Login script

Anon

Hi!
Is there anyone out there willing to help me with a login script for my community?
I'm using sessions to save username and status(logged in or not), but I can't get it to work as I want it to.
Do you know if there are any good and safe scripts for free, or can you help me with my problem?

/ Help!

Anon

What method of authentication, and how are you verifing that in each page of your site?

And is your intention simply to know who is doing what or are you restricting access to sensitive information?

Anon

Thanks for answering.
I'we tried to build it up by saving login-status and username in a session, but it dosen't work as I want (sessions are a bit tricky...).
This is how my simple code looks right now:

$user & $pwd comes from the login-form on index.php...

-- login.php: --
<?
$login = false;

$connect = mysql_connect();
mysql_select_db("x");
$query = mysql_query("SELECT * FROM the_user_table WHERE user='$user'");
$row = mysql_fetch_array($query);
mysql_close($connect);

if (mysql_num_rows($query) == 0) {
print ("Unregisterd username. ");
exit;
} else {
if ($row["pwd"] == $pwd) {
session_register("login");
$login = true;
} else {
print ("Incorrect password or username! ");
exit;
}
}

header ("Location: main.php")
?>

-- main.php: --
<?
if (session_is_registered("login")) {
session_start();
if ($login == true) {
print ("Logged in ");
?>
<A href="logout.php">Log out</A> 
<?
} else {
print ("NOT logged in! ");
}
} else {
print ("Don't try to trick me! ");
}
?>
<A href="index.php">Back to index</A>

-- logout.php --
<?
session_start();
session_destroy();
print ("Logged out. ");
print ("<A href=\"index.php\">Log in again</A>");
?>

Please tell me how to make this code GOOD!
/ Thanks Linus

Anon

First off, I never store an unencrypted passwords in sessions, or any password if I can get around it which usually isn't that difficult.

I am in the habbit of registering an array as the session var the stuffing everything into that. Less chance of forgetting to unset something. Plus easier if you need to pass a full array from a database, such as user info, into the session var. In the example below the session var array is $DATA and everything else is an associative member of it (ie $DATA[username])

Note that this code isn't tested so may need some tweaking...

<?
session_start();
IF($user!="" && $pwd!="") //
{
$connect = mysql_connect();
mysql_select_db("x");
$query = mysql_query("SELECT * FROM the_user_table WHERE (user='$user' AND pwd='$pwd'");
IF($mysql_num_rows($query)==1)
{
$row = mysql_fetch_array($query);
$DATA=array("user"=>$row);
$DATA["user"]["pwd"]=md5($pwd);
session_register("DATA");

}
mysql_close($connect);
header ("Location: main.php")

}
ELSE
{
print "Incorrect Login. Please try again.";
}

-- main.php: --
<?
session_start();
if ($HTTP_SESSION_VARS["DATA"]["user"])
{
// Authenticated

?><A href="logout.php">Log out</A> <?

}
else
{
// Auth failed

 header("location:.")

}

-- logout.php --
<?
session_start();
session_unregister("DATA");
session_destroy();
print ("Logged out. ");
print ("<A href=\"index.php\">Log in again</A>");
?>

Anon

Wrong clipboard... The first section should have been:

session_start();

IF($user!="" && $pwd!="")
{
$connect = mysql_connect();
mysql_select_db("x");
$query = mysql_query("SELECT * FROM the_user_table WHERE (user='$user' AND pwd='$pwd'");
IF(mysql_num_rows($query)==1)
{
$row = mysql_fetch_array($query);
$DATA=array("user"=>$row);
$DATA["user"]["pwd"]=md5($pwd);
session_register("DATA");
mysql_close($connect);
header ("Location: main.php")

}
mysql_close($connect);

}

print "Incorrect Login. Please try again.";