protecting pages from guests

phence

How can I stop guests from entering parts of my web site?

I have already created a member register/login system which inputs the new members data into 2 mysql databases and checks users input (supplied login data) against the the data inside database to authorise the user.

The problem is i still cannot keep guests off of member pages, or keep guests and members off of pages where they must pay for before using that pages service.

What can i do to prevent people from going through the back door?

What is the BEST and MOST secure solution?

I would really appreciate any help on this topic!
Thank-you

planetsim

Well i suggest using either sessions or cookies. Then once either is registered check if they exist if not send them to an error page. Or else keep them on the page.

twopeak

I'm absolutely no php guru, and securing pages is always a delicate thing...

if now you have a login script, did you add some authentication on every page?

what you could do, is store the information about the user once he logged in into an object, and pass that object as a session to every page!
For safety, you could encrypt everything in that object with md5() or something like that... (so far for session stealing)

You can put the session id in a cookie, I don't think there's something really unsafe about that. (except if people can abuse of the cross site scripting, I THINK)

and with userlevels, you could control wether the user has access or not.
and call the page with authentication control everytime a page is being served, to check if the user is allowed to see it!

I leave the coding to you, as I'm not capable of doing it. 🙂

phence

Which approach would be safer? cookies or sessions?

I have tried using sessions before and my attempt failed.

stezz

Iv'e done this many time before.. this is how..

I made a header file (header.inc) and in that file was the top half of my HTML page.. (nav links..ad banners etc etc). Also in that file was some PHP.. before u put your HTML in.. you want to make sure that..

<?php
session_start();
?>

then put the top half of ur HTML in. Whe you reach the end of the header file put this in..

<?php
if(!session_is_registered("ID") && $secure) {
// print out login form informing the user that this is a private page..
exit;
}
?>

the exit bit is important as it kills the script execution there and then. In other words, unless the user has access by supplying a username and password.. the members pages won't get printed. When the user logs in.. it is a good idea to get that user's ID from the DB and store it in a session.. that way.. you can do things like.. "welcome, $username." when they login. In other words you know who's logged in. Using this method.. you could wrote a log file or something (but that's going off the topic a bit). But in the code above.. I used session_is_registered("ID").. when I registered my sessions.. I had..


// data pulled out from db and stored in an array $r

$ID = $r[ID];
session_register("ID");

Now at the top of ALL your member pages.. put

$secure = 1;

This will lock the member pages and force the code in header.inc to run proventing unauthorized access to members pages.

now every page you make for the whole site would look something like..

<?php
include("header.inc"); // contains session_start() and other code
?>

HTML body can go here.. content of whatever page (e.g welcome.php) your making.

<?php
include("footer.inc"); // this would close all the HTML tags left open by header.inc
?>

Here a little example of what would happen if a user attempted to access a member page..

header.inc will be loaded.. the php will do a start_session().. then all the opening HTML tags would be put in place.. then php will check to see if there's a session registered and if the page being requested is locked.. if a session id registered and the page is locked, then the member page would be displayed.. if a session was registered and the page requested was unlocked.. the member page would be displayed.. if no session was registered and the page requested was locked then.. prompt for a user and pass..

This, I believe would be a complete solution to your problem 😉

Good Luck..

Regards, Stezz.

rupertbj

or you can use cookies set to expire when the web browser is exited (all sessions of the web browser must be exited though!) by setting the timeout to either 0 (zero) or less than 0 (zero)...

setcookie( "user", $user, "0" );

the name "user" having been set and approved.

...and then verify the user by the following script:

<?php
if ( empty( $user ) )
	{
	Print "
	<body bgcolor=\"#8080FF\">
	<b>Please register!!!</b>
	";
	exit;
	}
else
	{
	}
?>

N.B. remember the exit; bit as this will prevent the rest of the page being displayed when the script is executed.

Have fun!!!

Rupert

phence

wow! I really do appreciate all of your help! especially "stezz" !!

Stezz that was the perfect solution for my site! it fits in perfect considering I used both header and footer includes!!

Thank-you everyone for your input

sean

trooper

You asked which was safer cookies or sessions

I personally think that session are safer.

My reason for saying this is the following:

1) Some users surf the web with cookies disabled
2) You can actually see the contents of the cookies by simply opening them up

HTH

mahendrakalkura

is this the correct way stezz

<?php

session_start();

if($submit) {
session_register("user_name");
}
if(!session_is_registered("user_name")) {
print("Give me a Name<br>");

<form action="<?php print("$PHP_SELF"); ?>" method="POST">
<input type="text" name="user_name">
<br>
<input type="submit" name="submit" value="submit">
</form>

<?php

exit;

} else {
printf("Welcome $user_name");
}
?>

PyroX

try searching hotscripts.com for complete examples.

phence

Stezz,
What would i have to place in the login script to grant authorization to a member who successfully logged in?

Thank-you
- phence -

phence

This is the script which checks a users supplied username and password against the data in the 'users' database.

Where and How should I grant the authorization?

LOGIN SCRIPT (login.php)

<?php

// This script manages the login process.
// It should only be called when the user is not logged in.
// If the user is logged in, it will redirect back to the calling page.
// If the user is not logged in, it will show a login <form>

include 'include.inc';

set_error_handler("errorHandler");

function check_login($loginUsername, $loginPassword)
{
  global $username;
  global $password;
  global $hostName;
  global $databaseName;
  global $message;

  // Get the two character salt from the 
  // user-name collected from the challenge
  $salt = substr($loginUsername, 0, 2); 

  // Encrypt the loginPassword collected from 
  // the challenge
  $crypted_password = crypt($loginPassword, $salt);

  // Formulate the SQL find the user
  $query = "SELECT password FROM users WHERE user_name = '$loginUsername' AND password = '$crypted_password'";

  // Open a connection to the DBMS
  if (!($connection = @ mysql_pconnect($hostName,  $username, $password)))
     showerror();

  if (!mysql_select_db($databaseName, $connection))
     showerror();

  // Execute the query
  if (!($result = @ mysql_query($query, $connection)))
     showerror();

  // exactly one row? then we have found the user
  if (mysql_num_rows($result) == 1) 
  {
     // Register the loginUsername to show the user is logged in
     session_register("loginUsername");
     $_SESSION["loginUsername"] = $loginUsername;

 // Clear any other session variables
 if (session_is_registered("errors"))
    // Delete the form errors session variable
    session_unregister("errors");

 if (session_is_registered("formVars"))
    // Delete the formVars session variable
    session_unregister("formVars");

 // Do we need to redirect to a calling page?
 if (session_is_registered("referer"))
 {     
    // Then, use it to redirect
    header("Location: {$_SESSION["referer"]}");

    // Delete the referer session variable
    session_unregister("referer");
    exit;
 }
 else
 {
    // Send them to thier own personal Members Directory!  members.php?id=$loginUsername 
	header("Location: members.php?id=$loginUsername");
    exit;
 }
  }
  else
  {
     // Ensure loginUsername is not registered, so the user
     // is not logged in
     if (session_is_registered("loginUsername"))
        session_unregister("loginUsername");

 // Register an error message
 session_register("message");
 $_SESSION["message"] = "Username or password incorrect. Login failed.";

 // Show the login page
 // so the user can have another go!
 login_page();
 exit;
  }        

}

// Function that shows the HTML <form> that is 
// used to collect the user-name and password
function login_page()
{
  ?>
<!DOCTYPE HTML PUBLIC 
    "-//W3C//DTD HTML 4.0 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd" >
  <html>
  <head>
     <title>Login Page</title>
  </head>
  <body bgcolor="white">
<?php
  // Show login status (should be logged out!)
  showLogin();
?>
    <h2>Login Page</h2>
    <form method="POST" action="login.php">
<?php
  // Show messages
  showMessage();

  // Generate the login <form> layout
  ?>
<table>
<tr>
    <td>Enter your username:</td>
    <td><input type="text" size=15 maxlength=30 name="loginUsername"></td>
</tr>     

<tr><td>Enter your password:</td>
    <td><input type="password" size=15 maxlength=8 name="loginPassword"></td>
</tr>
<tr>
    <td><input type="submit" value="Log in"></td>
</tr>
</table>
<br><a href="http://validator.w3.org/check/referer"><img
     src="http://www.w3.org/Icons/valid-html401" height="31" width="88"
     align="right" border="0" alt="Valid HTML 4.01!"></a>
</form>
</body>
</html>
<?php
}

// ------------------

// Initialise the session
session_start();

if (isset($_POST["loginUsername"]))
   $loginUsername = clean($_POST["loginUsername"], 30);

if (isset($_POST["loginPassword"]))
   $loginPassword = clean($_POST["loginPassword"], 12);

// Check if the user is already logged in
if (session_is_registered("loginUsername"))
{
  // If they are, then just bounce them back where
  // they came from
  if (session_is_registered("referer"))
  {
     session_unregister("referer");
     header("Location: $referer");
     exit;
  }
  else
  {
     header("Location: index.html");
     exit;
  }
}

// Have they provided only one of a username and password?
if ((empty($loginUsername) && !empty($loginPassword)) || (!empty($loginUsername) && empty($loginPassword)))
{    

     // Register an error message
     session_register("message");
     $_SESSION["message"] = "Both a username and password must be supplied.";
}

// Have they not provided a username/password, or was there an error?
if (!isset($loginUsername) || !isset($loginPassword) || session_is_registered("message"))
  login_page();
else
  // They have provided a login. Is it valid?
  check_login($loginUsername, $loginPassword);
?>

phence

help? anyone?