Confusing login problem....

Anon

Hi... im trying to get my brain round a relitively secure members area for my site. I want the passwo4d to be checked against the vales in a mysql database. I need it so through all of the pages in the members area it somehow validates the user is genuine, perhaps by checking that $username and $password are valid by checking it against the database on every page. What is the best way of doing this? How can i make it so the variables are permanently carried onto each page, global variables?? Im totally unsure so any help with ideas or coding would be great.

Thanx

Jonathan

Anon

There is no confusion at all..

you can do it by several ways and the best is to use cookie. Set a cookie at the time of login and then include a php file on the top of your everypage to check for the cookie and if that cookie is not found you can redirect user to the loging page ..
for example..
after checking the valid username through database you can set ..

setcookie("user_cookie",$username,"","/");

and then include a small php file on to the top of your every page

<?php
if ($user_cookie=='')
{
header("Location: login.php");
}
?>

hope it will help

Enjoy
Tabish

Anon

Or you use the sessions functions supplied with PHP to keep track of the sessions, and link each session to a username/password when they login.

Anon

How can i do a basic session PHP Script? Ive looked in the articles section and it all seems too confusing! Any help?

Anon

well i havent done much with the sessions stuff in PHP4 (which is all built in), i actually made my own sessions system in php3..

you just need to setup a database table called sessions that contains user_id, session_id, time. Then when someone logs in, you assign them a session id and input into the sessions table the userid, session you created, and the time they logged in.

Then you pass the session variable between each page (eg. products.php?sid=$session_id). Then at the top of each page you just lookup the session and make sure its in the session table you created, then you know who is logged in. You can even put a session timeout limit in there. When you are checking the session on each page, just make sure the time was less than X mins/hours ago. Then just make sure you put some sort of sessions cleanup thing in your logoff scripts.

There should be plenty more information on this site to figure it all out (afterall, thats how i found out).

Anon

like this....???

if (!$username || !$password)
{
header("Location: login_form.php?comments=ERROR:%20No%20Username%20or%20Password%20Entered!");
}

$username=strtolower($username);
$password=strtolower($password);
$sql="SELECT FROM users WHERE username='$username' AND password='$password'";
$result=db_query($sql);
if (!$result || db_numrows($result) < 1){
header("Location: login_form.php?comments=ERROR:%20User%20not%20found%20or%20password%20incorrect');
} else {
if (!$result || db_numrows($result) > 1){
setcookie("user_cookie",$username,"","/");
header("Location: http://www.**.com/index.php");
}
?>

Anon

The script above doent work any1 know y??
it says:

Parse error: parse error in /usr/local/psa/home/vhosts/******.com/httpdocs/login/index.php on line 25

Anon

which one is your line 25 ??

Anon

the setcookie line