
 automatic logout

Ron Borkent
Posted: 01/13/2002, 4:06 AM

Since the security procedure of CC only checks level after login I have a problem. When a user from department A logs in and has level 2 security this is stored. Now he goes to a page from department B that requires level 2 security for their users and he is still able to access that page because the level variable is stored and it thinks: he's got level 2 access so it's ok.
I want the user to automatically be logged out when he leaves a secured space so he cannot get access to another department's secure area without having to log in again.
I thought of using more than 3 levels of security, the standard CC login levels, but that doesn't work. As long as the level is higher than required the user will gain access. Maybe if the security wouldn't do a '>=' check but an 'is between x and Y' check this would work.

Any ideas on how to fix this?
Ken Hardwick
Posted: 01/13/2002, 6:22 AM

Ron,
If I understood your question/problem correctly, I have a similar type of problem at work. I have designed several web applications with CodeCharge for which each one "should" have its own login/security. However, by default, CodeCharge uses two session variables: Session("userid") and Session("userRights").
And, without making any modification, if a user logs into one web application, then switches over to a second web application without logging off, these two session variables still have their original values... which means they are now "logged in" to this second application, which they have not actually logged into yet.

OK, here is what I have started doing: in the "login" form, in the three custom events (custom Show, custom Login and custom Logout), I change the name of the session variable to something unique for each application.
Something like: session("user_ID") has now been changed to session("user_id_app1"), and likewise for user_rights...

for custom login....

'-------------------------------
sLogin = GetParam("Login")
sPassword = GetParam("Password")
bPassed = CLng(DLookUp("Members", "count(*)", "Member_Name =" & ToSQL(sLogin, "Text") & " and Project_ID=" & ToSQL(sPassword, "Text")))

if bPassed > 0 then
    '-------------------------------
    ' Login and password passed
    '-------------------------------
    Session("UserID_App1") = sLogin
    Session("UserRights_App1") = CLng(DLookUp("Members", "Project_ID", "Member_Name =" & ToSQL(sLogin, "Text") & " and Project_ID=" & ToSQL(sPassword, "Text")))
    cn.Close
    Set cn = Nothing
    if not(sPage = request.serverVariables("SCRIPT_NAME")) and not(isEmpty(sPage)) then
        response.redirect(sPage & "?" & sQueryString)
    end if
    response.redirect(".asp")
else
    sFormErr = "Login or Password is incorrect."
end if
'-------------------------------


Then same changes need to be made for the other two custom events.


Also, you will need to modify the CheckSecurity function that is in the generated common.asp page: copy the created function, paste it into the global function area, and then replace these two session names with their new names.
See example below...

Note: once you have added this function to the global functions and generated the common.asp file, you will find this CheckSecurity function twice: once as the original and once as the one you added to the global functions. This second one is the one that is used. Not sure why, but this makes it easy to modify the "original" functions...


function CheckSecurity(iLevel)
    if Session("UserID_App1") = "" then
        cn.Close
        Set cn = Nothing
        response.redirect(".asp?QueryString=" & toURL(request.serverVariables("QUERY_STRING")) & "&ret_page=" & toURL(request.serverVariables("SCRIPT_NAME")))
    else
        if CLng(Session("UserRights_App1")) < CLng(iLevel) then
            cn.Close
            Set cn = Nothing
            response.redirect(".asp?QueryString=" & toURL(request.serverVariables("QUERY_STRING")) & "&ret_page=" & toURL(request.serverVariables("SCRIPT_NAME")))
        end if
    end if
end function


I believe this should resolve your problem. If not, please repost your question.

Ken Hardwick
www.kenhardwick.
Norman, OK
ken@kenhardwick.com

Ron Borkent
Posted: 01/13/2002, 7:32 AM

My problem is exactly as you described it. I was thinking that it should be possible to let PHP check if a user is still within a certain domain and if not automatically log out with session_unregister("UserRights") and session_unregister("UserId"). I use different URLs for each project, e.g.:
financial department is in http:\localhost\intranet\FZ
Personnel department is in http:\localhost\intranet\PO
Wouldn't it be possible to let PHP check this and if a user that logged on in the financial URL goes to personnel, he is automatically logged out?

Ken Hardwick
Posted: 01/13/2002, 7:55 AM

With respect to checking the URL logged into...
You could, in each application, at login, set a session variable.
On successful login, for the application under the FZ directory:

session("url") = "FZ"

Then in the check security function, add at the beginning of the function:

if Session("url") <> "FZ" then
    Session("UserID") = ""
    Session("UserRights") = ""
end if


Ken Hardwick
Ron Borkent
Posted: 01/13/2002, 1:29 PM

I took your lead and solved it. Your example was in ASP, I believe, so I had to tinker around somewhat.

I do a custom login, after adding the field domain in my login table.
It now gets id, level and domain from the table and puts it into session variables UserId, UserRights and DomainRights.

Then for each secured page I do custom security where besides the check_rights() I added:

if (get_session("DomainRights") <> "fz")
{
    session_unregister("UserId");
    session_unregister("UserRights");
    header("Location: loginfail.php");
    exit; // stop here so the rest of the secured page is not sent after the redirect
}

So now the user gets redirected to a page that tells him he has to log in again and gives him the opportunity to do so.

Thanks for your help

Ron
oishyasan
Posted: 03/19/2002, 8:46 AM

Ken,

I have tried this out - it works fine, but there is still the problem that a user can just log out of the first and log in at the other site's login section.
I have decided that making a new table for the members' login details for each new portal is the best way to go - including the system you have outlined.

For example, for Portal X: make table: portal_x_login: login, password, member_id and for the general members table with all the other details. At registration, the general table will be inserted with the details, then just the login details will be inserted into the portal_x_login table. Then only people who registered for that portal can login at that portal.

What do you think? It requires extra code at registration/change to insert/update the new table, but is there any other solution when using the same members table?

Regards
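
One way to do the per-department check discussed in this thread with a single members table, as an added example that is not part of any post here or of CodeCharge's generated code: rights are stored in the session under a domain key, and login only succeeds when a (login, domain) row exists. The function names, the session layout and the sample rows are assumptions, and the code targets PHP 7 or later.

```php
<?php
// Constructed sample rows: one row per (login, domain), as in a members
// table with an added "domain" column. Passwords are constructed values.
$members = [
    ['login' => 'ron', 'domain' => 'FZ', 'level' => 2,
     'hash' => password_hash('fz-secret', PASSWORD_DEFAULT)],
    ['login' => 'ann', 'domain' => 'PO', 'level' => 2,
     'hash' => password_hash('po-secret', PASSWORD_DEFAULT)],
];

// Log in to ONE domain. Fails unless a row exists for this login in this
// domain, so an FZ account cannot be used at the PO login form.
function domain_login(array &$session, array $members, string $login,
                      string $password, string $domain): bool
{
    foreach ($members as $m) {
        if ($m['login'] === $login && $m['domain'] === $domain
            && password_verify($password, $m['hash'])) {
            // Rights are stored under the domain key, never globally.
            $session['auth'][$domain] = ['user' => $login, 'level' => (int)$m['level']];
            return true;
        }
    }
    return false;
}

// Page guard: only the entry for the page's own domain is consulted, so a
// level earned in another department is never compared against this page.
function domain_allows(array $session, string $domain, int $required): bool
{
    $entry = $session['auth'][$domain] ?? null;
    return $entry !== null && $entry['level'] >= $required;
}

// Demo with a plain array standing in for $_SESSION (runs from the CLI).
$session = [];
var_dump(domain_login($session, $members, 'ron', 'fz-secret', 'FZ')); // FZ login
var_dump(domain_allows($session, 'FZ', 2));  // page in the user's own department
var_dump(domain_allows($session, 'PO', 2));  // page in the other department
var_dump(domain_login($session, $members, 'ron', 'fz-secret', 'PO')); // no PO row

// On a secured FZ page the guard would be used as:
// if (!domain_allows($_SESSION, 'FZ', 2)) { header('Location: loginfail.php'); exit; }
```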

   

