i'm having trouble with AUTH/SESSIONS

com3

i'm trying to set up a password protected DIR on my site... i've gotten everything setup with added a user/pass via MySQL....but i don't know how to set up SESSIONS...

anyone have any advice?

thanx in advance for your help fellas.

chr158

Hi There,

Are you using an actual DB TABLE for storing the users and passwords? In my current project I am using the actual DB users and logins to control security and viewing roghts. I find this much more secure than allowing default access to the DB and then validating when a connection the DB has been granted.

As for the sessions, I am no expert at all, in fact i stuggle with it myself to be perfectly honest. I find that ensuring the php,ini is set up allow auto sessions, most things work fine.

Hope this helps - it'll probably just confuse matters.

com3

this is what i've got. i works perfectly...i mean, if they've already created a username and password (which works perfectly as well), then they can login just fine.

the thing i'm trying to so is create a SESSION as well...that way, if someone tried to access the ./only/ DIR directly, via bookmark, or hot link, or whatever, they'd be automatically kicked over to the login page, and not be able to have any type of access without loggin in.

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Username:<input type="text" name="username">
Password:<input type="password" name="password">
<input type="submit" name="Submit" value="Login">
</form>
</td></tr></table></td></tr></table>
<?php

} else {

mysql_connect('localhost','USERNAME','PASSWORD') or die ('Unable to connect to MySQL');
mysql_select_db('DBNAME') or die ('Unable to connect to database');

$username = $_POST['username'];
$password = $_POST['password'];

$mysql_query = mysql_query("SELECT * FROM members WHERE name = '$username' AND password = '$password' LIMIT 0,1");
$mysql_rows = mysql_num_rows($mysql_query);
echo mysql_error();

if ($mysql_rows == 1) { //Logged in
    while($rows = mysql_fetch_array($mysql_query)) {
        header("Location: ./only");
        echo 'Name:'.$rows['name'].'<br>';
        echo 'Password:'.$rows['password'].'<br>';
        echo 'Email:'.$rows['email'].'<br>';
        echo 'Site:'.$rows['site'].'<br>';
        echo 'Comments:'.$rows['comments'].'<br>';

    }

} else { //Not logged in
    header("Location: ./fuckoff.php");
    echo 'Wrong username and/or password!';
}

}

srikanth1184

HI !!

If you are allready using sesions in your site. there should not be a problem as you can easy check for the session when somebody trys to access for that dir.

If you are not using sessions see session_register() and other
related session functions in php.net site then

when you login a user create a session using seesion_register() function.
1. The pages that you don't want to show with out loging in should have the seession check on it. if the check fails reditect him to login page.

Hope this must work for you. If not let me know i will try to get you another solution.

com3

allow me to reiderate...cause i don't think i explained it clearly.....

i got the AUTH and all that stuff to work fine... i jsut can't figure out how to set a cookie on someones computer, so that if they try to access anything thats in a password protected subfolder, and they don't have the cookie, it'll prompt em to login ....or, if they don't have an account,to create one.

i'm still a newbie....i'm trying to learn it all from scratch withough taking anyones code....but i can't seem to get past this little hurdle :/

matt_4013

What will probably be the easiest thing to do (what i do 😉) Is to create your session when they log in, and on each page, include an authentication file up the top, so that if they aren't log in, it just redirects them to the login page.

<?php
if(isset($_SESSION['username'])) {

// They are already logged in, so redirect them to the index.php
header("Location: index.php");
// We put the exit in so that just in case it doesn't redirect,
// it's still gonna stop processing.
exit; 

} else {

if(isset($_POST['submit'])) {

	// They have submitted the form, so do your validation (simplified for demo purposes)
	$sql  = "SELECT id, username FROM users ";
	$sql .= "WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";

	// Include the database connect from BELOW your web root
	include '../inc/dbconnect.inc.php'; 
	$result = mysql_query($sql, $db) or die("Could not perform query! MySQL said: ".mysql_error());

	if(mysql_num_rows($result) > 0) {

		// Get your data into an associative array
		$user_data = mysql_fetch_assoc($result);

		// Start your session
		session_start();

		/* Set your session data. This loops through all of the keys in your data
		array, and sets them to a corresponding session variable. 
		eg. $user_data['id'] = $_SESSION['id'];
		This just makes it easier to code, because you should only be getting the 
		data you need from the query anyway ;)
		*/

		foreach($user_data as $k=>$v) {

			$_SESSION[$k] = $v;
		}

		// The user has been validated, and session data applied,
		// so redirect them to the index

		header("Location: index.php");
		exit;
	} else {

		// Ack, wrong user or password!
		echo "Invalid Username/Password";
	}
}

echo "<form method=\"post\" action=\"".$_SERVER['PHP_SELF']."\">";
echo "<br /><input type=\"text\" name=\"username\" />";
echo "<br /><input type=\"password\" name=\"password\" />";
echo "<br /><input type=\"submit\" name=\"submit\" value=\"Login\" />";
}
?>

And now, the included file (auth.inc.php)

<?php

session_start();

if(!isset($_SESSION['username'])) {

	header("Location: /login.php");
	exit;
}

?>

That was quite easy, wasn't it? And then in the top of all your files, you just:

include_once("/../inc/auth.inc.php");

Hope that helps 🙂