Sequred pages after LoginForm

Anon

How do I do this..
I know I´ve posted this
Issue about 2-3 times before
here, and alot of you guys
have tried to help me..
But it still doesnt work.

Right now, my script looks like this:

(((INDEX.php <- the Login page)))
<?php
if (!isset($doCheck)) {
?>
<head><title>Login</title></head>
<body>
<form method="post" action= <? echo "$php_self" ?>>
<input type="hidden" name="doCheck" value="1">
<input type="textfield" name="name">
<input type="password" name="passwd">
<input type="submit">
</form>
</body>
<? }
else {
$sybase = sybase_connect("blabla" , "blabla" , "");
sybase_select_db("blabla");
$sql = sybase_query("SELECT Login, Password from anvaendare WHERE Login = '$name' AND Password = '$passwd'");
$result = $sql;
$num_of_rows = @sybase_num_rows($result);
if ($num_of_rows < 1) {
print "<H1>Sorry, wrong username and password</H1>";
sybase_close();
exit();
} else {
}
sybase_close();
header("Location: val.php");
}
?>

(((And my val.php <- The sequred page)))

<?php
if ($submit) {
if ($REQUEST_METHOD != 'POST') {
?>

<head><title>Inloggad</title></head>
<body>
<h2>Vad vill du göra?</h2><p>
<a href="komm.htm">Mata</a> in ett kommando till DB?<br>
<a href="store.php">Infoga</a> en fil till DB?<br>
<a href="getdata.php">Mata</a> ut en fil från DB?<br>
<a href="input.php">Skriva</a> in en text till DB?<br>
<?
exit();
}
else {
echo 'Sorry, Illegeal request';
}
}
?>
</body>

Sorry for printing this much in the
Forum!

/Chess

Anon

I am unclear what the secure page is doing with the "if ($submit) {" since there is no submit button on this page and this page is not accessed from a form but rather a redirect after successful login. Also, the page is not retrieved via a "POST" request is it? I'm not sure what flags are set on redirect and which variables are passed but I have a feeling nothing is. I will have to investigate and let you know. What just wondering if you still needed help. Let me know if you still need help, as I have been working hard on my own login/password leading to secured pages and it has been quite a bit of work.

Anon

Yes, I am still VERY interested
in how to do this,
I am quite stuck in this.

I would be greatful if you could
somehow help me with this!

Thanks alot scott

/Chess

Anon

hmm, here's the way I did my secured pages. I have a page to do the login. On this page I create, what I call a session ID. I store the session ID, username and access level in a database. I than redirect the person to the secured page passing the session ID(e.g. Header: ("Location: secured.php?sessionid=$essionid")😉
On any page that is secured, I call a function to verify the sessionid that is passed to the page and the accesslevel. This way someone cannot call the secured page directly.
I avoid using cookies at all this way and I can make sure that pages cannot be called without logging in first. Plus the database makes a handy login record.

Anon

Can you please get me some sort of Script for this? 🙂 plz.!

Anon

try this on for size. this is probably not the best way to do things but it works for me. The only mystery function you need to worry about is isLoggedIn(); which is in the file verifylogin.inc. isLoggedIn() returns the access level of the person logged in or 0 if the person is not logged in. your table of users just needs to contain a userid and password as an md5 hash and an integer representing the level of access that person has. This allows you to show some things to some people and not others based on access level. hope this helps. Parse through the code and let me know where I made a mistake :-)
=-=-= CODE START =-=-=

<HEAD>
<TITLE>Site Admin</TITLE>
</HEAD>
<BODY BGCOLOR="#000000" TEXT="#FFFFFF" link="#4D4DFF" vlink="#8F8FBD"">
<FONT FACE="Verdana, Helvitica, Arial, Helvetica">
<?
include("verifylogin.inc");
$acclevel = isLoggedin($sessionid);
if (!$acclevel) { // if not logged in or access level = 0 do this
$db = mysql_connect("localhost", "youruserid", "yourpassword");
mysql_select_db("yourdatabasename",$db);
if ($submitlogin) {
$sql = "SELECT * FROM users WHERE id='$loginname'";
$result = mysql_query($sql);
if ($result) { // if your name is found
$data = mysql_fetch_array($result);
$userpass = $data["pword"];
$kickme = 0;
} else { // if name not found, no login possible
$kickme = 1;
}
if (($userpass == md5($password)) && (!$kickme)) { // if password matches, and user exists get user profile
$id = $data["id"];
$name = $data["name"];
$ip = getenv("REMOTE_ADDR");
$timestamp = time();
$acclevel = $data["access"];
$hashvalue = $id . $userpass . $timestamp;
$sessionid = md5($hashvalue);
$sql = "INSERT INTO loggedin (name, ip, timestamp, access, sessid) ";
$sql .= "VALUES ('$id', '$ip', '$timestamp', '$acclevel', '$sessionid')";
$result = mysql_query($sql);
} else { // if passwords do not match prompt again
?>
Login Unsuccessfull Please Try Again<br>
<P>
<form method="post" action="<?php echo $PHP_SELF?>">
Login Name:<input type="Text" size="15" name="loginname"><br>
Password: <input type="Password" size="15" name="password"><br>
<input type="Submit" name="submitlogin" value="Enter information">
</form>
<?
}
} else { // this part happens if we don't press submit
?>
You are not logged in<BR>
<P>
<form method="post" action="<?php echo $PHP_SELF?>">
<TABLE BORDER=0>
<tr><td>Login Name:</td><td><input type="Text" size="15" name="loginname"></td><tr>
<tr><td>Password:</td><td><input type="Password" size="15" name="password"></td></tr>
<tr><td colspan=2 align=center><input type="Submit" name="submitlogin" value="Enter information"></td></tr>
</TABLE>
</form>
<a href="login.php">Add New User</a><br>
<?
}
}
if ($acclevel > 6) { // load this area if access higher than level 6

}
?>
</body>

Anon

Well, I get:

Warning: Failed opening 'verifylogin.inc' for inclusion (include_path='') in /www/htdocs/testa/scott.php on line 7

Fatal error: Call to undefined function: isloggedin() in /www/htdocs/testa/scott.php on line 8

Anon

Also,

Do I need to add a new table
called 'loggedin'
With the columns:
Name, Ip, Timestamp, Access & SessID

????

Anon

And also..

What script shall I put on my sequred
pages?

Anon

here is my verifylogin.inc file.
yes you need to make two tables actually. one called users and one called loggedin. I'm sure you can decipher the columns needed from the code.
at the top of the each page you want secured put this code:
<?
include("verifylogin.inc");
$acclevel = isLoggedin($sessionid);
if ($acclevel > 6) {
// put secured info here
} else {
// error message or a redirect to the login page
// for example:
Header( "Location: index.html" );
}
?>
and here is the inc file
=-=-= CODE START =-=-=
<?
function isLoggedin($sessionid) {
// this function will return 0 if the user is not logged in
// or the accesslevel of the user who is logged in
include("datediff.inc");
$loggedin = 0;
$db = mysql_connect("localhost", "root");
mysql_select_db("unionbob", $db);
$sql = "SELECT * FROM loggedin WHERE sessid='$sessionid'";
$result = mysql_query($sql) or die ("Query failed!");
if ($result) {
$loggedin = 1;
$myrow = mysql_fetch_array($result);
$id = $myrow["name"];
$ip = $myrow["ip"];
$ipnow = getenv("REMOTE_ADDR");
$loggedin = $myrow["access"];
$ts = $myrow["timestamp"];
$timenow = time();
if (datediff("n",$ts,$timenow) > 60) {
$loggedin = 0;
} else {
$sql = "UPDATE loggedin SET timestamp='$timenow' WHERE sessid='$sessionid'";
$result = mysql_query($sql) or die ("Update Query Failed");
}
if ($ip != $ipnow) {
$loggedin = 0;
}
} else {
$loggedin = 0;
}
return $loggedin;
}
?>

Anon

What kind of Columns and Variables
shall I have in the LoggedIn table?

Anon

I´m sorry, but I never really Understood

Is this the veryfylogin ? and How am I supposed to save this 1 ?, as
verifylogin.ini ?
And,, What script was I supposed to have on the Sequred page?
Thanks!

Anon

yes the file was to be named verifylogin.inc
upon looking at your confusion, perhaps it would be better to try the user authentication script here at phpbuilder? I'm not sure. My solution is rather complicated and that's just because I tried to cover everything possible and still not use any cookies. If you are willing to use cookies, like in the solution here at phpbuilder it is very simple and very easy because the essay is written with the intent that anyone can read it and plug it into their site. My solution was homebrewed just for my site. I had no intention of making it easy to use for anyone else. I just thought I'd help since I had just finished coding it and you needed help getting code to work.
If you read through the code I sent you the columns you need are all in there. I really don't want to flood this channel with any more code than I already have, like the mysql table dumps for all the tables used. Are you looking to write the code yourself or are you looking for a drop in solution? If you want to code it yourself I will be more than happy to help, if you are looking for a drop in solution I don't think mine is the best to look at since I am a newbie when it comes to PHP, just started not too long ago.
As for what to put on the secured pages, I sent that in the last message. Just basically a call to isLoggedIn and checking the accesslevel that is returned by that function. Have Fun! :-)