restricting access

chris_davies

hi,
I have been trying different methods of setting a cookie so as to check if someone has logged in or not. I am testing a username and password against a mysql database and I need to check on the other pages to see if a use has logged in and if the user hasn't logged in, restrict any access.

All the example php code I have seen or tried that checks if a user has logged in or not fails to work. could someone help or show me some example code that really works please?

I need this for a college assignment and I am really stuck, any help would be greatly appreciated.

Chris

paulnaj

Hi Chris,

Welcome to the forum.

Best way to get a helpful response is to post up what you have tried and any results ... error messages etc. (have a read of the guidelines 😉 ).

If you haven't even been able to get that far, then post up exactly what you want to do. Try listing out all the steps required and be as clear and unambiguous as possible.

Paul 🙂

chris_davies

Basically I wwant to stop people accessing any pages if they haven't logged in.
I have trying to set a cookie as follows, which I got out af a book..

// set authorisation cookie
setcookie("auth","1",0,"/","",0);
//header("Location: access.php");
}else{ //yourdomain.com

           // exit;
            }

which seems to work, but when I check it by jumping straight to a page without logging in, with the following:

?php if ($_COOKIE['auth'] == "1"){

I get all sorts of errors on the page like this:

Notice: Undefined index: auth in c:\program files\apache group\apache\htdocs\faultpage.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at c:\program files\apache group\apache\htdocs\faultpage.php:2) in c:\program files\apache group\apache\htdocs\faultpage.php on line 6

I realise setting a cookie ot a value of 1 is a little minimalistic, but I'm just trying to get the code to work, I can change the value later.

chris

id10t

Sessions would be easier/better. Some people (lots actually) block cookies for some reason...

bradgrafelman

On my server, I have the same setup, and I use a session to keep the auth'd data.

Also, maybe use the error surpressor "@" on your $_COOKIE[] statement, and use a "===" operator to make sure the value is exactly what we want?

Also... be forwarned that cookies can be faked, disabled, erroneously handled by the user/browser/spyware software, etc. Sessions seem like the way to go to me.

ShawnK

I use the whole session stuff, but NEVER store passwords or secure data in cookies, even if they are hashed via sha1 or md5. What I use to make it secure is create a cookie ID using this:

$rand = mt_rand(1000000000,9999999999);
$now = time();

$cookie_id = md5($_SESSION['uid'].$now.$rand);

Then insert $rand, and $now into your mysql database in a table called cookies. And to check the cookie just take the user's id number and extract the info from the database and then hash it and see if it's ===.

Lemonboi

I've succesfully set up a login/logout on my website and have used sessions for the reason of not wanting to put them into cookies for security issues.

I can give you an outline of how I went about it or I can show you the script if you want.
1) I start by starting a session
2)with conditional statement, convert username and password from POST or SESSION
3) (optional) check to make sure that either username and password only contain alphnumeric characters with regular expression.
4) start and register session variables
5) connect to database
6) query for user/pass match
7) retrieve number of rows resulted
8) use conditional statement to deny access to those where no rows are retrieved
9) free result and close connection

I found a script by doing a google search and I went through a couple, this was the easiet and most straight forward I found. I've placed this script in a file that I then include into all the required protected pages.

chris_davies

HI , I would dearly like to see this code, I have given myself such a headache trying to get this to work and I am running out of assignment time. Any sample code would be greatfully received (along with some comments so I understand whats happening that is).
Thanks in advance.
chris

Lemonboi

<?php
// Login & Session example by sde
// auth.php

// start session
session_start();

// convert username and password from POST or SESSION
if($POST["username"])
{
$username=$POST["username"];
$password=$POST["password"];
}
elseif($SESSION["username"])
{
$username=$SESSION["username"];
$password=$SESSION["password"];
}
My code for security of username/password (sorry, I'm not including that but if you read up on regular expressions you can do it)
{
session_destroy();
echo "Login Unsuccesful <br /><META HTTP-EQUIV=\"refresh\" content=\"2; URL=../hacker.php\">";
exit;
}

// start and register session variables
session_register("username");
session_register("password");

// connect to database
include("connect.php");

$query = "select * from databasetable where username='" . $username . "' and password='" . $password . "'";
// query for a user/pass match
$result = mysql_query($query) or die ("Error in query: $query.".mysql_error());

// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){
session_destroy();
echo "Login unsuccesful</br><META HTTP-EQUIV=\"refresh\" content=\"2; URL=../loginerror.php\">";
exit;
}

mysql_free_result($result);

mysql_close($connection);

chris_davies

HI again,
I get the bit about checking for the username and
password(password) rom the table , what I'd like to know is how to kick someone out if they havent logged in, for example if they jump straight to a page without loggin in. I realise its to do with testing if the session(variable) has been set but I cant seem to figure it out.
Chris

Lemonboi

This is where the ability of php to add in files comes in handy.

In every webpage at the top I code in the following before it goes and executes the page code.

include('authorisation.php');

authorisation.php being the file that contains the above script. Then each page it will run the script to check if the person is logged in or not

Otherwise you could just paste the script onto every page, but that takes up memory.

krs1

Otherwise you could just paste the script onto every page, but that takes up memory.

And if you ever wanted to change the script name or something in it very time consuming.....

Slash78

Originally posted by ShawnK
I use the whole session stuff, but NEVER store passwords or secure data in cookies, even if they are hashed via sha1 or md5. What I use to make it secure is create a cookie ID using this:
$rand = mt_rand(1000000000,9999999999);
$now = time();

$cookie_id = md5($_SESSION['uid'].$now.$rand);
Then insert $rand, and $now into your mysql database in a table called cookies. And to check the cookie just take the user's id number and extract the info from the database and then hash it and see if it's ===. [/B]

What's your cookie table look like in mySQL? Specifically, what's the field length of the $rand variable?