[SOLVED] help with authentication

[meomike2000]

I need some help getting started with a way to authenticate users as they sign on with there username and password. can somebody please point me in the right direction where i can find more info related to this.

 

i have a php script that allows input of username and password and then checks them against values in another script. not sure that is the correct way.

 

i also am currently using  <directory/my/directory/here></directory> style of authentication in apache config for my secure directory. this works and is secure, but is not very pleasing to the eye.

 

thanks mike.....

 

[phpdragon]

use sessions for authentication,

1 - Create a form to accept user name value and password value

2 - POST this form to your authentication script similar to the following, in this instance i am authenticating using users in a database, from a table called users.

<?php session_start();
include("data_connect.php");

$sql = "SELECT * FROM users WHERE user='" . $_POST['user'] . "' AND pass='" . $_POST['pass'] . "' AND status='active'";
$result = mysql_query($sql);

if ($result_row = mysql_fetch_array($result)) {
$_SESSION['user'] = $result_row["user"];
$_SESSION['type'] = $result_row["type"];
$_SESSION['userID'] = $result_row["userID"];
}

mysql_close($link);

if ( ! in_array ( $_SESSION['type'], array ( 'admin', 'reseller' )) )
{
header ( 'Location: login_error.php' );
exit ();
} else { header ( 'Location: user_control.php' ); }
?>

3. BE SURE to put

<?php if ( ! in_array ( $_SESSION['type'], array ( 'admin', 'reseller' )) )
{
header ( 'Location: login_error.php' );
exit ();
} ?>

at the top of every page you want these 2 authenticated type of users on.

 

This script relocates to login_error.php if user is not an admin or reseller user, and procedes to the first authenticated page if they are.

You can modify the user types to suit yourself as long as they match you DB

[npsari]

phpdragon, shouldnt the header() be at the top of the page before anything else

 

because when i try to connect to the database first and then use header(), i get an error

[phpdragon]

actually i did make an error but the header redirect is in the right spot, what i did forget tho is the session_start() tag which must be before anything else so the top of the page you want authentication on should be:-

 

<?php session_start();
if ( ! in_array ( $_SESSION['type'], array ( 'admin', 'reseller' )) )
{
header ( 'Location: login_error.php' );
exit ();
} ?>

 

That will redirect you if you are not an authenticated user, the header tag needs to be before the html, hence why this is at the top of every page to be authenticated on, before any html output

 

Regarding the connecting to a database possibly because you are outputting html after the connection, if you see i am outputting global session variables which are not part of any html until requested.

 

[phpdragon]

Also seeing I have implemented a login authentication system here I should note you also need a logout system aswell the following code will destroy the session and redirect you back to the main index.php page

 

<?php
session_start();
$_SESSION = array();
session_destroy(); 

header("Location: index.php");
?>

[meomike2000]

well i get this error

 

Warning: Cannot modify header information - headers already sent by (output started at /home/mike/Desktop/web/testdatabase.php:35) in /web/testdatabase.php on line 129

 

 

[meomike2000]

i figured this out, you can use header as long as there is no other output before it. the input form and sql query have to be on separate pages with no out put till you either get to the correct page you are logging into or get to the error login page.

 

thanks a bunch mike......

[phpdragon]

You can have it on the same page as the form, as I can see you have it down at line 129, what you do is you put it at the top of the page and only check it if submit button used, something like this,

 

<?php session_start();
if (isset($_POST['submit'])) {
include("data_connect.php");

$sql = "SELECT * FROM users WHERE user='" . $_POST['user'] . "' AND pass='" . $_POST['pass'] . "' AND status='active'";
$result = mysql_query($sql);

if ($result_row = mysql_fetch_array($result)) {
$_SESSION['user'] = $result_row["user"];
$_SESSION['type'] = $result_row["type"];
$_SESSION['userID'] = $result_row["userID"];
}

mysql_close($link);

if ( ! in_array ( $_SESSION['type'], array ( 'admin', 'reseller' )) )
{
header ( 'Location: login_error.php' );
exit ();
} else { header ( 'Location: user_control.php' ); }
}
?>
// add page and form here

 

and then as the action of the form action='<?php $_SERVER['PHP_SELF']?>'