PHP - Ldap Authentication Question

Hi guys,
I have this problem and id appreciate all your advice in helping solve it.

I'm working on a service with is "cloud" hosted.
However I want it so when a person employed by Corporation A logs onto myservice.corporationa.com they enter their Corporation A LDAP details but somehow that sends them to myservice.com and authenticates them. I know how to do the get LDAP details part to put on myservice.corporationa.com but no idea how to do the rest and make it send back etc.

Any ideas?

Many many thanks in advance.

(PS - If this all makes sense please do let me know)

Hello everyone,

I'm new to PHP and I have a question about a PHP Login page using LDAP.

I have received a project from my boss. A project to digitizing a form. Well having that part done, my boss said to make login page that uses LDAP.

A page that using the username and password from the AD to login and redirected to a different page. So that the person doesn't have to remember different usernames and passwords.

Is there a simple script, doing this?

Kind regards,

Rinse Ringma

( Don't mind my bad English )

I am having trouble using ldap_start_tls().

I am using the same code I have seen in a dozen different forums:

$ds = ldap_connect($ldap['host'],$ldap['port']); 
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_start_tls($ds);
ldap_bind($ds,$ldap['user'],$ldap['pass'])
ldap_close($ds);

but I still receive the same error message: Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error

The LDAP authentication had been working fine without the ldap_start_tls.

I feel like I must have missed something big - is ldap_start_tls() dependent on having a local certificate? is OpenSSL a pre-requisite? I've seen lots of discussions turn towards OpenLDAP, but I had assumed this was only on the target server. Can anyone confirm that?

Any help would greatly appreciated.
Darren

Hi,
I'm working with the LDAP directory, and using PHP to access it.

I am able to extract the name, departments and phone nos. from the directory.

On the display page, i am looking to make the name column sort A-Z. (Like the "name" will be clickable and will sort the names from A-Z and Z-A )

Would appreciate if someone could suggest approaches to achieve this using PHP

Thanks

Hi I am finding that I get a random LDAP search fail the initial time i run a script against 2008R2 when I refresh all is ok ? PHP 5.2.5 get the same thing with the latest version of PHP. any ideas ? its as if the DC is sleeping until you give it a nudge, running on 2008R2 running on vmware.

Hi Everyone,

Hopefully someone will be able to assist with my problem. Basically, my situation is that we have a server which hosts multiple websites using multiple IP address. One of the new sites we are moving to this server needs an LDAP connection outside of our network. The outside LDAP has already been enabled to accept requests from the specific IP assigned to this site. However, other sites on this server are using other IP addresses.

It seems as if the LDAP authentication request is getting sent by a IP address which is not authorized by the firewall on the outside LDAP server. Thus trouble authenticating.

So, my question is, is there a way to force the ldap_bind request to use a specific IP address to send the request for authentication? Supposedly this can be done using an event handler. However, I don't have much experience with event handlers so am not sure how to go about doing this.

I would appreciate any help or ideas to resolve this situation. Thanks!

- Jodie

Hi,
I am trying to search the employeeid value taken from an mssql db against a LDAP database.
It works but when it cannot found the employeeid on the LDAP db it stops with this error:

Catchable fatal error: Object of class variant could not be converted to string in ldap2.php on line 101

Here is the code.
i've tried with ->value without success .

Please help me.

do {
$sql = "SELECT EMPL.MATR
FROM DOS
ORDER BY DOS.MATR";
 
$result = mssql_query($sql);
while ($myrow = mssql_fetch_array($result))
{

$matr = $myrow['MATR'];
$matr = intval($matr);

//echo $matr;

$strRS = "Select givenname,sn,displayName,mail,SAMAccountName,employeeid,cn from 'LDAP://dom.local/DC=dom,DC=local' where objectClass='user' and employeeid='$matr'";

$RS->Open($strRS, $Conn, 1, 1);
echo $RS['cn'];
echo "<br>";

$RS->Close;

}

$item++; // iterate count through ldapresults

}
while ($item < $Result['count']);
echo '<hr />';
$Conn->Close;

I am new to PHP. I have been trying to do some research online for a few days and not getting very far. I feel like I know less now than I did before I started.

Here's the story:

I've set up a LAMP server that runs a Wiki and AppGini (http://www.bigprof.com/appgini/) - AppGini allows you to "Create web database applications instantly without writing any code" - The only downside we have with it, is it's got it's own set of user accounts. My team all logs in with the default admin account which isn't a big deal but we'd prefer to use LDAP to AD for reasons I won't get into right now.

I emailed AppGini support and asked about LDAP integration. Their response was that it's "a little bit of work" and "You can modify the login authentication function to authenticate using LDAP ... please see the example code he http://code.activestate.com/recipes/101525-ldap-authentication/ (needs some modifications to work with AppGini)"

I've googled around and found 2 dozen different LDAP PHP samples. I've gotten some of them to work. By work I mean they connect to my domain controller and say "success" I'm not actually logged into anything.

So I'm looking for a little help from square one. I need to have a better understanding of how things are supposed to work so I know where I'm supposed to go with all of this. Where do I start? What do I do? What would YOU do?


This is the current "index.php" that logs you into the site.
Code: [Select]
<?php

error_reporting(E_ALL ^ E_NOTICE);
$d=dirname(__FILE__);
include("$d/defaultLang.php");
include("$d/language.php");
include("$d/incCommon.php");
$x->TableTitle=$Translation['homepage'];
include("$d/header.php");

if($_GET['signOut']==1){
logOutMember();
}

$tablesPerRow=2;
$arrTables=getTableList();

?>
<div align="center"><table cellpadding="8">
<?php if($_GET['loginFailed']==1 || $_GET['signIn']==1){ ?>
<tr><td colspan="2" align="center">
<?php if($_GET['loginFailed']){ ?>
<div class="Error"><?php echo $Translation['login failed']; ?></div>
<?php } ?>
<form method="post" action="index.php">
<table border="0" cellspacing="1" cellpadding="4" align="center">
<tr>
<td colspan="2" class="TableHeader">
<div class="TableTitle"><?php echo $Translation['sign in here']; ?></div>
</td>
</tr>
<tr>
<td align="right" class="TableHeader">
<?php echo $Translation['username']; ?>
</td>
<td align="left" class="TableBody">
<input type="text" name="username" value="" size="20" class="TextBox">
</td>
</tr>
<tr>
<td align="right" class="TableHeader">
<?php echo $Translation['password']; ?>
</td>
<td align="left" class="TableBody">
<input type="password" name="password" value="" size="20"class="TextBox">
</td>
</tr>
<tr>
<td colspan="2" align="right" class="TableHeader">
<span style="margin: 0 20px;"><input type="checkbox" name="rememberMe" id="rememberMe" value="1"> <label for="rememberMe"><?php echo $Translation['remember me']; ?></label></span>
<input type="submit" name="signIn" value="<?php echo $Translation['sign in']; ?>">
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['go to signup']; ?>
<br /><br />
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['forgot password']; ?>
<br /><br />
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['browse as guest']; ?>
<br /><br />
</td>
</tr>
</table>
</form>
<script>document.getElementsByName('username')[0].focus();</script>
</td></tr>
<?php } ?>
<?php
if(!$_GET['signIn'] && !$_GET['loginFailed']){
if(is_array($arrTables)){
if(getLoggedAdmin()){
?><tr><td colspan="<?php echo ($tablesPerRow*3-1); ?>" class="TableTitle" style="text-align: center;"><a href="admin/"><img src=table.gif border=0 align="top"></a> <a href="admin/" class="TableTitle" style="color: red;"><?php echo $Translation['admin area']; ?></a><br /><br /></td></tr><?php
}
$i=0;
foreach($arrTables as $tn=>$tc){
$tChk=array_search($tn, array());
if($tChk!==false && $tChk!==null){
$searchFirst='?Filter_x=1';
}else{
$searchFirst='';
}
if(!$i % $tablesPerRow){ echo '<tr>'; }
?><td valign="top"><a href=<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?>><img src=<?php echo $tc[2];?> border=0></a></td><td valign="top" align="left"><a href=<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?> class="TableTitle"><?php echo $tc[0]; ?></a><br /><?php echo $tc[1]; ?></td><?php
if($i % $tablesPerRow == ($tablesPerRow - 1)){ echo '</tr>'; }else{ echo '<td width="50">&nbsp;</td>'; }
$i++;
}
}else{
?><tr><td><div class="Error"><?php echo $Translation['no table access']; ?><script language="javaScript">setInterval("window.location='index.php?signOut=1'", 2000);</script></div></td></tr><?php
}
}
?>

</table><br /><br /><div class="TableFooter"><b><a href=http://bigprof.com/appgini/>BigProf Software</a> - <?php echo $Translation['powered by']; ?> AppGini 4.61</b></div>

</div>
</html>

I am currently doing the following but wish to change to using JWTs.

A webserver is running some CRM system which has its own authentication system and browsers can access public routes without logging and but must log on first to access private routes. All the routes on the webserver which are prefixed by "api" will be forwarded to specific REST API along with an "account" GUID in the header and the user's ID if it exists. For the routes that require a user to be logged in, the webserver will first check if a session exists, and if not make a preliminary GET request to the REST API which includes the GUID as well as the user's ID and encrypted password (both based on the webserver's CRM DB) in the URL.  Not sure whether anything is possible by including the hashed password and am currently not doing anything with it.  The REST API queries the DB using the GUID and webserver's user ID and returns the REST API's users ID and the webserver stores it in a session. The REST API receives the GUID and potentially the REST API's user ID and queries the DB to retrieve the account and potentially user before executing the route, and returns the response to the webserver which it returns it to the browser.

The new approach might be something like the following:

Before the webserver forwards any request to the REST API, it checks if a session is set, and if not performs a GET request to the REST API along with the GUID and if known user's credentials in the URL and receives a JWT which contains a payload including the account PK, and potentially the user PK, user's access level, etc. All future requests include this JWT in the header. The REST API no longer queries the DB to get the account ID and user authorized settings as it is provided in the JWT.

A couple of questions:

What should be done if a non-logged on user first accesses a public route, gets a JWT, and stores it in a session, but then later logs on and accesses a private route?  The webserver thinks it has a valid JWT and will send it but the REST API will then decrypt it and find there is no user it.  One option is for the webserver to use two sessions, but this sounds kludgy.  Or maybe the REST API returns some header which instructs the webserver to re-authenticate, but not sure if even an option, and if so how to cleanly prevent some loop.  Also, would it be necessary to issue a new JWT or can the payload in a JWT be changed? Is GET appropriate for requesting the JWT's or should I use some other method? Is it appropriate to include the user's access level in the JWT payload?  Will one need to wait until the JWT has expired before their access level changes? Any ideas how to deal with using the user's password on the CRM to also authenticate on the REST API?  The GUID is probably secret enough for the application and if an issue, can just use the GUID and username. Am I going down an reasonable path and anything else obvious I should be considering?

Thanks!

Hi all,

I have an authentication part on my website that checks every page through a session variable if a user is logged in and which user it is.
When I test my code on my computer it works perfectly registration and login goes smooth but when someone on another computer tries it they get the acces denied page.... does anyone know why???

Greets Ryflex

Okay, at the moment, when a user logs into my website a token is created. The token is made from a random code, their name and their email. This token is then stored next to their name in the DB.

If the user chooses to be remembered, the token is stored as a cookie, otherwise it's stored as a session var.

Every time a page is loaded, a comparison is made between the DB token and the session/cookie token to authenticate.

HOWEVER, this does not work if the user decides to login from different locations/ip addresses. How would I go about allowing this? Could I created a table and then store the IP address and the token for that IP address?

Hello all,

I am extremely new with php, I just started learning it this week. I am tryin to make a secure login page that uses cookies for authentication. The problem I am having is that I cannot seem to get it to detect or read the set cookie properly. I want it to detect if its the correct username in the cookie and if so, allow to see the page, and if now, then return to the login screen.

The login screen is login.html, which directs the person to the php script login.php. That should in turn show them a message page and some short info, as well as a link to their control panel (index.php) . The problem is that even if i skip the login I can still reach the control panel (index.php) with or without the cookie.

Here is my code (please be gentle this is my first week with php):

login.html:
Code: [Select]
<html>
<head>
<Title>Admin Login</Title>
</head>
<body>
<center>
<br>
<br>
<br>
<br>
<img src="pk.png">
<form action="login.php" method="post">
<br>
Username: <input type="text" name="username" /><br>
Password:  <input type="text" name="password" /><br>
<input type="submit" value="Login" />
</form>
</center>





</body>
</html>
login.php:
Code: [Select]
<?php

// Print a cookie
//echo $_COOKIE["auth"];

// A way to view all cookies
//print_r($_COOKIE);

//global $verified;

$verified=NULL;
global $cookie;
$cookie=$HTTP_COOKIE_VARS['auth'];

if($_COOKIE["auth"] = "Verified_Power" )
{
echo "You have been verified as PowerHouse. <br><br>";
$verified="TRUE";
}
else if($_COOKIE["auth"] = "Verified_Thor")
{
echo "it's actually thor!<br><br>";
$verified="FALSE";
}
else
{
echo "Bad Chookie";
$verified="FALSE";
exit();
}


?>
<html>
<head>

<Title>Login Info</Title>
</head>
<body>
<center>
<img src="pk.png">
<br>
<br>
<br>
Hello <?php echo($username); ?>!<br />


<?php //header("Cache-Control:no-cache");






$msgfile = "messages.txt";
$msgf = fopen( $msgfile, "r");
$msgsize = filesize( $msgfile );
if( $msgsize <= 0)
{
$msg=NULL;
}
else
{
$msg = fread( $msgf, $msgsize);
fclose($msgf);
}



If( $username == "PowerHouse" )
{
If( $password == "test")
{
//read logon file
$powerlogfile="Admin_Checkin/logs/powerlogon.txt";
$logfile = fopen( $powerlogfile, "r");
$logfilesize = filesize ( $powerlogfile );
$logcountpower = fread( $logfile, $logfilesize );
$logcountpower++;
fclose($logfile);
//open file for writing
$logfile = fopen($powerlogfile, "w");
fwrite( $logfile, $logcountpower);

fclose($logfile);
echo("You are logged in. <br><br>");
echo("It is you master! <br><br>");
if( $msg == NULL )
{
echo("No New Messages<br><br><br>");
}
else
{
echo("You have a message: <br>");
echo "$msg <br><br><br>";
}

echo "Click <a href='" . "/Admin_Checkin/14795" . "'>Here</a> To access your control panel.<br><br><br>";  
echo "You have logged in $logcountpower times.";

//open logfile to write to 
$logfile=fopen("Admin_Checkin/logs/powerlog.html", "a");
//write the time of access
$time=date("H:i:s: dS F");
fwrite($logfile, "<b>Time of access:</b> $time<br>");
//write users ip
if( $REMOTE_ADDR != NULL )
{
fwrite($logfile, "<b>IP Address:</b> $REMOTE_ADDR <br>");
}
//write users forwarding url
if( $HTTP_REFERER != NULL)
{
fwrite($logfile, "<b>Referer:</b> $HTTP_REFERER <br>");
}
//write users browser info
fwrite($logfile, "<b>Browser Info:</b> $HTTP_USER_AGENT <hr><br>");

setcookie("auth","Verified_Power", time()+3600);
//header("Location:login.php"); exit();

//setcookie('login', $_REQUEST['username'].','.md5($_REQUEST['username'].$secret_word));




}
else if( $password != "test" )
{
$pwfail++;
echo("<hr>You have entered the wrong password, PowerHouse. <br>");
}
}
else if($username == "ThorSummoner")
{
If( $password == "test")
{
//read logon file
$thorlogfile="Admin_Checkin/logs/thorlogon.txt";
$logfile = fopen( $thorlogfile, "r");
$logfilesize = filesize ( $thorlogfile );
$logcountthor = fread( $logfile, $logfilesize );
$logcountthor++;
fclose($logfile);
//open file for writing
$logfile = fopen($thorlogfile, "w");
fwrite( $logfile, $logcountthor);

fclose($logfile);
echo("You are logged in. <br><br>");
echo("This is the Admin Portal Welcome Screen. <br><br>");
if( $logcountthor == 1)
{
echo "This is your first visit, yay! <br><br>";
}
//echo "$msg <br> <br>";

if( $msg == NULL )
{
echo("No New Messages<br><br><br>");

}
else
{
echo("You have a message: <br>");
echo "$msg <br><br><br>";
}

echo "Click <a href='" . "/Admin_Checkin/atfg4gc" . "'>Here</a> To access your control panel.<br><br><br>";  
echo "You have logged in $logcountthor times.";

//open logfile to write to 
$logfile=fopen("Admin_Checkin/logs/thorlog.html", "a");
//write the time of access
$time=date("H:i:s: dS F");
fwrite($logfile, "<b>Time of access:</b> $time<br>");
//write users ip
if( $REMOTE_ADDR != NULL )
{
fwrite($logfile, "<b>IP Address:</b> $REMOTE_ADDR <br>");
}
//write users forwarding url
if( $HTTP_REFERER != NULL)
{
fwrite($logfile, "<b>Referer:</b> $HTTP_REFERER <br>");
}
//write users browser info
fwrite($logfile, "<b>Browser Info:</b> $HTTP_USER_AGENT <hr><br>");

setcookie("auth","Verified_Thor", time()+3600);

}
else if( $password != "test" )
{
$pwfail++;
echo("You have entered the wrong password, ThorSummoner. <br>");
}

}
else if($username !== "PowerHouse" && $username !=="ThorSummoner")
{
echo("Who are you?");
}




?>
</center>
</body>
</html>

index.php
Code: [Select]
<?php


global $verified;
echo ($verified);

If( $verified == "TRUE" )
{
echo "You are verified";
}
else if( $verified != "TRUE" )
{
echo "You should not be here";
}
else if( $verified = NULL )
{
echo "Nulled out";
}
$cookie=$HTTP_COOKIE_VARS['auth'];

If( $cookie != "Verified_Power")
{
echo "No Cookie, or not correct cookie";
}

// A way to view all cookies
//print_r($_COOKIE);


?>
<html>
<head>
<Title>Power's Control Panel
</Title>
</head>
<body>
This is my control panel <BR>

test<br>
</body>
</html>
Any help would be greatly appreciated! Remember I am new so I am sure my code is poorly written. Please be polite.

Here I have three different pages. The first can be logged on as admin and you can choose to add entry and visit visitor log. (Do not use MySQL or other databases). All items and visitor log saved to file.
I am using sessions and what I have problem with is a password-protected administration section. (Authentication)
What I'm trying to make is that visitors will be able to see the items, but only admin can log in and only the admin should be able to add entries and visit visitor log.

what should I do?



index.php (where I log in with username: admin and pw:123)
<?php
session_start();

if(isset($_POST['LoutBtn']))
{
session_destroy();
}

if(isset($_POST['LoginBtn']))
{


//convert a string to all lower case letters.
//if user gives username with big letters still can login.
$user = strtolower($_POST['username']);
$pass = $_POST['password'];

if($user == 'admin' && $pass == '123')
{

$_SESSION['LogedIn'] = true;
print('Welcome admin');

?>

<table width="50"  align="right"  cellpadding="2" cellspacing="2">

<form method="POST" action="panel.php">
<tr>

<td><input type="submit" value="add post" name="PnlBtn" /></td>
</tr>
</form>

<form method="POST" action="stat.php">
<tr>

<td><input type="submit" name="showstat" value="visitorlog" /></td>
</tr>
</form>

</table>



<?php
     
}
elseif (empty($user) || empty($pass))
         
      
      {
  print('<font color="#FF0000">Please fill in username and password!<br/></font>');
    
      
      }
  
elseif ($_POST['username'] != 'admin'){
      
     
      print('<font color="#FF0000">wrong username<br/></font>');
    
      
      }
      
      elseif ($_POST['password'] != '123'){
      
   
      print('<font color="#FF0000">wrong password<br/></font>');

//elseif {

// print('<font color="#FF0000">The User Name And/Or Password is incorrect!
//  Please try again...<br/></font>');

//print('<a href="index.php">Back</a>');
}

  }

?>


<?PHP
/* define the blog content file name */
$filename = "myBlogContent.txt";
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<form method="post" action="index.php">

<table width="300" border="1" align="right" cellpadding="2" cellspacing="2">
<tr>
<td width="150">UserName:</td>
<td> <input type="text" name="username" size="20" />
</td>
</tr>
<tr>
<td width="150">Password</td>
<td><input type="password" name="password" size="20" /></td>
</tr>
<tr>
<td><input type="submit" value="Login" name="LoginBtn" />
</td>
</tr>
<tr>
<td><input type="submit" value="Logout" name="LoutBtn" /></td>
</tr>
</table>
</form>

<!-- CONTENT DIV -->
<div style="position:absolute; left: 100px; top: 100px; width: 400px;">

<?PHP

/* check to see if the file exists */
if (!file_exists($filename)) {

echo "The Blog Is Empty";

}else{

/* get the file lines into an array */

$BlogArray = file($filename);

/* count the number of blog entries */

$count = count($BlogArray);

$i=0;

while($i<$count) {

$new_array = explode("|", $BlogArray[$i]);

echo "Posted by: " . $new_array[1] . "<br>";

echo "Posted on: " .  date("m/d/y h:iA", time($new_array[0])) . "<br>";

echo 

"Title: " . $new_array[2] . "<br>";


echo $new_array[3] . "<hr>";


$i ++;


}
}
?>
</div>
</body>
</html>



panel.php (where I can add new items)

<?php
session_start();
   


//if(isset($_POST['LoutBtn'])){

//header ('Location: index.php');
//}

//print('<h1>Welcome admin</h1>');





?>





<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>



<form  action="content.php" method="post">
<table>


<tr><td>Blog entry posted by (Your name): </td><td><input type="text" name="who" size="20" maxlength="20" value=""></td></tr>

<tr><td>Title of this blog entry: </td><td><input type="text" name="title" size="40" maxlength="80" value=""></td></tr>


<tr><td>Content: </td><td><textarea name="content" rows="5" cols="40"></textarea></td></tr>


<tr><td clospan="2"><input type="submit" value="Submit"></td></tr>

<tr><td clospan="2"><input type="submit" name="showstat" value="visitorlog" /></td></tr>

<tr><td clospan="2"><input type="submit" value="Logout" name="LoutBtn" /></td></tr>
</table>







</form>
<a href="index.php">View</a><br>


</body>
</html>





content.php (Location: panel.php)


<?PHP
/* obtain the form data */
$who = $_POST['who'];
$title = $_POST['title'];
$content = $_POST['content'];
$content = str_replace(array("\r\n", "\r", "\n"), "<br>", $content); 

/* create timestamp variable for current date and time */
$when_ts = time(); 

/* define the blog content file name */
$filename = "myBlogContent.txt";

/* prepare the variables for adding to the file */

$new_line_content = $when_ts . "|" . $who . "|" . $title . "|" . $content . "\n";

/* open the file in the APPEND MODE */
$fh = fopen($filename, 'a+') or die("can't open file");

/* add the new content */
fwrite($fh, $new_line_content); 

/* close the file */
fclose($fh); 

 header("Location: panel.php");
//exit; // Closes further script execution . 
?>


stat.php (visitorlog)


<?php
 session_start();


if(isset($_POST['home'])){

?>
<p> <input type="submit" name="home" value="Hem" /></p>
 <?php
}
?>
        

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
   
  <form action="index.php" method="post">
<p> <input type="submit" name="home" value="Hem" /></p>
</form>


<?php
 
$ipaddress = $_SERVER['REMOTE_ADDR'];
$page = "http://{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}"; 
$referrer = $_SERVER['HTTP_REFERER'];
$datetime = mktime();
$useragent = $_SERVER['HTTP_USER_AGENT'];
$remotehost = @getHostByAddr($ipaddress);



?>

<?php
// Create log line
// Create log line
$logline = $ipaddress . '|' . $referrer . '|' . $datetime . '|' . $useragent . '|' . $remotehost . '|' . $page . "\n"; 
// Write to log file:
$logfile = 'logfile.txt';

// Open the log file in "Append" mode
if (!$handle = fopen($logfile, 'a+')) {
    die("Failed to open log file");
}

// Write $logline to our logfile.
if (fwrite($handle, $logline) === FALSE) {
    die("Failed to write to log file");
}
  
fclose($handle);  

?>
    <?php
// Open log file
$logfile = "logfile.txt";

if (file_exists($logfile)) {
    
    $handle = fopen($logfile, "r");
    $log = fread($handle, filesize($logfile));
    fclose($handle);
} else {
    die ("The log file doesn't exist!");
} 
// Seperate each logline
$log = explode("\n", trim($log)); 
// Seperate each part in each logline
for ($i = 0; $i < count($log); $i++) {
    $log[$i] = trim($log[$i]);
    $log[$i] = explode('|', $log[$i]);
} 

echo count($log) . " people have visited this website.". "<br>" . "<br>";  


?>
    
    <?php
// Show a table of the logfile

//echo 'IP Address'. "<br>" . "<br>";
//echo 'Referrer'. "<br>" . "<br>";
//echo 'Date'. "<br>" . "<br>";
//echo 'Useragent'. "<br>" . "<br>";
//echo 'Remote Host'. "<br>" . "<br>";

foreach ($log as $logline) {

    echo '' . $logline['0'] . "<br>" . "<br>";
    echo '' . urldecode($logline['1']) . "<br>" . "<br>";
    echo '' . date('d/m/Y H:i:s', $logline['2']) . "<br>" . "<br>";
    echo '' . $logline['3'] . "<br>" . "<br>";
    echo '' . $logline['4'] . "<br>" . "<br>";



}


?>

</body>
</html>

Pardon my noobness, but I'm learning to wrap AJAX into my work and use it to get XML instead of "static" PHP that generates the HTML.  The login/security portion has my head spinning, but it's probably not as difficult as I think and I'm probably just confusing myself. 

In the past, for each PHP page in my site, I would perform a quick salted login check based on the username/password stored in the $_SESSION variables.  Perhaps it was a bit overboard to check on each page, but, well, I did it.

With AJAX, I *NEED* to ensure that the php resulting from an AJAX POST request won't run if the user isn't authenticated, and I need to ensure that they didn't just somehow force a $_SESSION variable to reflect an authenticated session.  I also need to ensure that someone can't just load up the PHP page on it's own, somehow send a POST to it and run it without being authenticated. 

I suppose that beyond the larger picture of "How do I ensure that the user is authenticated, the POST request is authentic, and nobody has forced a change in the $_SESSION stored on the server, I have a few specific questions. 

I know that in part I'm confused about the whole cookie/SESSION process.  In my old PHP site, the SESSION number was stored on the cookie on the user's machine.  If the info is sent via AJAX, does the PHP get the SESSION info from the cookie or does it have to be explicitly sent?  With potentially several users sending AJAX requests at the same time, how will my PHP know which SESSION to use for each request?

Is is secure enough to set an "Autheticated" flag in $_SESSION once the user is authenticated the first time?   Is it really just as simple as sending a username/salted password hash as AJAX/POST and setting an authenticated flag in the SESSION to ensure that the rest of the AJAX application runs without allowing someone to back-door the PHP?