Registering new user

I'm having trouble setting myself up as admin in DBMan 2.04. I created a new account for myself and gave myself admin permissions, but when I try to log in, I get a login error every time. When I logged in as admin again and went to the User Management screen, my username and permissions were intact. When I tried to register again under the same name, I got an error indicating that the user already exists (my username and password are in the password file). What am I missing here?

Thanks
Milt

[This message has been edited by mel (edited April 14, 1999).]
Re: Registering new user
Are you sure you're using the correct password? Sometimes it's hard to tell when you're typing them in.

I would suggest logging on as admin again and setting a new password for the username. Be sure to remember that the password is case-sensitive.


------------------
JPD





Re: Registering new user
JPD, I went into admin and deleted myself. Then I created myself again and logged off as admin and logged on as myself, and it worked. Unfortunately, that's not the first time I couldn't log on in succession. The last time though, I tried logging on after the six hour period, and was successful. But I shouldn't have had to do that. I'll keep an eye on this behavior.

Thanks,
M.E.L.

Re: Registering new user
I tried logging in this morning under my new account and was denied. I found that my account had been deleted from the auth directory. Why is my account subject to the default.cfg time limit and guest/author/admin are not? I went into admin and found that my account is still present with the assigned permissions. Everything seems to be OK except for the time limit problem. I'd eventually like to set myself up as the only admin. Suggestions?

Thanks,
M.E.L.

Re: Registering new user
I think maybe I need to explain how the usernames and passwords work.

When you log in, the auth.pl script looks for the username and password in the .pass file and then adds a huge number to the username. Like
"admin.999999999999999999999"
(I don't recall how many numbers but it's a bunch.) For the rest of this post, I'll refer to this as "username.HugeNumber".

Then the script creates a little file in the auth directory, named username.HugeNumber. The only content of the file is the remote host the user logged in from.

Each time you do something the username.HugeNumber is sent to the script, along with any variables that are necessary to do what you want to do. Before the script does anything with the variables, it checks to see if there is a file named username.HugeNumber in the auth directory. If there is, it then checks the username part to see if you are allowed to do what you wanted to do.

If there isn't a file named username.HugeNumber, you get a message "expired user session" and need to log in again with the username and password.

At the same time that it checks the permissions, it checks any other files in the auth directory to see if there are any old files -- ones that have been there for at least 6 hours (or whatever time is set in the .cfg file). If there are any old ones, the script deletes them. Otherwise, your entire webspace would soon be filled with username.HugeNumber files.

I'm wondering if you are maybe entering the username.HugeNumber instead of just the username when you log in. You need to enter just the username.

If you are entering just the username and you are sure your password is being entered correctly, I'm not sure what to tell you. Have you modified the script in any way?

------------------
JPD
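
A minimal model of the session-file scheme described in the post above, added here as an example; it is not DBMan's auth.pl code. The token format, the `secrets`-generated number and all function names are assumptions; it shows why a session stops working after the timeout while the account in the password file is untouched.

```python
import os, re, secrets, tempfile, time

AUTH_TIMEOUT = 6 * 3600   # seconds; the 6-hour default mentioned in the thread
# Assumed token shape: username, a dot, then digits. Rejecting anything else
# keeps a client-supplied token from naming a file outside the auth directory.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,32}\.\d{1,40}")

def login(auth_dir, username, remote_host):
    """Create the session file once the password check has succeeded."""
    token = f"{username}.{secrets.randbelow(10**20)}"
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("username not usable in a session token")
    with open(os.path.join(auth_dir, token), "w") as fh:
        fh.write(remote_host)          # the file's only content
    return token

def purge_stale(auth_dir, now):
    """Delete session files older than AUTH_TIMEOUT; return their names."""
    removed = []
    for name in os.listdir(auth_dir):
        path = os.path.join(auth_dir, name)
        if now - os.path.getmtime(path) >= AUTH_TIMEOUT:
            os.remove(path)
            removed.append(name)
    return removed

def check_session(auth_dir, token, now=None):
    """Return the username for a live session, else None (expired session)."""
    now = time.time() if now is None else now
    purge_stale(auth_dir, now)         # purge first so a stale file never passes
    if not TOKEN_RE.fullmatch(token):
        return None
    if not os.path.isfile(os.path.join(auth_dir, token)):
        return None
    return token.rsplit(".", 1)[0]

def demo():
    """Constructed scenario: log in, use the session, return 7 hours later."""
    with tempfile.TemporaryDirectory() as auth_dir:
        token = login(auth_dir, "mel", "host.example")
        t0 = time.time()
        fresh = check_session(auth_dir, token, now=t0 + 60)
        traversal = check_session(auth_dir, "../mel.123", now=t0 + 60)
        expired = check_session(auth_dir, token, now=t0 + 7 * 3600)
        return fresh, traversal, expired

if __name__ == "__main__":
    print(demo())   # ('mel', None, None)
```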





Re: Registering new user
Thanks JPD, you've been really helpful and patient with me. I think the code is fine, my problem is understanding how DBMan authentication works. And I still have a few nagging concerns:

1. I took your advice literally this morning and tried logging in using just my username without the password. It worked! But is that the way it's supposed to work? Seems insecure. And why give me an editable text field for the password if nothing is supposed to be entered there? I logged out and logged in again with my username AND password and got a login error.

2. I assume I can get rid of guest/guest, author/author, and admin/admin by deleting them from the password file?

3. On the User Management screen, the password text field allows me to change the password, but the previous entry is encrypted. How can I change an encrypted password? Shouldn't the encryption be transparent to the admin?

Other than the authentication issues, I'm all ready to go.

Thanks again,
M.E.L.

Re: Registering new user
I don't think I suggested that you log on without a password. You should not be able to log on without a password. When I said "You need to enter just the username," I meant just the username without the .HugeNumber, not the username without the password.

This may have come to a point where I need to look at your site to figure out what's going on. I'll also need admin access. You can send me the URL and an admin username/password at hall@drizzle.com.

Quote:
2. I assume I can get rid of guest/guest, author/author, and admin/admin by deleting them from the password file?

Either that or through the admin page. I think through the admin page is easier.

Quote:
3. On the User Management screen, the password text field allows me to change the password, but the previous entry is encrypted. How can I change an encrypted password? Shouldn't the encryption be transparent to the admin?

The encryption is done by the server and there is no way to unencrypt. If you want to change a password, just delete the encrypted password and type in a new, un-encrypted one. The script will do the rest.



------------------
JPD