in reply to Re^16: global var
in thread global var

Test Program Error Log

Can't find the Padre log file.

Real Program Error log:

found:/home/jalamior/www/httpsdocs/cgi-bin/lib/perl/manageusers.pm at update_tables-development.cgi line 41.
Tue Apr 11 11:26:22 2017 update_tables-development.cgi: found:/home/jalamior/www/httpsdocs/cgi-bin/lib/perl/manageusers.pm at update_tables-development.cgi line 41.
Can't opendir /usr/local/apache/lib/perl: No such file or directory at update_tables-development.cgi line 38.
Tue Apr 11 11:26:22 2017 update_tables-development.cgi: Can't opendir /usr/local/apache/lib/perl: No such file or directory at update_tables-development.cgi line 38.

Line 30:

use manageusers qw($LoggedOn_user_id);
{
    use strict;
    use warnings;
    # Diagnostic: walk @INC and report every directory that holds manageusers.pm,
    # so we can see which copy of the module actually got loaded.
    my %wanted;
    $wanted{manageusers} = 1;
    for my $inc (@INC) {
        opendir(my $dh, $inc) || warn "Can't opendir $inc: $!";
        while (my $file = readdir $dh) {
            if ($file =~ m/(.*)[.]pm$/) {
                if ($wanted{$1}) {
                    warn 'found:' . $inc . '/' . $file;
                }
            }
        }
        closedir $dh;
    }
}

You say: "and saying 'And later I populate the variable with the desired data' is easy, proving it is not as easy. So cut and paste ALL of manageusers::OpenConnection() and ALL of every subroutine it calls to prove that you do set $manageusers::LoggedOn_user_id properly every time and don't set it back to zero somewhere else."

I don't understand the question. Searching all files for manageusers::OpenConnection(); yields 10 hits:

manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();
manageusers::OpenConnection();

They all call the same function:

#-------------------------------------------------------------------------------
# Database Connection Functions
#-------------------------------------------------------------------------------
# FUNCTION:    OpenConnection()
# DESCRIPTION: Connect to the MySQL database
#-------------------------------------------------------------------------------
sub OpenConnection {
    my $localtimenow = localtime(Now());
    # $dbh, $dsn, $sql_username and $sql_password are package globals
    $dbh = DBI->connect($dsn, $sql_username, $sql_password)
        or ErrorMessage("Could not connect to the database.");
    warn("Open Connection-JustBefore returning database handle: '$dbh' Current Time: '$localtimenow'");
    return $dbh;
}

You say: "prove that you do set $manageusers::LoggedOn_user_id properly every time and don't set it back to zero somewhere else"

It is only populated at two places. For a new logged-on user it gets the id from the session table. For an already logged-on user (cookie expires in 7 days) it gets the ID from the session table based on the SID lookup.

New login:

warn("Hash evaluation succeded - $passhash = $passhash1 : $sessiondata2 = $sessiondata2md5p");
my $timein = time();
$session->param('user_id', $uid);
$session->param('username', $username);
$session->param('forename', $forename);
$session->param('lastname', $lastname);
$session->param('timein', $timein);
$session->param('timeout', 0);
$session->param('attempts', 0);
$session->param('isloggedin', 1);
$session->expires('+7d');
$LoggedOn_user_id = $uid;    #$session->param("user_id");

Already logged on:

if ($status == 1) {
    warn("Process Login returning after confirmed already logged in: status: '$status' sessionname: '$sessionname' SID: '$sid'");
    my $username1 = $session->param("user_id");
    warn("username1 : '$username1'");
    $LoggedOn_user_id = $username1;
    warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'");
    # ... (rest of the branch not shown in this post)

Re^18: global var
by huck (Prior) on Apr 11, 2017 at 18:33 UTC

    Are those log messages from both the one that was failing and the one that worked? It's hard to tell.

    IF the only thing you call in the working example is manageusers::OpenConnection(), then why do you expect $manageusers::LoggedOn_user_id to be anything but zero? So you have yet to prove that you are actually setting $manageusers::LoggedOn_user_id by code that is being run anywhere. Show us all of the subroutines that contain the following code and any subroutines they call:

    New login:

    warn("Hash evaluation succeded - $passhash = $passhash1 : $sessiondata2 = $sessiondata2md5p");
    my $timein = time();
    $session->param('user_id', $uid);
    $session->param('username', $username);
    $session->param('forename', $forename);
    $session->param('lastname', $lastname);
    $session->param('timein', $timein);
    $session->param('timeout', 0);
    $session->param('attempts', 0);
    $session->param('isloggedin', 1);
    $session->expires('+7d');
    $LoggedOn_user_id = $uid;    #$session->param("user_id");

    Already logged on:

    if ($status == 1) {
        warn("Process Login returning after confirmed already logged in: status: '$status' sessionname: '$sessionname' SID: '$sid'");
        my $username1 = $session->param("user_id");
        warn("username1 : '$username1'");
        $LoggedOn_user_id = $username1;
        warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'");
    In particular where $uid gets set before you run $LoggedOn_user_id = $uid;.

    And I can become any user I want to be by manipulating the user_id parm I send back to you; that doesn't seem very secure, does it? It is easy to create code that sends back any value I want in the user_id field.

      "Are those log messages from both the one that was failing and the one that worked? It's hard to tell."

      The one that failed. No log from the one that worked. Ran in Padre and can't find the log.

      "You have yet to prove that you are actually setting $manageusers::LoggedOn_user_id by code that is being run anywhere."

      The two code blocks above do exactly that.

      Entire code at the end, filled with comments.

      You say: "In particular where $uid gets set before you run $LoggedOn_user_id = $uid;."

      $uid is populated earlier in processing a new logon.

      "and i can become any user i want to be by manipulating the user_id parm i send back to you, that doesn't seem very secure does it? It is easy to create code that sends back any value i want in the user_id field"

      That makes no sense to me. When a legitimate user tries to log in, the username and password are encrypted and sent back for comparison to the username/password from the database as encrypted by the same algorithm on the server.

      #-------------------------------------------------------------------------------
      # FUNCTION:    ProcessLoginRequest($query)
      # DESCRIPTION: Client requests log in: create session and send encryption data
      #-------------------------------------------------------------------------------
      sub ProcessLoginRequest {
          my ($query) = @_;
          my $status = 0;
          # $sessionname = 'CGISESSID';
          # my %cookies = CGI::Cookie->fetch;
          # my $sid = $cookies{$sessionname}->value;
          my $sid = GetUserSessionCookie();
          warn("ProcessLoginRequest Query: '$query'");
          warn("ProcessLoginRequest SID from cookie: '$sid'");
          # Check if it got a valid return from fetch cookie
          if ($sid ne 0) {
              $status = 1;
          }
          # Or, check if valid return from cgi query
          elsif ($query) {
              # if (exists $query{$sessionname}) {
              $sid = $query->param($sessionname);
              if ($sid) {
                  warn("ProcessLogin Request SID from Query: '$sid'");
                  $status = 1;
              }
              else {
                  $sid = undef;
                  $status = 2;
              }
          }
          else {
              # Set up for creating a new session
              $sid = undef;
              $status = 2;
          }
          # $sid = '7032f2c7f5a2c721a483dc75fc29595e';
          # NOTE: new() hands back a fresh, empty session whenever $sid is unknown
          # or expired; nothing below checks that $session->id still equals $sid.
          $session = new CGI::Session("driver:MySQL", $sid, {Handle => $dbh});
          warn("session = '$session'");
          OpenSession($dbh, $sid);
          $session->param("#<expires>#", 0);
          $session->param("isloggedin", 0);
          $session->flush();
          $sid = $session->id();
          warn("ProcessLogin Request SID from from session create: '$sid'");
          my $sessiondata1 = $sid;    # id created by CGI::Session
          if ($status == 1) {
              warn("Process Login returning after confirmed already logged in: status: '$status' sessionname: '$sessionname' SID: '$sid'");
              my $username1 = $session->param("user_id");
              warn("username1 : '$username1'");
              #my ($digits) = $text =~ /(\d+)/;
              #my ($user_id) = $username1 =~ /(\d+)/;
              #my $text = $username1;
              #$text =~ m/(\d+)/;
              #my $num = $1;
              #warn("num: '$num'");
              #$username1 =~ m/(\d+)/;
              $LoggedOn_user_id = $username1;
              warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'");    #$LoggedOn_user_id = 428;
              $adminaccess = ($username1 eq "admin");
              warn("username1: '$username1'");
              warn("adminaccess: '$adminaccess'");
              $session->param("isloggedin", 1);
              $session->param('timein', time());
              $session->flush();
              return (1, "Your previous session is still valid. You are now logged in.", $sid, 0);
          }
          warn("Process Login after verify not logged in and new session: status: '$status' sessionname: '$sessionname' SID: '$sid'");
          # Random hash for encoding password
          my $seed_number = CreateRandomSequence(10, 1);
          my $seed_string = CreateRandomSequence(10, 0);
          my $sessiondata2 = md5_hex($ipaddress . $seed_number . $seed_string);
          $session->param('sessiondata2', $sessiondata2);
          $session->expires('+7d');
          # Expires($session, Now() + 600);
          $session->flush();
          my $localtimenow = localtime(Now());
          warn("Process Login Request localtime(rightnow) = '$localtimenow'");
          return (2, $sessionname, $sessiondata1, $sessiondata2);
      }

      sub LoginUser {
          my ($query) = @_;
          my ($day, $month, $year) = (localtime())[3, 4, 5];
          my $localtimenow = localtime(Now());
          $month = $month + 1;
          $year  = $year + 1900;
          warn("Day: '$day' Month: '$month' Year: '$year'");
          my $currentdate = sprintf("%04d-%02d-%02d", $year, $month, $day);
          # warn("LoginUser-JustBefore Open Session Current Time: '$localtimenow'");
          my $sid = $query->param('CGISESSID');
          if (!$sid) {
              warn("Invalid SID at LoginUser ");
              return 0;
          }
          warn("LoginUser-JustBefore Open Session Current Time: '$localtimenow'");
          OpenSession($dbh, $sid);
          warn("LoginUser session: '$session' sid: '$sid'");
          my ($result, $login_timeout) = checkTimeinAttempts();
          warn("Returned result LoginUsercheckTimeinAttempts $result");
          if (($result == 0) || ($result == 4) || ($result == 5)) {
              if ($result == 5) {
                  warn("Returned result 5: $result");
                  # $session->delete();
                  # $session->flush();
                  return ($result, $login_timeout);
              }
              else {
                  warn("Returned result other than 5: '$result'");
                  # $session->delete();
                  # $session->flush();
                  return $result;
              }
          }
          my $username     = $query->param("username");
          my $sessiondata2 = $query->param("sessiondata2");
          my $passhash     = $query->param("passhash");
          $adminaccess = ($username eq "admin");
          warn("For AdminControl: $username");
          warn("For AdminControl: $adminaccess");
          # NOTE: $username comes straight from the request and is interpolated
          # into the SQL string unquoted; a DBI placeholder would avoid that.
          my $SQL = qq|select user_id, password, forename, lastname, expire from $sql_user_table where username = '$username'|;
          warn("Ready to execute SQL: $SQL");
          warn("LoginUser-JustBefore Execute Query Current Time: '$localtimenow'");
          my $sth = ExecuteQuery($SQL);
          my ($uid, $password, $forename, $lastname, $expiredate) = $sth->fetchrow_array();
          $sth->finish;
          warn("LOGIN ATTEMPT USER INFORMATION Uid: $uid username: $username password: $password ipaddress: $ipaddress");
          # if we get an invalid username, disconnect and return without access
          if (!$uid) {
              warn("Invalid Password manageusers Retrun 0");
              # $session->delete();
              # $session->flush();
              return 0;
          }
          # if the user's expire date is less than the current date, disconnect and
          # return without access
          # strip characters so a numeric comparison can be made
          $expiredate  =~ s/-//g;
          $currentdate =~ s/-//g;
          warn(" Expire Date: '$expiredate' Current Date: '$currentdate' ");
          if ($expiredate < $currentdate) {
              # $session->delete();
              # $session->flush();
              return 2;
          }
          else {
              $sid = $session->id();
              my $sessiondata2s = $session->param('sessiondata2');
              # warn("sessiondata2 from session: '$sessiondata2s'");
              my $sessiondata2md5p = md5_hex($password . $sessiondata2s);
              my $passhash1        = md5_hex($password . $username);
              if (($passhash ne $passhash1) || ($sessiondata2 ne $sessiondata2md5p)) {
                  warn("SID: '$sid' username: '$username' password: '$password'");
                  warn("Hash evaluation failed - $passhash = $passhash1 : $sessiondata2 = $sessiondata2md5p");
                  # $session->delete();
                  # $session->flush();
                  return 0;
              }
              warn("Hash evaluation succeded - $passhash = $passhash1 : $sessiondata2 = $sessiondata2md5p");
              my $timein = time();
              $session->param('user_id', $uid);
              $session->param('username', $username);
              $session->param('forename', $forename);
              $session->param('lastname', $lastname);
              $session->param('timein', $timein);
              $session->param('timeout', 0);
              $session->param('attempts', 0);
              $session->param('isloggedin', 1);
              $session->expires('+7d');
              $LoggedOn_user_id = $uid;    #$session->param("user_id");
              #$LoggedOn_user_id = $username =~ /(\d+)/;
              warn("New User Login LoggedOn_user_id : '$LoggedOn_user_id'");    #$LoggedOn_user_id = 428;
              #Expires($session, Now() + (86400*7));
              AccessInOutLog($session);    #Added 02/18/05
              my $isloggedin = $session->param('isloggedin');
              warn("Login User : SID '$sid' Session Logged In '$isloggedin'");
              $session->flush();
              # Set session cookie on client
              SetUserSessionCookie('CGISESSID', $sid);
              my $gmtimenow    = gmtime(Now());
              my $localtimenow = localtime(Now());
              return 3;
          }
      }

        "The two code blocks above do exactly that."

        No they do not prove anything, you did not show us where that code was, how it was called, nor did you call it in your example.

        In the code you just showed us there are many reasons those code segments can be skipped, leaving $LoggedOn_user_id set to its initial 0.

        regarding $LoggedOn_user_id being undef

        at

        # $sid = '7032f2c7f5a2c721a483dc75fc29595e';
        $session = new CGI::Session("driver:MySQL", $sid, {Handle => $dbh});
        you don't check to see if $session->id() ne $sid. If they are not the same it is because either the $sid never existed or that session has expired. In either of those cases a new session collection and session id is created, and when you try to use my $username1 = $session->param("user_id"); to set $LoggedOn_user_id = $username1; it will be undef, as the following code demonstrates.
        #!/usr/bin/perl
        use strict;
        use warnings;
        select STDOUT; $| = 1;
        use CGI;
        use CGI::Session;

        my $existn = 0;
        my $sid = make_first();      # create a session that expires in 15 seconds
        sleep 10;
        find_if_exist($sid);         # still valid: same id, user_id set
        sleep 20;
        find_if_exist($sid);         # expired: new id handed back, user_id undef
        find_if_exist('abcd');       # never existed: same thing
        exit;

        sub make_first {
            my $session = new CGI::Session(undef, undef, {Directory => '.'});
            my $sid = $session->id;
            $session->expires('+15s');
            $session->param('user_id', time);
            $session->flush();
            return $sid;
        }

        sub find_if_exist {
            my $sid0 = shift;
            $existn++;
            print '******Exist call:' . $existn . "\n";
            my $session = new CGI::Session(undef, $sid0, {Directory => '.'});
            my $sid  = $session->id;
            my $user = $session->param('user_id');
            unless (defined $user) { $user = 'undef-as-string'; }
            unless ($sid0 eq $sid)  { print "********different "; }
            print 'sid0:' . $sid0 . ' sid:' . $sid . "\n";
            print 'user:' . $user . "\n\n";
        }
        result
        ******Exist call:1
        sid0:2bd4a7c8d0001e49e97dc332d6bf619e sid:2bd4a7c8d0001e49e97dc332d6bf619e
        user:1491953482

        ******Exist call:2
        ********different sid0:2bd4a7c8d0001e49e97dc332d6bf619e sid:bcd0c39467ce09c5b5be9910f9e1798b
        user:undef-as-string

        ******Exist call:3
        ********different sid0:abcd sid:2dd5bc5bc5e297150b1e4c7f58166135
        user:undef-as-string
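A hardened version of the resume step the reply above describes, as an added example that is not code from the thread: it uses CGI::Session's load() instead of new() so an unknown or expired id is never silently replaced by a fresh session, and it only accepts a user_id the server stored at login time. It assumes CGI::Session 4.x (where load, is_expired and is_empty exist); the function name resume_logged_in_session, the file driver under /tmp and the user id 428 are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not the thread's code). Resume a CGI::Session only when the
# store actually holds the id the client presented, it has not expired, and the
# server marked it logged in. Assumes CGI::Session 4.x (load/is_expired/is_empty).
use strict;
use warnings;
use CGI::Session;

# Returns ($session, $user_id); $user_id is undef unless every check passes,
# so a fresh empty session can never be mistaken for a login.
sub resume_logged_in_session {
    my ($dsn, $sid, $opts) = @_;

    # load() does not create a session for an unknown or expired id, unlike
    # new(), which silently hands back a fresh empty one with a new id.
    my $session = CGI::Session->load($dsn, $sid, $opts)
        or die "session store error: " . CGI::Session->errstr;

    if ($session->is_expired || $session->is_empty) {
        $session = $session->new;    # start clean; the caller must log in again
        return ($session, undef);
    }

    # Belt and braces: the id we got back must be the id the client sent.
    return ($session, undef) unless defined $sid && $session->id eq $sid;

    # Trust only state the server wrote at login time, never a request parameter.
    my $uid       = $session->param('user_id');
    my $logged_in = $session->param('isloggedin');
    return ($session, undef)
        unless defined $uid && $uid =~ /^\d+$/ && $logged_in;

    return ($session, $uid);
}

# Constructed usage with the file driver (no database needed): a real login,
# then an id that never existed, as in the demonstration above.
my $opts  = { Directory => '/tmp' };    # constructed location
my $fresh = CGI::Session->new('driver:file', undef, $opts);
$fresh->param('user_id', 428);          # constructed user id
$fresh->param('isloggedin', 1);
$fresh->expires('+7d');
$fresh->flush;

for my $try ($fresh->id, 'abcd') {
    my ($s, $uid) = resume_logged_in_session('driver:file', $try, $opts);
    printf "sid %s -> user_id %s\n", $try, defined $uid ? $uid : 'undef';
}
```

The second call gets an undef user_id rather than a new session's empty value, which is exactly the case where $LoggedOn_user_id would otherwise end up undef or stay at its initial 0.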