Web Design Forums

jesusfreak101 · 05-05-2008, 13:45

ok, so ive created a php login, now what i want to do is that whenever they access a members page, that a script would check to see if they are logged in then it can let them see the page. If not then it would ask them to join/login.....any one know of a way to do this, or know of any tutorials? im sorry but i can't write my own scripts yet

im learning so anything would be useful. thnx in advanced

Hunch · 05-05-2008, 14:09

You can do it with PHP sessions:

PHP: Sessions - Manual

Although personally I've always written my own session handling functions because I'm not yet happy with the security of the inbuilt PHP option.

mocremilo · 05-05-2008, 14:12

This is a good one:

Managing Users with PHP Sessions and MySQL [PHP & MySQL Tutorials]

RaelRode · 05-05-2008, 14:12

When the user logs in, set a cookie using the setcookie(); function. Then in the config.php file (or similar) check to see if the cookie is set...

PHP Code:


		
			
<?php
if(isset($_COOKIE['cookie_name'];)
{
$loggedin = true;
}
else
{
$loggedin = false;
}
?>

Just a quick example, not taking security into account. In which case you should encrypt the data you store into the cookie.

For me personally, I have two cookies set. I check to see if the username cookie is set, if so grab that usernames data from the database. Then if the password from the database equals the password in the other cookie...then they can be logged in. More secure than just having their username or just password.

jesusfreak101 · 05-05-2008, 15:28

sorry to be stubborn but heres a part of the code in my login.php;
;

PHP Code:


		
			
$_POST['user'] = stripslashes($_POST['user']);

$_SESSION['username'] = $_POST['user'];

$_SESSION['password'] = $md5pass;

are those too sessions valid? like do they work? i looked up those links you guys gave me and read some on sessions. Im still swallowing a bit of what i've read.

RaelRode · 05-05-2008, 15:41

I would do it this way...

PHP Code:


		
			
$user = stripslashes($_POST['user']); 
$pass = stripslashes($_POST['user']); 
$pass = md5($pass);
$_SESSION['username'] = $user; 
$_SESSION['password'] = $pass;

jesusfreak101 · 05-05-2008, 16:26

so how would i call the sessions in every page i want authenticated?

or should i create a file and place the sessions in there???

EDIT: I put the following in "checkLogin.php"

PHP Code:


		
			
<?

/**
 */
function confirmUser($username, $password){
   global $conn;
   /* Add slashes if necessary (for query) */
   if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select password from users where username = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['password']  = stripslashes($dbarray['password']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

function checkLogin(){
   /* Check if user has been remembered */
   if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
      $_SESSION['username'] = $_COOKIE['cookname'];
      $_SESSION['password'] = $_COOKIE['cookpass'];
   }

   /* Username and password have been set */
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
         /* Variables are incorrect, user not logged in */
         unset($_SESSION['username']);
         unset($_SESSION['password']);
         return false;
      }
      return true;
   }
   /* User not logged in */
   else{
      return false;
   }
}
?>

something tells me this isnt right

RaelRode · 05-05-2008, 17:16

Ok that isn't right because you've just got 2 functions with no implementation.

You'll need to check for cookies (which you have done) and then set a session from the cookies. Then when you check to see if they are logged in check for the session variables.

Personally, I would only use checkLogin once the user logs in, to set the variables. Then just use a function to check for the sessions the rest of the way through the website.

It's a bit late to be coding a few functions for you, but if you need any further help just post.

jesusfreak101 · 05-05-2008, 17:23

Quote:

Originally Posted by RaelRode

Ok that isn't right because you've just got 2 functions with no implementation.

You'll need to check for cookies (which you have done) and then set a session from the cookies. Then when you check to see if they are logged in check for the session variables.

Personally, I would only use checkLogin once the user logs in, to set the variables. Then just use a function to check for the sessions the rest of the way through the website.

It's a bit late to be coding a few functions for you, but if you need any further help just post.

well u could post a new function using the present cookies, can you?

Agricola · 06-05-2008, 07:39

Why are you making things more complicated than needed ?

$_SESSION is all you need.

When you check the persons login and password to your database and it matches, simply flag a session variable as having the person logged in.

$_SESSION['user_logged_in']="ooooYESBabyImIn";

then have a check built into the top of every page that is only availalbe to people who have logged in, obviously you only do this with an include.

Code:

if ($_SESSION['user_logged_in']=="ooooYESBabyImIn"){
Let the person view stuff
}else{
Tell them they have to log in and give them a log in form
}

Hunch · 06-05-2008, 11:46

If you want a "secure" system you need to issue a new ID with every page request, and then check on the server if the browser responds with:

a) The most recently issued ID (it will change with every new page request).

and if you really want to nail it:

b) The same IP address the browser responded with during it's last page request

and

c) The correct referrer

I use my own custom written library, but you could implement the above using PHP sessions.

It's almost impossible to create a 100% secure system due to the rather transparent nature of HTTP. On a recent job, I was handed a USB security key by a client which physically had to be plugged into the machine in order to establish a session with the web server. It's about the most secure system money can buy. I broke it and emulated it in software, in less than a day.

mathias · 06-05-2008, 12:39

I see you have the stigmata, I cannot help you.

05-05-2008, 13:45	#1 (permalink)
jesusfreak101 ie must die Join Date: Jun 2007 Location: Washington Posts: 337	php login ok, so ive created a php login, now what i want to do is that whenever they access a members page, that a script would check to see if they are logged in then it can let them see the page. If not then it would ask them to join/login.....any one know of a way to do this, or know of any tutorials? im sorry but i can't write my own scripts yet im learning so anything would be useful. thnx in advanced

05-05-2008, 14:12	#4 (permalink)
RaelRode Designers are strange :) Join Date: Jan 2007 Location: Shrewsbury, UK Posts: 1,735	When the user logs in, set a cookie using the setcookie(); function. Then in the config.php file (or similar) check to see if the cookie is set... PHP Code: `<?php if(isset($_COOKIE['cookie_name'];) { $loggedin = true; } else { $loggedin = false; } ?>` Just a quick example, not taking security into account. In which case you should encrypt the data you store into the cookie. For me personally, I have two cookies set. I check to see if the username cookie is set, if so grab that usernames data from the database. Then if the password from the database equals the password in the other cookie...then they can be logged in. More secure than just having their username or just password. __________________ If it works, it's valid.

05-05-2008, 15:28	#5 (permalink)
jesusfreak101 ie must die Join Date: Jun 2007 Location: Washington Posts: 337	sorry to be stubborn but heres a part of the code in my login.php; ; PHP Code: `$_POST['user'] = stripslashes($_POST['user']); $_SESSION['username'] = $_POST['user']; $_SESSION['password'] = $md5pass;` are those too sessions valid? like do they work? i looked up those links you guys gave me and read some on sessions. Im still swallowing a bit of what i've read.

05-05-2008, 15:41	#6 (permalink)
RaelRode Designers are strange :) Join Date: Jan 2007 Location: Shrewsbury, UK Posts: 1,735	I would do it this way... PHP Code: `$user = stripslashes($_POST['user']); $pass = stripslashes($_POST['user']); $pass = md5($pass); $_SESSION['username'] = $user; $_SESSION['password'] = $pass;` __________________ If it works, it's valid.

05-05-2008, 16:26	#7 (permalink)
jesusfreak101 ie must die Join Date: Jun 2007 Location: Washington Posts: 337	so how would i call the sessions in every page i want authenticated? or should i create a file and place the sessions in there??? EDIT: I put the following in "checkLogin.php" PHP Code: <? /** / function confirmUser($username, $password){ global $conn; / Add slashes if necessary (for query) / if(!get_magic_quotes_gpc()) { $username = addslashes($username); } / Verify that user is in database / $q = "select password from users where username = '$username'"; $result = mysql_query($q,$conn); if(!$result \|\| (mysql_numrows($result) < 1)){ return 1; //Indicates username failure } / Retrieve password from result, strip slashes / $dbarray = mysql_fetch_array($result); $dbarray['password'] = stripslashes($dbarray['password']); $password = stripslashes($password); / Validate that password is correct / if($password == $dbarray['password']){ return 0; //Success! Username and password confirmed } else{ return 2; //Indicates password failure } } function checkLogin(){ / Check if user has been remembered / if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){ $_SESSION['username'] = $_COOKIE['cookname']; $_SESSION['password'] = $_COOKIE['cookpass']; } / Username and password have been set / if(isset($_SESSION['username']) && isset($_SESSION['password'])){ / Confirm that username and password are valid / if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){ / Variables are incorrect, user not logged in / unset($_SESSION['username']); unset($_SESSION['password']); return false; } return true; } / User not logged in / else{ return false; } } ?> something tells me this isnt right Last edited by jesusfreak101 : 05-05-2008 at 16:52.*

05-05-2008, 14:09	#2 (permalink)
Hunch Grumpy old man Join Date: Oct 2007 Location: North Japan Posts: 1,596	You can do it with PHP sessions: PHP: Sessions - Manual Although personally I've always written my own session handling functions because I'm not yet happy with the security of the inbuilt PHP option.

05-05-2008, 14:12	#3 (permalink)
mocremilo Senior Member Join Date: Aug 2007 Location: California Posts: 130	This is a good one: Managing Users with PHP Sessions and MySQL [PHP & MySQL Tutorials]

05-05-2008, 17:16	#8 (permalink)
RaelRode Designers are strange :) Join Date: Jan 2007 Location: Shrewsbury, UK Posts: 1,735	Ok that isn't right because you've just got 2 functions with no implementation. You'll need to check for cookies (which you have done) and then set a session from the cookies. Then when you check to see if they are logged in check for the session variables. Personally, I would only use checkLogin once the user logs in, to set the variables. Then just use a function to check for the sessions the rest of the way through the website. It's a bit late to be coding a few functions for you, but if you need any further help just post. __________________ If it works, it's valid.

06-05-2008, 07:39	#10 (permalink)
Agricola Senior Member Join Date: May 2007 Location: England Posts: 179	Why are you making things more complicated than needed ? $_SESSION is all you need. When you check the persons login and password to your database and it matches, simply flag a session variable as having the person logged in. $_SESSION['user_logged_in']="ooooYESBabyImIn"; then have a check built into the top of every page that is only availalbe to people who have logged in, obviously you only do this with an include. Code: if ($_SESSION['user_logged_in']=="ooooYESBabyImIn"){ Let the person view stuff }else{ Tell them they have to log in and give them a log in form } __________________ Wot Speeling Mishtake?

06-05-2008, 11:46	#11 (permalink)
Hunch Grumpy old man Join Date: Oct 2007 Location: North Japan Posts: 1,596	If you want a "secure" system you need to issue a new ID with every page request, and then check on the server if the browser responds with: a) The most recently issued ID (it will change with every new page request). and if you really want to nail it: b) The same IP address the browser responded with during it's last page request and c) The correct referrer I use my own custom written library, but you could implement the above using PHP sessions. It's almost impossible to create a 100% secure system due to the rather transparent nature of HTTP. On a recent job, I was handed a USB security key by a client which physically had to be plugged into the machine in order to establish a session with the web server. It's about the most secure system money can buy. I broke it and emulated it in software, in less than a day.

06-05-2008, 12:39	#12 (permalink)
mathias Refrigerated User Join Date: Mar 2006 Location: Central US Posts: 163	I see you have the stigmata, I cannot help you.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search