Login Scripting and Redirecting

smart_monkey

I have a script which i am testing which i want to log in accounts. Im not worrying about that now. Im trying to make the code redirect if the password and username match up. Ive looked for many ways to do this but none work. can anyone help me???

SCRIPT:

//Retrieves the username and password from previous form
$user = $POST["Username"];
$pass = $POST["Password"];

//Checks if "Username" matches the name provided
if ($user==simon)
{
//If username matches, checks "Password" with the password provided
if ($pass==markup)
{
// HERE IS THE PROBLEM I CANT REDIRECT THE SCRIPT!!!
// I TRIED HEADER BUT IT DOESNT WORK AND I TRIED ANOTHER
// POST IF YOU HAVE AN IDEA TO FIX THIS
}
else
{
// Echos if password is incorrect
echo "Incorrect Username or Password Combination";
}
}
//Checks if "Username" matches the name provided
elseif ($user==slickflick)
{
//If username matches, checks "Password" with the password provided
if ($pass==lemon)
{
// A different attempt at making redirect
{$link = "http://localhost/login/home.php";}
}
else
{
// Echos if password is incorrect
echo "Incorrect Username or Password Combination";
}
}
else
{
// If username supplied doesnt match, it echos below
echo "Incorrect Username or Password Combination";
}

painfull

Hi Monkey,

I think I can help you. Just last week I had the same question, and with the help of a couple of people here, I now have a Login page which verifies name and password exist in my database, and redirects to susequent pages - even according to a status attribute which I've attached to each user... ie: Admins go to admin pages, Users go to user pages and Banned/Inactive users go to an inactive account page.

It also checks cookies, for refresh and reload without losing login... and uses sessions to keep users logged in over multiple pages. Both of which are destroyed by the 'logout' page, which I can show you also, if needed.

It works a treat, but uses an SQL Database for the user data.

You may not have a database, but I'm sure the redirect code will still interest you.
It's the Switch/Case function right at the end.

Thread where I got good help:
http://www.phpbuilder.com/board/showthread.php?t=10353571

Cheers.

I have used a single "Failed.php" page for all failed logins, which just says "Failed Login - Retry". Whether the case be: name not in DB and/or password mismatch. Simply because I don't want people to be able to start guessing what names are in the DB by trying a few and noting which ones only give a "failed password" message. But for debugging, initially it helps to have seperate header redirects, to know where your code is taking you.

It's quite long now that I have all my working features in it, but even so... here's my working code. Probably bloated and "over-done", but it works. And for only my 2nd week of writing PHP, I think it's pretty damn good 😃 :

<?php 
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past

// Connects to your Database 
mysql_connect("localhost", "LOGIN", "PASSWORD") or die(mysql_error()); 
mysql_select_db("MY_DB") or die(mysql_error()); 

session_start();

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directes you to the members page
{ 
$username = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check )) 
{
if ($pass != $info['password']) 
{
}
else
{
header("Location: main.php");
}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) 
{ //if form has been submitted
// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass'])
{
header("Location: failed.php");
exit;
}

// checks it against the database

if (!get_magic_quotes_gpc())
{
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0)
{
header("Location: failed.php");
exit;
}
else
{
while($info = mysql_fetch_array( $check ))
{
$_STATUS = $info['status'];

$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password'])
{
header("Location: failed.php");
exit;
}
switch($_STATUS){
    case "admin":
        $_POST['username'] = stripslashes($_POST['username']);
        $hour = time() + 3600;
        setcookie(ID_my_site, $_POST['username'], $hour);
        setcookie(Key_my_site, $_POST['pass'], $hour);
		$_SESSION['status'] = admin;
        header("Location: admin.php");
        break;

case "active":
    $_POST['username'] = stripslashes($_POST['username']);
    $hour = time() + 3600;
    setcookie(ID_my_site, $_POST['username'], $hour);
    setcookie(Key_my_site, $_POST['pass'], $hour);
    $_SESSION['status'] = active;
    header("Location: main.php");
    break;

case "inactive":
    header("Location: inactive.php");
    $_SESSION['status'] = inactive;
    break;

default:
    header("Location: failed.php");
} 




}
}
}


?>

smart_monkey

The thing is i cant get headers to work the way the code is set out.

painfull

Can't get headers to work in your code ? or from the way mine is set out?

Did you try putting exit; after your headers to make sure you don't execute any code after the header?

Check each of my headers, they all have an exit;

header("Location: failed.php");

exit;

smart_monkey

I will test that now....

smart_monkey

Nope

Warning: Cannot modify header information - headers already sent by (output started at G:\Back-Up\Laptop Back-Up (5.4.08)\My Documents\NEW\xampp\xampp\htdocs\login\login.php:7) in G:\Back-Up\Laptop Back-Up (5.4.08)\My Documents\NEW\xampp\xampp\htdocs\login\login.php on line 16

Here is the paragraph with line 16... i put the correct username and password through (username "simon" and password "markup"). i will also try with a incorrect username and password.

12 if ($user==simon)
13 {
14 if ($pass==markup)
15 {
16 header("Location: home.php");
17 exit;
18 }
19 else
20 {
21 echo "Incorrect Username or Password Combination";
22 }
23 }

smart_monkey

Trying the other username and password (username "slickflick" and password "lemon") still says the same thing except it says it on the line 28. Is there another way to redirect the browser inbetween a "if elseif else" statement?

painfull

Have you got ANY html tags or whitespace (any output, including blank lines) before the:

<?php

CODE:

???

The code I posted is BEFORE all html. PHP can't redirect the page once html is output.

The end of my php code:

Snippet:

<?php
----------------
    case "inactive":
        header("Location: inactive.php");
        $_SESSION['status'] = inactive;
        break;

default:
    header("Location: failed.php");
} 
}
}
}

?>

// All PHP is above this line. ALL HTML below.

<html>

<head>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>AllStars - Login</title>
----------------

painfull

This is my index.php file. Which is designed purely to pick up from the url - destroy any cookies using php and then present a login button using a little html. I could put the html inside the php using echo quotes, but it is not necessary in this case, as the html is the end of my file anyway, and does not require php to process the redirect as it is just a standard href link.

<?php 
$past = time() - 100; 
//this makes the time in the past to destroy the cookie 
setcookie("ID_my_site", "gone", $past); 
setcookie("Key_my_site", "gone", $past); 
?>

<html>

<head>
<meta http-equiv="Content-Language" content="en-au">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>AllStars - Welcome</title>
</head>

<body>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center"><font face="Tahoma" size="6">
<a href="login.php"><img border="0" src="star_logo.jpg" width="284" height="292"></a></font></p>
<p align="center"><font face="Tahoma" size="6">Click to Login</font></p>
</body>

</html>

Pretty much all php files should be layed out like this. Except maybe special purpose, or of course those which don't need to redirect. I can't give you examples, I've only been doing this for 2 weeks 😃 But this much I know 😉

Any html you need to output within your php code, can be done with echo and quotes:

echo "Admin Page";
echo "Admin Content";
echo "<a href=register.php>Register a new User";
echo "<a href=edit_users.php>Edit a User";
echo "<a href=logout.php>Logout</a>";
echo "Session = ".$_SESSION['status'];

Like so. The html is all "wrapped" in echo quotes, to prevent it from breaking the <?php ?> flow. You can even do tables this way 😃

echo "<table border='1' align='center'>";
echo "<tr><th width='60' align='center'>Login</th>";
echo "<th width='120' align='center'>Username</th>";
echo "<th width='70' align='center'>Status</th></tr>";
while($users = mysql_fetch_array( $check )){
$username = $users['username'];

echo "<tr><td align='center'>";
echo "<a href='$username'>$username</a>";
echo "</td><td>";
echo $users['name_f'] . " " . $users['name_l'];
echo "</td><td>";
echo $users['status'];
echo "</td><td width='50' align='center'>";
echo "<a href='/edit_users.php?edit=$username';>Edit</a>";
echo "</td></tr>";
}
echo "</table>";

Neat huh :p

smart_monkey

Ok i will try that now and tell you if anything new happens. If this works, cheers mate.

smart_monkey

It works!!!! YAY... cheers painfull.

Here is the final code incase anyone wanted to know:

<?php
$user = $_POST["Username"];
$pass = $_POST["Password"];


if ($user==simon)
	{
		if ($pass==markup)
			{
			header("Location: home.php"); 
			break; 
			}
		else
			{
			echo "Incorrect Username or Password Combination";
			}
	}
elseif ($user==slickflick)
	{
		if ($pass==lemon)
			{
			header("Location: home.php"); 
			break; 
			}
	 	else
			{
			echo "Incorrect Username or Password Combination";
			}
	}
else
	{
	echo "Incorrect Username or Password Combination";
	}

?>
<html>
<head>
<title>Log In</title>
</head>
<body>
</body>
</html>

laserlight

That is not very good, actually. One problem is that you are redirecting users to home.php (and forgotting to exit or die after sending the location header), so if home.php is not itself protected, users can bypass the login.

smart_monkey

Its a "if else" statement. If the it goes to the header there is no more code to execute.

Agreed tho that adding another user would be hard work. I am also adding a cookie when the password is checked and forwarded to home.php.

This cookie checks that you didnt skip the login page as the cookie is set on login page and deletes itself after one hour. If you logout correctly on the home.php then there should be no problems.

Thankyou for your help, i will most likely consider your code as it is a lot easier to add another user. Hopefully this thread isnt deleted as i might need to refer back to this a lot.

laserlight

Its a "if else" statement. If the it goes to the header there is no more code to execute.

Indeed, but if I know about home.php, I can just go there directly, without logging in.

Agreed tho that adding another user would be hard work.

Note my use of an array. With a database, you would just search the database.

I am also adding a cookie when the password is checked and forwarded to home.php.

Ah, then it is okay, if home.php checks for the cookie and and re-authenticates. On the other hand, you have a new problem: you have to store the login credentials on the cookie, which is a Bad Thing as it exposes the username/password to theft. A better solution is to use sessions. The session cookie would then store the session id, not the login credentials.

Thankyou for your help, i will most likely consider your code as it is a lot easier to add another user. Hopefully this thread isnt deleted as i might need to refer back to this a lot.

No problem, we generally do not delete legitimate and unique threads.

painfull

But Laserlight is right...

laserlight wrote:
[*]Adding a check for a new user is tedious.

You will have to add users by expanding this page either the way you have done it (if you can secure 'home.php') or the way Laserlight has suggested by using an array within PHP that defines all known users. Either of which is fine if you only ever need 2 users 😃

Personally, I went the whole hog :s and have used an SQL DB.

You could do the same, it's not hard to setup MySQL, and I have JUST conquered the code to check all things necessary to protect logins and subsequent pages.

Adding users is dead easy now with a page I've made to do exactly that, which is only accessible by an existing Admin 😉 So the User DB is now manageable online, I no longer need direct access to the DB to add, remove users or update their details.

Any attempt to directly access (via URL) the "Add User" page by a non-registered user or non-admin spits out - "You are not Admin, or not Registered!"

Any attempt to directly access (via URL) the "Admin" page or "Add User" page by a registered user spits out - "You are not Admin!"

I feel that you could also use this system.

Let me know if you would like to have a look at it, I'll give you a demo of the working pages.