restricting access using cookies

cass27

Hi,

I have been trying to learn how to create page restriction using cookies in php and mysql from php mysql and apache sams all in one. but I've hit a problem.
I have created a page called loginform.html Which is basically an html form which points to a page called userlogin.php
I set the cookies on it thus:

setcookie("auth", "1", 0 , "/", "yourdomain.com", 0);

After creating a user with password in and username in my database table. I gave it a try. It worked. After putting in username and password and clicking submit, it took me to a page I had created using this script in userlogin.php

$display_block = "
<p> ".$f_name." ".$l_name." is authorized! </p>
<p>Authorized users' Menu:</p>
<ul>
<li><a href=\"secretpage.php\">Secret Page</a></li>
</ul>";
} else{
//redirect back to login form if not authorized
header ("Location: loginform.html");
exit;
}

I now had to create the secret page. I have now spent three hours trying to make the text in the book work. I am now beginning to think there is a typo in the book. Can someone have a look to see whether this seems right for the secret page script:

<?php
if($_COOKIE["auth"] == "1" ){
$display_block = "
<p>You are an authorized user</p>";
} else {
//redirect to log in page
header("Location: loginform.html");
exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Secret Page</title>
</head>

thanks for your time

cass27

laserlight

Your book presents an authentication scheme that is critically flawed. If I know what your code does, I can crack into your system merely by forging the cookie.

A more secure solution (though vulnerable to man-in-the-middle attacks if SSL/TLS is not used) is to use sessions, possibly with cookies. In such a case, I actually need to guess the session id in order to authenticate, or guess the username/password combination.

cass27

thank you lazorlight for your opinion but I need to take things one at a time. I need to find out why this script is taking me in a loop.

I will learn sessions next.

At this stage can you see why this script may not be working. What happens is when I click on "secret page" after putting in my password and username on the authorization page it takes me back to the log in page. This does not make sense to me.

cass27😕

laserlight

thank you lazorlight for your opinion but I need to take things one at a time. I need to find out why this script is taking me in a loop.

That's true. I suggest that you post all the code in [php][/php] tags.

cass27

This is the userlogin.php:

<?php

if ((!isset($POST["username"])) ||(!isset($POST["password"]))) {
header("Location:loginform.html");
exit;
}
$mysqli= new mysqli ("localhost", "localData", "localData", "localData");
//create and issue the query
$sql = "SELECT f_name, l_name FROM auth_users WHERE
username = '".$POST["username"]."' AND
password = PASSWORD('".$POST["password"]."')";
$res = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

//get the number of rows in the result set; should be 1 if a match
if(mysqli_num_rows($res) == 1) {

//if authorized, get the values of f_name and l_name
while($info = mysqli_fetch_array($res)){
$f_name = stripslashes($info['f_name']);
$l_name = stripslashes($info['l_name']);
}
//set authorization cookie
setcookie("auth", "1", 0, "/", "yourdomain.com", 0);

//create display string
$display_block = "
<p> ".$f_name." ".$l_name." is authorized! </p>
<p>Authorized users' Menu:</p>
<ul>
<li><a href=\"secretpage.php\">Secret Page</a></li>
</ul>";
} else{
//redirect back to login form if not authorized
header ("Location: loginform.html");
exit;
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>User Login</title>
</head>

This is the loginform.html:

<body>
<h1>Log in form</h1>
<form method="post" action="userlogin.php">
<p><strong>username</strong>
<input type="text" name="username"/></p>
<p><strong>Password</strong>
<input type="password" name="password"/></p>
<p><input type="submit" name="submit" value="login" /></p>
</form>
</body>
</html>

And this is the secretpage.php:

</body>
</html>

cass27

JVassie

As laserlight said, please use the

tags so we can easily read your code. It is awfully hard to help you otherwise.

cass27

Sorry i didnt realise what lasorlight meant. I have put the tags around the php areas. (it also includes html).

This is the userlogin.php:

 
<?php

if ((!isset($_POST["username"])) ||(!isset($_POST["password"]))) {
header("Location:loginform.html");
exit;
}
$mysqli= new mysqli ("localhost", "localData", "localData", "localData");
//create and issue the query
$sql = "SELECT f_name, l_name FROM auth_users WHERE
username = '".$_POST["username"]."' AND
password = PASSWORD('".$_POST["password"]."')";
$res = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

//get the number of rows in the result set; should be 1 if a match
if(mysqli_num_rows($res) == 1) {

//if authorized, get the values of f_name and l_name
while($info = mysqli_fetch_array($res)){
$f_name = stripslashes($info['f_name']);
$l_name = stripslashes($info['l_name']);
}
//set authorization cookie
setcookie("auth", "1", 0, "/", "yourdomain.com", 0);

//create display string
$display_block = "
<p> ".$f_name." ".$l_name." is authorized! </p>
<p>Authorized users' Menu:</p>
<ul>
<li><a href=\"secretpage.php\">Secret Page</a></li>
</ul>";
} else{
//redirect back to login form if not authorized
header ("Location: loginform.html");
exit;
}
?>

<body>

 
<?php echo "$display_block"; ?>

</body>
</html>

This is the loginform.html:

And this is the secretpage.php:

 
<?php
if($_COOKIE["auth"] == "1" ){
$display_block = "
<p>You are an authorized user</p>";
} else {
//redirect to log in page
header("Location: loginform.html");
exit;
}
?>

<body>

<?php 
echo "$display_block";
?>

</body>
</html>

As i say It recognizes the member can be authorized. But when I click "secretpage" in the browser it takes me back to the log in page instead of the secret page.

thanks for your time

cass27

Do i take it then as far as anyone can see, there is nothing wrong with the code?

cass27:eek:

laserlight

while($info = mysqli_fetch_array($res)){
$f_name = stripslashes($info['f_name']);
$l_name = stripslashes($info['l_name']);
}

should be:

$info = mysqli_fetch_array($res);
$f_name = $info['f_name'];
$l_name = $info['l_name'];

Then later when you want to print them, use [man]htmlspecialchars/man.

Also, note that the URL of a location header should be an absolute URL, but I doubt that that is causing your problem.

cass27

thanks lazorlight, this did the trick nicely (though i dont understand why the while statement was preventing the secretpage from appearing).

I am now, like you suggested earlier going to look into creating an authentication script using sessions. If you know of a good tutorial Id appreciate it.

Thanks again for your help