck/Sites/EMS/login.php:2) in /Users/phouck/Sites/EMS/login.php on line 23

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /Users/phouck/Sites/EMS/login.php:2) in /Users/phouck/Sites/EMS/login.php on line 23

Warning: Cannot modify header information - headers already sent by (output started at /Users/phouck/Sites/EMS/login.php:2) in /Users/phouck/Sites/EMS/login.php on line 31

Line 23 is:    session_start();

Line 31 is:    header("Location: index.php");

What do I have wrong? I added the include for FileMaker.php and removed the extra bracket in the login.php file, line 38(?)

Any advice is appreciated.

Link to comment
Share on other sites

The first three are caused by some type of actual data being sent before the redirect - most commonly, white space or a return before the php starts.

I would bet (without being able to see your actual code) that there is something like:


<?php
  //A redirect
?>

Note the two returns before the php starts - that will cause the issue described above

HTH

Webko

Link to comment
Share on other sites

Webko, thanks for the reply! You Aussies are always great on the forums. Since my post I have fixed multiple file/directory location issues and everything seems good in that area but when I run index.php it comes up with a blank screen. Running that should give me a login page, right? Maybe I'm misunderstanding how this works, still trying to digest the php.

Link to comment
Share on other sites

Usually indicates that there has been an error of some sort that prevents the page from rendering correctly - try adding these lines at the top to get an error message:

<?php
ini_set('display_errors',1);
error_reporting(-1);
?>

 

Link to comment
Share on other sites

Awesome, it's working and your code helped in that when I went to open index.php to add it, I realized that I had saved the file with "index" capitalized. With that fixed I'm logged, thanks again for the help. I'm sure I will need more but that's another post. Ciao

Link to comment
Share on other sites
