login security

Nairb

I have a login script so when the user logs in it redirects them to a certian page like index.php but you can also go to the page if you just type in the url. How do you make index.php secure so you can only go to it when logged in?

LordShryku

What are you doing once they login? Setting a session? A cookie? Should just be able to do a check for the appropriate variable, if it exists, show them the page, if not, give them an error.

Nairb

here is the code i'm using

login.html:

<form name="signin" action="login.php" method="post" onsubmit="return go()">

Username: <input type="text" name="username" class="form"><br>
Password: <input type="password" name="password" class="form"><br>
<input type="submit" name="signin" value="login">

</form>

login.php:

<?php 
if($username == "brianleiter" && $password == "pass") { 
header ("Location: index.php"); 
}elseif ($username == "friendshipchurch" && $password == "pass"){ 
header ("location: index.php"); 
}elseif ($username == "username" && $password == "password") { 
header ("location: index.php"); 
}else{ 
header ("location: error.html"); 
} 
?>

LordShryku

Well, you're not doing anything to ensure someone logs in. Essentially, there's no point to logging in. You should look into using sessions.

rengy

use a session start everytime the user login, then check the session of on the page you want the user to go to after they login.

Nairb

how would I apply these sessions to the code?

rengy

first you use

session_register('user_id');

after you check the user is login successfully. eg:checkuser.php. then you just need to use

 header("welcome.php");

to lead them to the page

then for the welcome page ,you can use this

session_start();
if(!isset($_SESSION['user_id'])) 
{ 
  // error message
   exit; 
}

else echo "welcome!";

i think this should works, because i works fine with it.
good luck!

Nairb

Thanks for all the help, the only problem is that I get a blank page when logining in.

login.php

<?php 

session_register('user_id');

if($username == "brianleiter" && $password == "pass") { 
header ("Location: index.php"); 
}elseif ($username == "friendshipchurch" && $password == "pass"){ 
header ("location: friendshipchurch.php"); 
}elseif ($username == "username" && $password == "password") { 
header ("location: members.php"); 
}else{ 
header ("location: error.html"); 
} 

?>

index.php

<?php
session_start(); 
if(!isset($_SESSION['user_id']))  

{  

  // error message 
   exit;  

} 

else echo "welcome!";
?>

<html>
<head>

<title></title>
</head>

<body>

THE HTML

</body>
</html>

rengy

hmm mayb u can try this out:
LOGIN.php

if($username == "brianleiter" && $password == "pass") {
              session_register('username');
              header ("Location: index.php");   

                                                                                                 }

use if(!isset($_SESSION['username'])) for the INDEX.php

Nairb

yep it seems to work now, only one problem, I can still go the index.php http://www.brianleiter.com/index.php with out even loging in.

I want it so only the user loging in can go to index.php

squimmy

you can allways use a cookie. although cookies generally arent as good as sessions its still a possiblity.
to use cookies just put something like this on the login page

if($username == "brianleiter" && $password == "pass") { 
 setcookie("brianleiter","yes");             

 header ("Location: index.php");

on the index.php page you could put something like:

if (!isset($_COOKIE['brianleiter'])){
//display error page
}else{
//display the correct login page
}

That should work as i have tested it and it worked. Hope it helps

Roger_Ramjet

Use the attached scripts along with this text to do it all http://www.sitepoint.com/print/users-php-sessions-mysql. It is from Kevin Yank at Sitepoint.com.

I have customised it for my own needs, basically I don't want the sign-up. I also store several other session variables after a successfull login. Read his text to see where to do that.

I also include the following in my index.php for a logout button, users like to see a logout.

<?
//LOG OUT button clicked	
	if (isset($_POST['log_out'])) {  

  		$_SESSION = array();
  		session_destroy;
  		echo '<script language="javascript">window.location = "http:// your logout url here "</script>';
  	}

?>

... html etc

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
					<input type="submit" name="log_out" value="log out" />
					</form>

This is as good as anything else I have seen and better than most. The accesscontrol.php should be included in every page you want to restrict access to, users can then bookmark any protected page and will be prompted for a login whenever they use it.

Nairb

Thank you very much Roger Ramjet, that is exactly what I'm looking for. It fixed the problem with securing the php file but when I login it won't allow me into the php file.

It seems like its not accepting the usernames and passwords. I'am I suppose to store the passwords in another file insted of login.php?

commandonz

The username and passwords are stored in the mySql database.

Roger_Ramjet

Originally posted by Nairb
Thank you very much Roger Ramjet, that is exactly what I'm looking for. It fixed the problem with securing the php file but when I login it won't allow me into the php file.

It seems like its not accepting the usernames and passwords. I'am I suppose to store the passwords in another file insted of login.php?

As commandoz says, this login script uses a mysql database, please read the text at the link I included for a full explanation. If you just want a single login then use the following instead:

<?php 
 session_start(); 

 if ($_POST['username'] == 'kevin' and 
     $_POST['password'] == 'secret') 
   $_SESSION['authorized'] = true; 
?> 

<?php if (!$_SESSION['authorized']): ?> 
 <!-- Display HTML Form prompting user to log in --> 

<?php else: ?> 
 <!-- Super-secret HTML content goes here --> 
<?php endif; ?>

This one is also by Kevin Yank. It stores them in the page ('kevin' & 'secret'). You will have to code the login form where indicated. Text explanation here: http://www.sitepoint.com/print/write-secure-scripts-php-4-2.

The whole point about both solutions is that they avoid cookies and other insecure, and highly hackable login solutions. PHP may be very flexible and very fast, but it is notoriously insecure. That is why the default for new releases is register_globals OFF.

Nairb

I think I have everything secure now. How are you suppose to store the passwords in mysql database? I'm totally lost. Why not just in the php file?

commandonz

By storing passwords in mySql you don't need to change the code when you add a new user. This is more important in other languages, because PHPs interpreted. Also, if users are in a database many applications can use it and they only have to be maintained in one place.

You might benefit from some kind of a programming/design course, like a book or maybe a free online course? Something that teaches principles of design/architecture. Don't take offense, we all started out somewhere. Otherwise people here seem quite friendly and helpful, you'll learn off them 🙂