Jump to content

PHP Login Script which uses username, password and IP address with session ID.

waffle247

By waffle247
in PHP Coding Help

 Share

Recommended Posts

waffle247 Newbie

waffle247

Posted
Posted

Hi,

 

I've been searching google alot for the last week trying to get a script which uses the session ID function so a user can login, get given a session ID and if their IP changes they are redirected to the login page again. I have found many different pages on the subject of this being insecure and more complex ways of securing it, even ways of doing it so that the IP is not a factor... thing is I want to show how the IP change logs the user out and how a static IP means the session remains logged in.

 

My code so far (the working bits of it at least) is this:

 

login.php


<?php
session_start();
if(isset($_POST['login']))
{
$password = $_POST['pswd'];
if ( $password == "mypassword" ) { //Replace mypassword with your password it login
    $_SESSION['phplogin'] = true;
    header('Location: index.php'); //Replace index.php with what page you want to go to after succesful login
    exit;
} else {
?>
<script type="text/javascript">
<!--
alert('Wrong Password, Please Try Again')
//-->
</script>
<?php
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> PHP Login </title>
</head>
<body>
<center>
Password:<br>
<form method="post" action="">
<input type="password" name="pswd">
<input type="submit" name="login" value="Login">
</form>
</center>
</body>
</html>

 

index.php


<?php session_start(); require 'approve.php'; ?> 
<html>

<a href=/hits.php>click me!</a>

</html>

 

approve.php

<?php
session_start();
if (!isset($_SESSION['phplogin'])
    || $_SESSION['phplogin'] !== true) {
    header('Location: login.php'); //Replace that if login.php is somewhere else
    exit;
}
?>

 

hits.php

<?php session_start(); require 'approve.php'; ?> 
<html>
<a href=/index.php>now click me!</a>
</html>

 

How would I extend this so that a username is included and the IP address is picked up for the session, so that if the IP changes the session would be invalid and logged out?

 

Thanks in advance!

Waffle247 (complete PHP noob I know :) )

Link to comment
Share on other sites
webref.eu Regular Member

webref.eu

Posted
Posted

In many login solutions, an include file is used to control access to a new page, which contains the various session variables.  So, if you somehow record the initial IP address to a session variable and then check the IP address session variable is the same each time a new page is requested by having this check in the include file. 

 

Hope that helps a bit. 

 

Rgds

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

In many login solutions, an include file is used to control access to a new page, which contains the various session variables.  So, if you somehow record the initial IP address to a session variable and then check the IP address session variable is the same each time a new page is requested by having this check in the include file. 

 

Hope that helps a bit. 

 

Rgds

 

Thanks, it's kind of helpful. I'm not sure how to write the include file which records the session variable or how to capture the IP address. I copied the code from a PHP tutorial on the subject and I keep seeing pages where people talk about this subject - I just want to try it out for myself so I can see the change in IP logging the session out.

 

thanks again,

Waffle247 (still a noob, I know :) )

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

hmm, maybe this is beyond me :(

 

all I've come up with in an hour is:

 

<?php 
echo $_SERVER[REMOTE_ADDR];
?>

 

and all that does is print out the IP on the screen... how do I put that into a file and associate it with the session ID that gets generated for the users session? I'm confused and hungry.  :-\

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

I changed the login.php script so it now says:

 

<?php
session_start();
$_SESSION['address']=$_SERVER['REMOTE_ADDR'];
if(isset($_POST['login']))
{
$password = $_POST['pswd'];
if ( $password == "mypassword" ) { //Replace mypassword with your password it login
    $_SESSION['phplogin'] = true;
    header('Location: index.php'); //Replace index.php with what page you want to go to after succesful login
    exit;
} else {
?>
<script type="text/javascript">
<!--
alert('Wrong Password, Please Try Again')
//-->
</script>
<?php
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> PHP Login </title>
</head>
<body>
<center>
Password:<br>
<form method="post" action="">
<input type="password" name="pswd">
<input type="submit" name="login" value="Login">
</form>
</center>
</body>
</html>

 

It doesn't log the user out if the IP doesn't match the one they logged in as though :(

 

How do I make it do that?

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

seems like I might be talking to myself but maybe someone can answer me this one:

 

I found this code:

 

if ( isset( $_SESSION['REMOTE_ADDR'] ) && $_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR'] )

 

can I use somthing like that in my approve.php file to do the job? any idea what the approve.php file would end up looking like in that case?

 

Thanks,

Waffle247 (officially up a creak with no paddle in site.. boom boom. :) )

Link to comment
Share on other sites
MiCR0 Member

MiCR0

Posted
Posted

Do not take this the wrong way but i think your trying to run before you can walk....

Best to use a Whole session Class system and then work along side that DB Esession is a very good and very easy session system to add into any website.

 

You see your going along the lines of comparing sessions which is best done with a Database with session cookie comparing and so on etc.

 

 

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

Do not take this the wrong way but i think your trying to run before you can walk....

Best to use a Whole session Class system and then work along side that DB Esession is a very good and very easy session system to add into any website.

 

You see your going along the lines of comparing sessions which is best done with a Database with session cookie comparing and so on etc.

 

Thanks, I checked out DB Esession but I've not been able to hook it into my website; the code is really beyond anything I can do with PHP. Thanks for the suggestion though.

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

I found this script and I'm pretty sure it has everything you need.

 

http://evolt.org/files/Login_System_v.2.0.zip

 

Thanks, it's lot's of files... eek!  ??? I'm not really sure what to do with them.. I have mySQL installed and can make the database but what do I do with my IIS settings? Now I'm really confused. Everytime I try some package like this I end up doing lots and not getting anywhere :(

Thanks again for the help.

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

I found this script and I'm pretty sure it has everything you need.

 

http://evolt.org/files/Login_System_v.2.0.zip

 

I think I can work out how to use this... except I don't know what I should call my database. The sql script says mydatabasename but I think it expects me to change that, only I can't find where in the PHP I should change the database name - can anyone help?

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

Could it be that the website can't find the database or something? It just gives me what looks like broken bits of php code :(

 

I don't have a php connector installed but I got the latest version of php downloaded and installed, I was under the impression that the db connector is built in on this version; is that right? Please help.. I feel like I'm going around in circles and never quite getting this to work.

Link to comment
Share on other sites
waffle247 Newbie

waffle247

Posted
  • Author
Posted

Hmm neither of the packages use IP in the DB. Does anyone know of a login system that uses IP addresses with user sessions?

 

Probably talking to myself again but in case anyone has any ideas....

 

the 2nd package has a table in the db that logs the IP address of the user... but it doesn't link it to a session ID. Is there anything out there that does this? What I want to do is on loads of sites as a bad idea, without examples of how to script it, but the whole idea is to show the change in IP logging the user out; I know that if users are behind a proxy that changes IP this will mean annoying user experience - that's the whole idea. I don't want to put the site up for anyone other than myself and I want to show the changes in IP causing the issue. I've searched loads of sites... it doesn't even have to be in PHP, I just want to show a logged in user changing IP and being logged out again. I thought it would be fairly straight forward but this is now my second week of trying to set this up :(

 

Any help would be very much appreciated.

 

Thanks,

Waffle247

Link to comment
Share on other sites
  • 2 weeks later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.