are those log messages from both the one that was failing and the one that worked? its hard to tell. The one that failed. No log from the one that worked . Ran in Padre and can't find log.
"You have yet to prove that you are actually setting $manageusers::LoggedOn_user_id by code that is being run anywhere."
The rwo code blocks above do exactly that.
Entire code at end Filled with comments
You say: In particular where $uid gets set before you run $LoggedOn_user_id = $uid; .
$uid is popuated earlier in processing a new logon.
"and i can become any user i want to be by manipulating the user_id parm i send back to you, that doesn't seem very secure does it? It is easy to create code that sends back any value i want in the user_id field"
That makes no sense to me. When a legitimate user tries to log in, the username and password are encrypted and sent back for comparison to the username/password from the database as encrypted by the same algorithm on the server.
#--------------------------------------------------------------------- +---------- # FUNCTION: ProcessLogonRequest($query) # DESCRIPTION: Client requests log in: create session and send encrypt +ion data #--------------------------------------------------------------------- +---------- sub ProcessLoginRequest { my ($query) = @_; my $status = 0; # $sessionname = 'CGISESSID'; # my %cookies = CGI::Cookie->fetch; # my $sid = $cookies{$sessionname}->value; my $sid = GetUserSessionCookie(); warn("ProcessLoginRequest Query: '$query'"); warn("ProcessLoginRequest SID from cookie: '$sid'"); #Check if it got valid return from fetch cookie if ($sid ne 0){ $status = 1; } #Or, check if valid return from cgi query elsif($query){ # if (exists $query{$sessionname}){ $sid = $query->param($sessionname); if ($sid){ warn("ProcessLogin Request SID from Query: '$sid'"); $status = 1; } else{ $sid = undef; $status = 2; } } else { #Set up for creating a new session $sid = undef; $status = 2; } # $sid = '7032f2c7f5a2c721a483dc75fc29595e'; $session = new CGI::Session("driver:MySQL", $sid, {Handle=>$dbh}); warn("session = '$session'"); OpenSession($dbh,$sid); $session->param("#<expires>#",0); $session->param("isloggedin",0); $session->flush(); $sid = $session->id(); warn("ProcessLogin Request SID from from session create: '$sid'"); my $sessiondata1 = $sid; #id created by CGI::Session; if ($status == 1) { warn("Process Login returning after confirmed already logged in: s +tatus: '$status' sessionname: '$sessionname' SID: '$sid'"); my $username1 = $session->param("user_id"); warn("username1 : '$username1'"); #my ($digits) = $text =~ /(\d+)/; #my ($user_id) = $username1 =~ /(\d+)/; #my $text = $username1; #$text =~ m/(\d+)/; #my $num = $1; #warn("num: '$num'"); #$username1 =~ m/(\d+)/; $LoggedOn_user_id = $username1; warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'"); + #$LoggedOn_user_id = 428; $adminaccess = ($username1 eq "admin"); warn("username1: '$username1'"); warn("adminaccess: '$adminaccess'"); $session->param("isloggedin",1); $session->param('timein', time()); $session->flush(); return (1, "Your previous session is still valid. You are now logg +ed in.", $sid, 0); } warn("Process Login after verify not logged in and new session: stat +us: '$status' sessionname: '$sessionname' SID: '$sid'"); #Random hash for encoding password my $seed_number = CreateRandomSequence(10, 1); my $seed_string = CreateRandomSequence(10, 0); my $sessiondata2 = md5_hex($ipaddress . $seed_number . $seed_string) +; $session->param('sessiondata2',$sessiondata2); $session->expires('+7d'); # Expires($session, Now() + 600); $session->flush(); my $localtimenow = localtime(Now()); warn("Process Login Request localtime(rightnow) = '$localtimenow'"); return (2, $sessionname, $sessiondata1, $sessiondata2); }
sub LoginUser { my ($query) = @_; my ($day, $month, $year) = (localtime())[3,4,5]; my $localtimenow = localtime(Now()); $month = $month + 1; $year = $year + 1900; warn("Day: '$day' Month: '$month' Year: '$year'"); my $currentdate = sprintf("%04d-%02d-%02d",$year,$month,$day); # warn("LoginUser-JustBefore Open Session Current Time: '$localtim +enow'"); my $sid = $query->param('CGISESSID'); if (!$sid){ warn("Invalid SID at LoginUser "); return 0; } warn("LoginUser-JustBefore Open Session Current Time: '$localtime +now'"); OpenSession($dbh,$sid); warn("LoginUser session: '$session' sid: '$sid'"); my ($result, $login_timeout) = checkTimeinAttempts(); warn("Returned result LoginUsercheckTimeinAttempts $result"); if (($result == 0) || ($result == 4) || ($result == 5)) { if ($result == 5) { warn("Returned result 5: $result"); # $session->delete(); # $session->flush(); return ($result, $login_timeout); } else{ warn("Returned result other than 5: '$result'"); # $session->delete(); # $session->flush(); return $result; } } my $username = $query->param("username"); my $sessiondata2 = $query->param("sessiondata2"); my $passhash = $query->param("passhash"); $adminaccess = ($username eq "admin"); warn("For AdminControl: $username"); warn("For AdminControl: $adminaccess"); my $SQL = qq|select user_id, password, forename, lastname, expire +from $sql_user_table where username = '$username'|; warn("Ready to execute SQL: $SQL"); warn("LoginUser-JustBefore Execute Query Current Time: '$localtim +enow'"); my $sth = ExecuteQuery($SQL); my ($uid,$password,$forename,$lastname,$expiredate) = $sth->fetchr +ow_array(); $sth->finish; warn ("LOGIN ATTEMPT USER INFORMATION Uid: $uid username: $usernam +e password: $password ipaddress: $ipaddress"); # if we get an invalid username disconnect,disconnect and return w +ithout access if (!$uid) { warn("Invalid Password manageusers Retrun 0"); # $session->delete(); # $session->flush(); return 0; } # if the users expire date is less then the current date, disconne +ct and # return without access #strip characters so numeric comparison caan be made $expiredate =~ s/-//g; $currentdate =~ s/-//g; warn(" Expire Date: '$expiredate' Current Date: '$currentdate +' "); if($expiredate < $currentdate){ # $session->delete(); # $session->flush(); return 2; } else { $sid = $session->id(); my $sessiondata2s = $session->param('sessiondata2'); # warn("sessiondata2 from session: '$sessiondata2s'"); my $sessiondata2md5p = md5_hex($password . $sessiondata2s); my $passhash1 = md5_hex($password . $username); if (($passhash ne $passhash1) || ($sessiondata2 ne $sessiondata2md5p)) { warn ("SID: '$sid' username: '$username' password: '$password +'"); warn("Hash evaluation failed - $passhash = $passhash1 : $sess +iondata2 = $sessiondata2md5p"); # $session->delete(); # $session->flush(); return 0; } warn("Hash evaluation succeded - $passhash = $passhash1 : $sess +iondata2 = $sessiondata2md5p"); my $timein = time(); $session->param('user_id',$uid); $session->param('username',$username); $session->param('forename', $forename); $session->param('lastname', $lastname); $session->param('timein', $timein); $session->param('timeout', 0); $session->param('attempts',0); $session->param('isloggedin',1); $session->expires('+7d'); $LoggedOn_user_id = $uid; #$session->param("user_id"); #$LoggedOn_user_id = $username =~ /(\d+)/; warn("New User Login LoggedOn_user_id : '$LoggedOn_user_id'"); + #$LoggedOn_user_id = 428; #Expires($session, Now() + (86400*7)); AccessInOutLog($session); #Added 02/18/05 my $isloggedin = $session->param('isloggedin'); warn("Login User : SID '$sid' Session Logged In '$isloggedin' +"); $session->flush(); #Set session cookie on client SetUserSessionCookie('CGISESSID', $sid); my $gmtimenow = gmtime(Now()); my $localtimenow = localtime(Now()); return 3; } }
In reply to Re^19: global var
by tultalk
in thread global var
by tultalk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |