Logging in script problems

Rodders

I have pages on my website which are intended only for authorised users. So I have created a function which checks a cookie to see if the user is logged in:

function checklogin($successurl) {

  if (! $_COOKIE['loggedin'] == "Y" ) {
   header("Location:../login.php?gotourl=$successurl"); exit();
  } else {
   return "Y";
  }

}

I realise that this cookie isn't very secure, but that's not the issue just yet.

The login.php script on loading for the first time will display a form asking for User ID and Password. The form is METHOD=POST ACTION=$PHP_SELF so it tests to see if the 'login' button has been pressed and then attempts to login.

The login is simple, it just looks up the user table for any rows matching user ID and password. Then the script checks that something was found, if so it sets the cookie and redirects back to the original intended page:

  if ($numrows != 0) {
   setcookie("loggedin", "Y", time()+86400);
   header("Location:$gotourl");}
  else {
   echo "Failed to login " . $userid . ".";
   echo "<BR>";
   echo "Try again.......";}

Obviously once it goes back to the original page it performs the function to check the cookie again which should be successful and return to the page to finish off.

My problem is........ I have to enter the user ID and password twice correctly before it proceeds ! I'm guessing this is something to do with the cookie not being passed correctly when the header() function is called, but I really don't get it.

Any suggestions.

Is there a way I can post my code in full to make it clearer?

raymie

Any particular reason why you are using cookies and not sessions.

Sessions are more reliable since they are not dependant on the client machine accepting and retaining them.

Rodders

Yes. I am new to PHP and server-side coding and had forgotten about sessions from my book! Or rather, I thought they were one in the same thing.

I'll have a look at doing it with sessions instead. Any hints?

raymie

It depends on what version of PHP you are using but I will assume that it a version above 4.2.0 and is so then your book is probably wrong unless written after then.

Main things to know (in my opinion).

each page should start with

session_start();

DO NOT use the session_register or related functions.

Use instead the super global array $_SESSION. This is a super global array which means that you do not need to use the global command when referring to the array within functions.

If you want to setup a new session variable then...

$_SESSION['new_variable'] = $value;

Session variables should be treated as per any other variable.

Another difference from your book perhaps is that the php setting register_globals may be 'off' on your server now (it is the default setting now in PHP) but most books still assume that the setting is on and that global arrays will be resolved ie if there is a GET variable on the url such as page.php?var=1 then the books assume that in the program the variable $var will be set, this may not be the case anymore and instead you would refer to the field as $_GET['var'].

The reasons behind this change is security and the same applies to session variables. Always refer to them using the $_SESSION array and you can't go wrong, never assume that they will be resolved to normal variable names.

sfullman

Roddie,

save these as the files I direct, put them somewhere, and you'll have no problem:

save this as index.php:

<?php
session_start();

#THESE CAN BE MOVED TO A SEPARATE PAGE
$settings['administratorUserName']='something';
$settings['administratorPassword']='something1';
if($logout){$HTTP_SESSION_VARS['Login']='';unset($HTTP_SESSION_VARS['Login']);}

if($HTTP_POST_VARS){//form submission
if( $HTTP_POST_VARS['un']==$settings['administratorUserName'] and
$HTTP_POST_VARS['pw']==$settings['administratorPassword']){
//log them in
$HTTP_SESSION_VARS['Login']='Administrator';
//show the results page
#redirect so we don't have to refresh page every time we hit the back button
header('Location: index.php');
//just in case they don't have redirects
include('index_result.php');
}else{
//show the login form
$errMessage=1;
include('index_form.php');
}
}else{
if($HTTP_SESSION_VARS['Login']=='Administrator'){
//show results page
include('index_result.php');
}else{
//show login page
include('index_form.php');
}
}
?>

save this as index_form.php:

<h4><br>
<?php if($errMessage){ ?>
</h4>
<p> <b>Sorry, your user name and password were not correct, <br>
please try again:</b>

<?php } ?>
<br>
Please enter your user name and password to log in:<br>
</p>
<form name="form1" method="post" action="<?php echo $PHP_SELF;?>?submit=1">
<table width="50%">
<tr>
<td>User Name:</td>
<td>
<input type="text" name="un">
</td>
</tr>
<tr>
<td>Password:</td>
<td>
<input type="password" name="pw">
</td>
</tr>
<tr>
<td>
<input type="submit" name="Submit" value="Submit">
</td>
<td> </td>
</tr>
</table>
</form>

then save this as index_result.php

<?php
//this is a very neat little one-line security for include files:
if(!stristr($PHP_SELF,'index.php')){exit('This is on or near line 1 -- you have attempted to reach an include file, please use the parent file -- stop all processing');}?>
<h4><font color="#009999" face="Verdana, Arial, Helvetica, sans-serif">You are
now logged in</font></h4>
<p>If you can see this page, that is...</p>