--- the signin.php main page ---

<?php $pathToRoot=dirname($_SERVER['SCRIPT_FILENAME'])."/"; ?>
<?php include($pathToRoot."includes/phpheader.php"); ?>
<?php include($pathToRoot."includes/httpheader.php"); ?>
<?php include($pathToRoot."includes/signin.php"); ?>
<?php

// Check if we have established a session
if (isUserSignedIn())
{
  // There is a user logged on
  outputSignedOnPage($_SESSION["authenticatedUser"]);
}
else
{
  // No session established, no POST variables 
  // display the sign-in form + any message
  outputSignInPage($_SESSION["sessionMessage"]);

  session_destroy();
}

?>


--- the signin.php include is listed below ---

<?php
// include guards
if (!$INCLUDED_SIGN_IN_PHP):
$INCLUDED_SIGN_IN_PHP = 1;

//
// Function that returns the HTML FORM that is 
// used to collect the username and password
//
function outputSignInPage($sessionMessage)
{
	global $pathToRoot;
	global $URLToRoot;
	global $queryVars;
	
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<?php include($pathToRoot."includes/htmlheader.php"); ?>
<title>Sign In</title>
</head>
<body>
<?php include($pathToRoot."includes/banner.php"); ?>
	<table width=<?php echo "\"".getPageWidth()."\"" ?>  border="0">
	  <tr>
		<?php if (!(int)$queryVars['isPrintable']) include($pathToRoot."includes/navigation.php"); ?>
		<td valign="top"><div class="headerImageText">Sign In</div>
<?php
		  // Include the formatted sign in message
		  if (isset($sessionMessage))
			echo "<p class=\"sessionMessage\">".$sessionMessage."</p>";
			
		  // Deduce the URL to go to after authentication. If we aren't told,
		  // just go to the main page
		  if (!array_key_exists('fromURL', $queryVars))
		    $queryVars['fromURL'] = $URLToRoot;
?>
			<form method="POST" action=<?php echo "\"".$URLToRoot."authentication.php?fromURL=".urlencode($queryVars['fromURL'])."\""?>>
			<table align="center">
			<tr>
				<td colspan="2"><h3>Sign In</h3></td>
			</tr>
		  <tr><td colspan="2">&nbsp;</td></tr>
		  <tr><td>Username:</td>
			  <td><input type="text" size=15 
					   maxlength=25 
					   name="formUsername"></td></tr>     
		  <tr><td>Password:</td>
			  <td><input type="password" size=15 
					   maxlength=25
					   name="formPassword"></td></tr>
		  <tr><td colspan="2">&nbsp;</td></tr>
		<tr><td colspan="2" align="right"><input type="submit" value="Sign in"></td></tr>
		</table>
		</form>
		  </td>
	  </tr>
	</table>
<?php include($pathToRoot."includes/info.php"); ?>
</body>
</html>
<?php
}  

//
// Function that returns HTML page showing that 
// the user with the $currentSignInName is signed on
//
function outputSignedOnPage($currentSignInName)
{
	global $pathToRoot;
	global $URLToRoot;
	global $queryVars;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<?php include($pathToRoot."includes/htmlheader.php"); ?>
<title>Sign In</title>
</head>
<body>
<?php include($pathToRoot."includes/banner.php"); ?>
	<table width=<?php echo "\"".getPageWidth()."\"" ?>  border="0">
	  <tr>
		<?php if (!(int)$queryVars['isPrintable']) include($pathToRoot."includes/navigation.php"); ?>
		<td valign="top"><div class="headerImageText">Sign In</div>
			<p class="sessionMessage">You are currently signed in as <?php echo "\"".$currentSignInName."\".</p>"; ?>
  		    <p align="center"><a href=<?php echo "\"".$URLToRoot."signout.php\""?>>Sign Out</a></p>
		  </td>
	  </tr>
	</table>
<?php include($pathToRoot."includes/info.php"); ?>
</body>
</html>
<?php
}  

endif; // $INCLUDED_SIGN_IN_PHP
?>


--- the authentication.php page (the form's POST target) ---
<?php

$pathToRoot=dirname($_SERVER['SCRIPT_FILENAME'])."/";
include($pathToRoot."includes/phpheader.php");
include($pathToRoot."includes/httpheader.php");
include($pathToRoot."includes/database.php");

  // Clean the data collected from the user
  $appUsername = 
    EscapeShellCmd(substr($HTTP_POST_VARS["formUsername"], 0, 25));
  $appPassword = 
    EscapeShellCmd(substr($HTTP_POST_VARS["formPassword"], 0, 25));

  $authenticated = authenticateDatabaseUser($appUsername, $appPassword);
  if ($authenticated) 
  {
    // Register the username
    $_SESSION["authenticatedUser"] = $appUsername;

    // Register access priviledges
    if (!empty($accessPriviledges))
        $_SESSION["accessPrivs"] = implode(",", $accessPriviledges);
	
	  $newURL = "";
	  
      // Deduce the URL to go to after authentication. If we aren't told,
      // just go to the main page
      if (array_key_exists('fromURL', $queryVars))
        $newURL = $queryVars['fromURL'];
      else
        $newURL = $URLToRoot;

	  // Relocate back to the desired page
	  header("Location: ".$newURL);      
  }
  else
  {
    // The authentication failed
    $_SESSION["sessionMessage"] = "Could not sign in as \"$appUsername\".<br />Please check the username and password and try again.";

	  // Relocate back to the sign-in page
	  header("Location: ".$URLToRoot."signin.php");      
  }
?>
