Jump to content

secure login scripts needed

jasonc

By jasonc
in PHP Coding Help

 Share

Recommended Posts

jasonc Advanced Member

jasonc

Posted
Posted
I can not seem to find an idiot proof script for login on my site.

has anyone got a script or know of one that is easy yet secure that i can include in my site easily, i have tried to do this myself but i get error that headers already sent or the login parts show after login in and loads of others.

this is because i am new to this part or web design, never create a login before and need a lot of advice on how to do this correctly yet easily.

thanks in advance for your help

Link to comment
https://forums.phpfreaks.com/topic/10122-secure-login-scripts-needed/
Share on other sites
.josh Advanced Member

.josh

Posted
Posted
Have you even bothered to do a search? There are literally tons of login scripts and login tutorials here and out on the web in general. It's one of the first scripts any book or tutorial site teaches you.

It sounds to me like you don't really want to learn it, that you'd rather have someone wave a magic wand for you and make it happen. Maybe you should make a post in the freelance forum.
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
if there are so many sites out there how come i have not yet done what i am trying to do!!

i have been looking all over the net for about 6 months asking in forum all over as well.

i have not found a script where i can add one line to the top of all of my scripts that is in the form of

include("auth.php");

that checks if they are logged in by checking the cookies on their pc and if they are then it shows the rest of the page but if not logged in then it shows the login box and waits till they either login or sign up.

if you say 'There are literally tons of login scripts and login tutorials here and out on the web in general. It's one of the first scripts any book or tutorial site teaches you.'

please would you be so kind as to provide just one link in this forum so that other can get the answer to this simple question.

hoping that you can help me i await your reply

thanks
.josh Advanced Member

.josh

Posted
Posted
first off, you aren't going to find what you need, contained within 1 line of code. it just doesn't work that way. 2nd, i will be more than happy to point you to just one login script tutorial in this forum, one i just so happened to write myself, not too long ago:

[a href=\"http://www.phpfreaks.com/forums/index.php?s=&showtopic=92613&view=findpost&p=370773\" target=\"_blank\"]http://www.phpfreaks.com/forums/index.php?...ndpost&p=370773[/a]

i simply do not believe that you have searched and searched for 6 months straight looking for a login tutorial and asking on many forums, to no avail. And walking into a php community saying you can't find a login script.. is like saying you typed "porn" in google and couldn't find any porn. You can't actually expect people to believe that.

seriously, there's this search link, and all you have to do is enter "login" as the keyword. I'm not trying to be snide or rude; I'm just trying to tell you simply and honestly as possible that it doesn't hurt to actually search.

i spend all day trying to help people on these forums, because I like to, and also because i learn lots of things myself in the process. I'd say a good 20-50% of the things I have helped people on, I had no idea how to do when I read the question, and I searched and found the answer myself, usually in 5 minutes or less.
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
thank you.

but that script redirects to only one page and that is the only script i have been able to find in my searches so far.

the script i need does not redirect.

they visit a protected page and if they login incorrectly or are not logged in are the login has expired then they have to login before they see the page that they were at where the call originally came from.

jasonc Advanced Member

jasonc

Posted
  • Author
Posted
first of i have heard that this method is not reccomended as some browser and ISP stop this being used so it would not work.

i am losing my mind here how hard can it be!!???

sorry but i really have been looking for ages for any type of script really and i have tried a few i can tell you.

but none do anything like what i need

i do not think i am asking for the impossible, i hope not!!


have i made myself clear what i am after? maybe i am asking in the wrong way, i am new to logins and have no idea what i am doing but know what i need!! ermm.....

all i am after is a way for each page that i want protect to verify that they are logged in first and if so continue showing the page if not show the login page until they are logged in.

this is what i now have....


auth.php

<?
session_start();
header("Cache-control: private");
$name = $_POST['username']; // this part needs to be secure so that when i add the part that checks these
$password = $_POST['password']; // details from the mysql database it is not compromised by mysql injections!
if ($name == "test" && $password == "test")
{
$_SESSION["status"] = "Logged";
$_SESSION['username'] = $name;
$_SESSION['password'] = $password;
exit;
}
else
{
//Otherwise we set session status to "Not logged"
$_SESSION["status"] = "Not logged";
$_SESSION['username'] = Guest;
?>
<form name="form1" method="post" action="">
<table width="200" border=0 align="center" cellpadding=0 cellspacing=0>
<tr bgcolor="#000000">
<td height="40" colspan="2"><div align="center"><strong><font color="#FFCC66" size="2">.:
Login :.</font></strong></div></td>
<tr bgcolor="#FFCC66">
<td width="92" height="30"><div align="right"><font size="3"><strong>Username:</strong></font></div></td>
<td width="83" height="30"><div align="center"> <font size="1">
<input type="text" name="username" size=10>
</font></div></td>
<tr bgcolor="#FFCC66">
<td height="30"><div align="right"><font size="3"><strong>Password:</strong></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="password" name="password" size=10>
</font></div></td>
<tr bgcolor="#FFFFFF">
<td height="30"><div align="center"><font size="1"><img src="images/login.gif" width="60" height="57"></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="submit" name="submit" value="Log In">
</font></div></td>
</table>
</form>
<?
} // Close tab
?>


some page on my site.

<?
include("auth.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
hello
</body>
</html>


some other page on my site.

<?
include("auth.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
hello again
</body>
</html>


.josh Advanced Member

.josh

Posted
Posted
go back and re-read the tutorial link i provided. the script does exactly that. it shows the initial login form, then directs you to an authorization script. if you are authorized, it sends you off to wherever you get to go when you are logged in. if you are not, it kicks you to loginhelp.php but this can be anywhere you want, including straight back to the login page.

then, on each and every page that you want to verify if they are logged in, you would put this:

[code]
<?php
   session_start();
   if ($userinfo == null) {
      header("Location:loginhelp.php");
      exit;
   }
?>
[/code]

if you want to, you can make this an individual file called auth.php and then you can add

include("auth.php");

at the beginning of all your files instead of the whole block. but this will not be the same as the authorization script that checks to see if they are logged in. It checks to see if there is a session variable, that will only exist if they did log in. otherwise, it kicks them back to loginhelp (or the login screen, whatever you want. i usually use a seperate place called loginhelp.php that lists possible reasons for failure to login, as well as a password resetting form, etc... but you can kick them straight back to the login screen - whatever you want).
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
yes i see, but what is they visit a page called


index.php

or page2.php or someotherpage.php it will only redirect them to one page when logged in not back to the page that called the auth.php script, i can not use the $HTTP_REFERER method to go back to the page that called the script as not all ISP's allow this to be used so they will not come back, or is this $HTTP_REFERER used at the server end?

sorry no sure what i am talking about sometimes.

i can do most anything with php but login and sessions !!!
.josh Advanced Member

.josh

Posted
Posted
i'm not sure i understand what you are trying to accomplish here... are you trying to say that if user goes to blah.php and they must be logged in to view it, but they aren't logged in, to kick them to the login page, and once they are logged in, redirect them to blah.php?
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
yes and the same for all pages on the site that need protecting.

but as i have said i have heard that some internet provider like AOL stop the $HTTP_REFERER from working.
so it can not use this way to send them back.


[!--quoteo(post=375922:date=May 22 2006, 01:37 AM:name=Crayon Violent)--][div class=\'quotetop\']QUOTE(Crayon Violent @ May 22 2006, 01:37 AM) [snapback]375922[/snapback][/div][div class=\'quotemain\'][!--quotec--]
i'm not sure i understand what you are trying to accomplish here... are you trying to say that if user goes to blah.php and they must be logged in to view it, but they aren't logged in, to kick them to the login page, and once they are logged in, redirect them to blah.php?
[/quote]
.josh Advanced Member

.josh

Posted
Posted
well http_referer isn't what you'd use anyways. i only mentioned that cuz i thought you wanted the browser to redirect the page to the previous page the user was at if they tried to access a page without authorization.

make another session variable called like "current_page" or something like and set it to the current page name and include it in the block of code for each page:

[code]
<?php
   session_start();
   $_SESSION['current_page'] = $_SERVER['PHP_SELF'];
   if ($userinfo == null) {
      header("Location:login.php");
      exit;
   }
?>
[/code]

then if the user is not logged in it will kick them to login.php where they will login. login will validate them, and if they exist and all is kosher, header will redirect back to page they were at before.

header ("Location: " . $_SESSION['current_page']);
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
this is what i now have. stuill not working.


auth.php

<?
session_start();
header("Cache-control: private");
$name = $_POST['username']; // this part needs to be secure so that when i add the part that checks these
$password = $_POST['password']; // details from the mysql database it is not compromised by mysql injections!
if ($name == "test" && $password == "test")
{
$_SESSION["status"] = "Logged";
$_SESSION['username'] = $name;
$_SESSION['password'] = $password;
header ("Location: " . $_SESSION['current_page']);
exit;
}
else
{
//Otherwise we set session status to "Not logged"
$_SESSION["status"] = "Not logged";
$_SESSION['username'] = Guest;
?>
<form name="loginbox" method="post" action="">
<table width="200" border=0 align="center" cellpadding=0 cellspacing=0>
<tr bgcolor="#000000">
<td height="40" colspan="2"><div align="center"><strong><font color="#FFCC66" size="2">.:
Login :.</font></strong></div></td>
<tr bgcolor="#FFCC66">
<td width="92" height="30"><div align="right"><font size="3"><strong>Username:</strong></font></div></td>
<td width="83" height="30"><div align="center"> <font size="1">
<input type="text" name="username" size=10>
</font></div></td>
<tr bgcolor="#FFCC66">
<td height="30"><div align="right"><font size="3"><strong>Password:</strong></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="password" name="password" size=10>
</font></div></td>
<tr bgcolor="#FFFFFF">
<td height="30"><div align="center"><font size="1"><img src="images/login.gif" width="60" height="57"></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="submit" name="submit" value="Log In">
</font></div></td>
</table>
</form>
<?
} // Close tab
?>



somepage.php

<?php
session_start();
$_SESSION['current_page'] = $_SERVER['PHP_SELF'];
if ($_SESSION["status"] == null) {
header("Location:auth.php");
exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
hello
</body>
</html>
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
it is taking my back to the auth.php script! when i login

[!--quoteo(post=375930:date=May 22 2006, 02:17 AM:name=Crayon Violent)--][div class=\'quotetop\']QUOTE(Crayon Violent @ May 22 2006, 02:17 AM) [snapback]375930[/snapback][/div][div class=\'quotemain\'][!--quotec--]
so what exactly is not working? is it not logging you in? is it logging in, but not redirecting you back to the page you tried to access? be specific please
[/quote]
.josh Advanced Member

.josh

Posted
Posted
okay in auth.php, change this block of code up a bit (add the red parts):

[!--quoteo--][div class=\'quotetop\']QUOTE[/div][div class=\'quotemain\'][!--quotec--]
if ($name == "test" && $password == "test")
{
$_SESSION["status"] = "Logged";
$_SESSION['username'] = $name;
$_SESSION['password'] = $password;
[b][!--coloro:red--][span style=\"color:red\"][!--/coloro--]if ($_SESSION['current_page']) {[!--colorc--][/span][!--/colorc--][/b]
header ("Location: " . $_SESSION['current_page']);
[b][!--coloro:red--][span style=\"color:red\"][!--/coloro--]} else {
header ("Location: welcome.php");
}[!--colorc--][/span][!--/colorc--][/b]
exit;
}
[/quote]
[b]welcome.php[/b] would be the standard page the user would see if they are logging in for real for the first time.

also, in "somepage.php" you need to changed this line:

[b] if ($_SESSION["status"] == null) {[/b]

to

[b] if ($_SESSION["status"] != "Logged") {[/b]

because in your auth.php you set it to "Not Logged" if they fail to login, so all the user would have to do is fail to log in and then go back to the page, and they will be able to access it, because then it wouldn't be null anymore. Either do that, or don't set it to anything if they fail to log in.
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
i now this ......



if the member has not logged in then the login box shows if they have then it is not show









<? // index.php
$pagetitle = "Home Page";
$_SESSION['ref'] = "index.php";
include("header.php");
?>
<table width="527" height="417" border="0">
<tr>
<td width="511" height="358" valign="top">&nbsp;</td>
</tr>
</table>
<?
include("footer.php");
?>








<?php // header.php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title><? echo($pagetitle);?></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<table width="527" height="71" border="0">
<tr>
<td height="21" colspan="7"><div align="center">site name</div></td>
</tr>
<tr>
<td height="21"><div align="center">
<? if ($_SESSION["loggedin"] != "loggedin") {
?>
<a href="auth.php">logout
<?
} else {
echo("logout");
}
?>
<? if ($_SESSION["loggedin"] != "loggedin") {
?>
</a>
<?
}
?>
</div></td>
<td><div align="center">members area</div></td>
<td><div align="center"> index2</div></td>
<td><div align="center"> index3</div></td>
<td><div align="center">search</div></td>
<td><div align="center">forum</div></td>
<td><div align="center">signup</div></td>
</tr>
<?
if (!$_SESSION["loggedin"] == "loggedin") {
?>
<tr>
<td height="21" colspan="7">
<div align="center">


<? //login
if(!$_SESSION['loggedin'] != "loggedin") {
//PLEASE DO NOT USE THIS QUERY MAKE UP YOUR OWN AND SANATIZE THE INPUTS
$query = "SELECT COUNT(*)
FROM your_user_table
WHERE username='$_POST[username]' AND password=MD5($_POST[password])";
//execute query here

//temporary
$valid = ($_POST['username'] == 'test' && $_POST['password'] == 'test');

//if user is valid
if($valid) {
//set cookie here

setcookie('login',md5(time()),time() + 60);
$_SESSION['loggedin'] = "loggedin";
}
}
else {
?>
<form name="form1" method="post" action="">
<table width="200" border=0 align="center" cellpadding=0 cellspacing=0>
<tr bgcolor="#000000">
<td height="40" colspan="2"><div align="center"><strong><font color="#FFCC66" size="2">.:
Login :.</font></strong></div></td>
</tr>
<tr bgcolor="#FFCC66">
<td width="92" height="30"><div align="right"><font size="3"><strong>Username:</strong></font></div></td>
<td width="83" height="30"><div align="center"> <font size="1">
<input type="text" name="username" size=10>
</font></div></td>
<tr bgcolor="#FFCC66">
<td height="30"><div align="right"><font size="3"><strong>Password:</strong></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="password" name="password" size=10>

</font></div></td>
</tr>
<tr bgcolor="#FFFFFF">
<td height="30"><div align="center"><font size="1"><img src="images/login.gif" width="60" height="57"></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="submit" name="submit" value="Log In">
</font></div></td>
</tr>
</table>
</form>
<? }//end of login
?>









footer.php



</div>
</td>
</tr>
<?
}
?>
</table>










<?php //login.php
session_start();
if(!empty($_POST)) {
//PLEASE DO NOT USE THIS QUERY MAKE UP YOUR OWN AND SANATIZE THE INPUTS
$query = "SELECT COUNT(*)
FROM your_user_table
WHERE username='$_POST[username]' AND password=MD5($_POST[password])";
//execute query here

//temporary
$valid = ($_POST['username'] == 'test' && $_POST['password'] == 'test');

//if user is valid
if($valid) {
//set cookie here

setcookie('login',md5(time()),time() + 60);
$_SESSION['loggedin'] = "loggedin";
header("Location: $_SESSION[ref]");
}
else {
header("Location: $_SERVER[PHP_SELF]");
}
}
else {
?>
<?
$pagetitle = "template";
include("header.php");
?>
<table width="527" height="417" border="0">
<tr>
<td width="511" height="358" valign="top">
<form name="form1" method="post" action="">
<table width="200" border=0 align="center" cellpadding=0 cellspacing=0>
<tr bgcolor="#000000">
<td height="40" colspan="2"><div align="center"><strong><font color="#FFCC66" size="2">.:
Login :.</font></strong></div></td>
</tr>
<tr bgcolor="#FFCC66">
<td width="92" height="30"><div align="right"><font size="3"><strong>Username:</strong></font></div></td>
<td width="83" height="30"><div align="center"> <font size="1">
<input type="text" name="username" size=10>
</font></div></td>
<tr bgcolor="#FFCC66">
<td height="30"><div align="right"><font size="3"><strong>Password:</strong></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="password" name="password" size=10>

</font></div></td>
</tr>
<tr bgcolor="#FFFFFF">
<td height="30"><div align="center"><font size="1"><img src="../testlogin/images/login.gif" width="60" height="57"></font></div></td>
<td height="30"><div align="center"> <font size="1">
<input type="submit" name="submit" value="Log In">
</font></div></td>
</tr>
</table>
</form>
</td>
</tr>
</table>
<?
include("footer.php");
?>
<?php }//end
?>









<?php //auth.php
session_start();
header("Cache-control: private");

if(empty($_COOKIE['login'])) {
header("Location: $ref");
}
elseif(isset($_COOKIE['login'])) {
//execute your time checking query here if valid set $valid to true
$valid = isset($_COOKIE['login']);
if($valid) {
$ref = $_SESSION['ref'];
unset($_SESSION['ref']);
header("Location: $ref");
}
else {
setcookie('login','',time() - 3600); //expire cookie
$_SESSION['loggedin'] = "loggedout";
header("Location: $ref");
}
}
else {
//do nothing, just go to page execution
}
?>
DapperDanMan Newbie

DapperDanMan

Posted
Posted
[!--quoteo(post=376252:date=May 23 2006, 02:44 AM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 23 2006, 02:44 AM) [snapback]376252[/snapback][/div][div class=\'quotemain\'][!--quotec--]
<form name="form1" method="post" action="">
[/quote]
I am a new guy to php, but I believe this is at least one line that is a code breaker. You keep mentioning that it goes back to "auth.php" which is the file you keep posting. The above is a line from that page, and I think you need an action for the page to do, otherwise you will not go anywhere. Try placing the page name that you want the page to go to in the action area and see if that fixes anything.

For double checking a login, I simply use on everypage:
[!--quoteo--][div class=\'quotetop\']QUOTE[/div][div class=\'quotemain\'][!--quotec--]
session_start();
if (!$_SESSION[login]) {
header("Location: index.html");
}
else if ($_SESSION[login] == ....) {
....
}
[/quote]

It just checks for the session tag, if it is not there, it redirects back to the page in the header, otherwise it does anything I want it to do. I have it setup to have two levels of access, and it works fine. Maybe not the most secure, I am sure someone could enlighten me on that. ::grin::

I hope that helps you to some degree.

-DapperDanMan
.josh Advanced Member

.josh

Posted
Posted
okay so i'm looking through your code and you have not even used half of what i suggested. you seem to have picked and chosen what you did and did not want to use, and you can't do that. i'm not even going to point out what's wrong in that long list of files you just posted, because i would just be repeating myself. my last piece of advice to you is to ditch all of that, as there are many, many bugs in it, from logic to typos, and start all over again.

i'm not trying to be a jerk, but there's no point in me helping if you aren't going to listen.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.