
So a login script is supposed to redirect you to the members area, but what security should the members area have?

 

Login.php -> members.php

 

What's stopping someone from just typing www.site.com/members.php?

What can I do so you have to log in via login.php to be able to see members.php?

https://forums.phpfreaks.com/topic/159765-login-redirect-security/

When login.php okays the credentials, you should set a session variable 'logged_in' or a cookie, and then in all the members' areas, check:

session_start();
if (empty($_SESSION['logged_in'])) {   // login.php never set the flag
    header('Location: login.php');
    exit;
}

Cookies are generally easy to forge. What I am setting up won't be that complex, so I am not so sure about the security of using cookies, but can you give me a link or something to point me in the right direction in making something relatively secure?

 

A quick example written here and now. Don't know if there are bugs, but I hope it shows a good quick understanding.

register.php

<?php session_start();
// database connection.
// create a database for members.
// table members: id, username, password
// page name register.php
// create a form to get the user's information so they can log in.
// basic example, will need to add loads of security code.

if (isset($_POST['submit'])) {
    if (isset($_POST['username'], $_POST['password'])) {
        // escape the values before putting them in the query string
        $username = mysql_real_escape_string($_POST['username']);
        $password = md5(mysql_real_escape_string($_POST['password']));

        $sql1 = "INSERT INTO members(username,password) VALUES('$username','$password')";
        $res1 = mysql_query($sql1) or die("Insert username password error" . mysql_error());

        // go to login page.
        if ($res1) {
            header("location: login.php");
            exit;
        } else {
            echo "Sorry we got a database problem!";
            exit;
        }
    }
}

echo "<center>
      <form method='POST'>
      Please enter a username
      <br>
      <input type='text' name='username'>
      <br><br>
      Please enter a password
      <br>
      <input type='password' name='password'>
      <br><br>
      <input type='submit' name='submit' value=' register me!'>
      </form>
      </center>";
?>

 

login.php

<?php session_start();
// database connection.
// page name login.php

if (isset($_POST['submit'])) {
    if (isset($_POST['username'], $_POST['password'])) {
        // escape the values before putting them in the query string
        $username = mysql_real_escape_string($_POST['username']);
        $password = md5(mysql_real_escape_string($_POST['password']));

        $sql1 = "SELECT * FROM members WHERE username='$username' AND password='$password'";
        $res1 = mysql_query($sql1) or die("Select username password error" . mysql_error());

        if (mysql_num_rows($res1)) {
            // the user exists in the database: remember them and go to members.php.
            $data = mysql_fetch_assoc($res1);
            $_SESSION['username'] = $data['username'];
            $_SESSION['id'] = $data['id'];
            header("location: members.php");
            exit;
        } else {
            header("location: register.php");
            exit;
        }
    }
}

echo "<center>
      <form method='POST'>
      Please enter a username
      <br>
      <input type='text' name='username'>
      <br><br>
      Please enter a password
      <br>
      <input type='password' name='password'>
      <br><br>
      <input type='submit' name='submit' value=' login!'>
      </form>
      </center>";
?>

 

members.php

<?php session_start();
// page name members.php

// no username/id in the session means login.php never ran: send them to register.
if (empty($_SESSION['username']) || empty($_SESSION['id'])) {
    header("location: register.php");
    exit;
}

echo "hello {$_SESSION['username']} your id is {$_SESSION['id']}";
?>
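The same register, login and members flow as an added example (my code, not the poster's and not from phpfreaks): it replaces md5() with password_hash()/password_verify(), replaces mysql_real_escape_string() with a parameterised PDO query, and regenerates the session id on login. The table name `members` comes from the post; the `password_hash` column name, the helper names and the SQLite in-memory database (used only so the file runs stand-alone) are assumptions.

```php
<?php
// Added example, not code from the thread. Same register -> login -> members
// flow, but with password_hash()/password_verify() instead of md5(), a
// parameterised query instead of mysql_real_escape_string(), and a session
// id regenerated on login. Table name "members" is from the post; the column
// name "password_hash" and the SQLite in-memory database (so the file runs
// stand-alone) are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS members (
                    id INTEGER PRIMARY KEY AUTOINCREMENT,
                    username TEXT NOT NULL UNIQUE,
                    password_hash TEXT NOT NULL)');
    return $pdo;
}

// register.php: store a salted, slow hash; never the password or an md5 of it.
function register_user(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || strlen($password) < 8) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
    try {
        return $stmt->execute([':u' => $username,
                               ':h' => password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {        // UNIQUE violation: name already taken
        return false;
    }
}

// login.php: fetch by username only and let PHP check the hash, so the
// password never becomes part of an SQL string.
function login_user(PDO $pdo, string $username, string $password): bool
{
    static $dummy = null;              // hash to verify against when the user is unknown,
    $dummy ??= password_hash('no-such-user', PASSWORD_DEFAULT); // keeps timing similar
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);
    if ($row === false || !$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // new id on privilege change (session fixation)
    }
    $_SESSION['id']        = (int) $row['id'];
    $_SESSION['username']  = $row['username'];
    $_SESSION['logged_in'] = true;     // the flag members.php checks
    return true;
}

// Stand-alone demo with constructed input; on a web server register.php and
// login.php would call these with $_POST values after session_start().
if (PHP_SAPI === 'cli') {
    $pdo = connect();
    $results = [
        'register alice' => register_user($pdo, 'alice', 'correct horse battery'),
        'register again' => register_user($pdo, 'alice', 'correct horse battery'),
        'wrong password' => login_user($pdo, 'alice', 'wrong password!'),
        'unknown user'   => login_user($pdo, 'mallory', 'correct horse battery'),
        'right password' => login_user($pdo, 'alice', 'correct horse battery'),
    ];
    var_dump($results, $_SESSION['username'] ?? null);
}
```

Run it with `php auth_example.php`: only the last login returns true, and only then does `$_SESSION` hold the username, which is exactly what a members page should rely on.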

If it's only for one person then just tell that person to not type in that page directly.  That or use password protected directories through your .htaccess file with your host.  If your site has a control panel there is most likely something in there for setting up password protected directories and you won't have to do any other coding.

 

My other option would be to assign a few random numbers and store them in the session ONLY when the person has logged in.  After that you could check those values in your code to make sure they matched exactly.  Yes, session variables are not 100% secure, but using this method would require a hacker to know all of the values exactly.  Do something like this...

 

login.php

<?php
session_start();

// do all of this after you have confirmed the user has the correct username and password...
$_SESSION['key1'] = "83262";
$_SESSION['key2'] = "r4ycghg892r3";
$_SESSION['key3'] = "pkhfgsad";
?>

 

members.php

<?php
session_start();

if ($_SESSION['key1'] != "83262" || $_SESSION['key2'] != "r4ycghg892r3" || $_SESSION['key3'] != "pkhfgsad") {
    header("location: register.php");
    exit;   // stop here so the members-only content below is never sent
}

// you are now logged in!!!
?>

 

The only way for someone to get past that would be if they happened to know those exact three values.  You could make it more secure by making them longer and/or by adding more keys.  Let us know what you do.


Cookies might be easy to forge, but you can use session cookies and regenerate them on every page request. If you're really paranoid, use SSL, or maybe Apache's .htpasswd would suit your needs?


Good idea.

 

<?php
if($_POST['Submit'] == 'Login') {
if($_POST['myusername'] == "joe" && $_POST['mypassword'] == "bloggs") {
    $_SESSION['key1']="83262";
    $_SESSION['key2']="r4ycghg892r3";
    $_SESSION['key3']="pkhfgsad";
    header("Location:members.php");
    exit();
}
else {
     print "Incorrect login";
}
}
?>

But how come when I check my cookie manager no new cookies are created? Shouldn't the new code create a cookie with the 3 random values?

Cookies and Sessions are not exactly the same thing.  Cookies are stored on your computer and you can see them.  Session variables are stored on the server and are a little harder to modify by the user (but it's still possible).  All session variables are erased each time the user leaves the server (or based upon a predetermined set amount of time).  Each time your user goes back to the site they will have to log in again.  With cookies you could do stuff like "Keep me logged in for 1 week" or whatever it is that you like.
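As an added example of the "Keep me logged in for 1 week" idea mentioned above (my code, not from the thread or from phpfreaks): the cookie carries a random token, and only a SHA-256 of that token is kept server-side, so neither a database leak nor a guessed value yields a working cookie. The `$remember_tokens` array standing in for a database table, the cookie name `remember` and the function names are assumptions; `setcookie()` with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): a "keep me logged in" cookie. The
// browser gets a random token; the server keeps only its hash, with an
// expiry, and each token is single-use so a copied cookie stops working
// once the real owner comes back. Storage is an in-memory array here,
// standing in for a DB table (constructed for the demo).
declare(strict_types=1);

const REMEMBER_TTL = 7 * 24 * 3600;      // "1 week"
$remember_tokens = [];                    // sha256(token) => ['user_id' => .., 'expires' => ..]

function issue_remember_cookie(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, 64 hex chars
    $store[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => $now + REMEMBER_TTL];
    if (PHP_SAPI !== 'cli') {             // no headers to send when run from the shell
        setcookie('remember', $token, [
            'expires'  => $now + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,           // only sent over HTTPS
            'httponly' => true,           // not readable by page scripts
            'samesite' => 'Lax',
        ]);
    }
    return $token;
}

// Returns the user id the cookie stands for, or null if it is missing,
// malformed, unknown, expired or already used.
function user_from_remember_cookie(array &$store, ?string $cookie, int $now): ?int
{
    if ($cookie === null || strlen($cookie) !== 64 || !ctype_xdigit($cookie)) {
        return null;                      // reject anything that is not a token we issued
    }
    $key = hash('sha256', $cookie);
    if (!isset($store[$key])) {
        return null;
    }
    $rec = $store[$key];
    unset($store[$key]);                  // single use: the caller issues a fresh one
    if ($rec['expires'] < $now) {
        return null;
    }
    return $rec['user_id'];
}

// Stand-alone demo with constructed values.
if (PHP_SAPI === 'cli') {
    $now   = time();
    $token = issue_remember_cookie($remember_tokens, 42, $now);
    var_dump(user_from_remember_cookie($remember_tokens, $token, $now));                   // int(42)
    var_dump(user_from_remember_cookie($remember_tokens, $token, $now));                   // NULL, used up
    var_dump(user_from_remember_cookie($remember_tokens, str_repeat('0', 64), $now));      // NULL, unknown
    $late = issue_remember_cookie($remember_tokens, 42, $now);
    var_dump(user_from_remember_cookie($remember_tokens, $late, $now + REMEMBER_TTL + 1)); // NULL, expired
}
```

On a real page, a successful `user_from_remember_cookie()` result should be followed by `session_regenerate_id(true)`, setting the session flag, and issuing a replacement cookie, so the persistent cookie only ever bootstraps a normal server-side session.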


That seems much more secure, thanks for explaining.

But I am still having problems with it.

I put this:

$_SESSION['key1']="83262";
$_SESSION['key2']="r4ycghg892r3";
$_SESSION['key3']="pkhfgsad";

under "if login is correct", and then once it redirects to member.php:

<?php
session_start();

if($_SESSION['key1'] != "83262" || $_SESSION['key2'] != "r4ycghg892r3" || $_SESSION['key3'] != "pkhfgsad")
{
   header("location: log.php");
}

?>

--html code

 

But it comes up with this error:

Forbidden

You don't have permission to access /chris/Files/member.php on this server.

That to me looks more like a permissions/ownership issue with the file itself versus a PHP error.

 

Didn't your file name have an "s" at the end of it??

member.php versus members.php

 

Look into that and go on from there.

<?php
session_start();

if($_SESSION['key1'] != "83262" || $_SESSION['key2'] != "r4ycghg892r3" || $_SESSION['key3'] != "pkhfgsad")
{
   header("location: .php");
}

?>

Is the redirecting meant for people who don't have the correct session? Because I keep getting redirected to the .php file I entered in header().

I'm guessing that the correct values are not stored in the session.  You need session_start() at the top of ALL pages that use sessions...

 

Your login page...

<?php
session_start();

if($_POST['Submit'] == 'Login') {
if($_POST['myusername'] == "joe" && $_POST['mypassword'] == "bloggs") {
    $_SESSION['key1']="83262";
    $_SESSION['key2']="r4ycghg892r3";
    $_SESSION['key3']="pkhfgsad";
    header("Location:members.php");
    exit();
}
else {
     print "Incorrect login";
}
}
?>

 

Then just for testing reasons do the following on the members.php page...

<?php
session_start();

echo "<b>Session Variable List:</b><br />\n";
echo "Key 1: ".$_SESSION['key1']."<br />\n";
echo "Key 2: ".$_SESSION['key2']."<br />\n";
echo "Key 3: ".$_SESSION['key3']."<br />\n";

if($_SESSION['key1'] != "83262" || $_SESSION['key2'] != "r4ycghg892r3" || $_SESSION['key3'] != "pkhfgsad")
{
   echo "You have the incorrect login info.";
}

else
{
  echo "You are now logged in.";
}

?>

 

The IF statement basically says...

IF any of the session variables do not match THEN redirect them back to another page.  Otherwise (else) show them the stuff you want to show them.

 

Whenever you are unsure about something echo it to the screen to see the value of the variables.  Just do that for testing and then remove all of the echo stuff prior to going live with your site.


Copied the exact code, and I get this on the page (all the key variables are blank):

Session Variable List:
Key 1:
Key 2:
Key 3:
You have the incorrect login info. 

 

Is it my PHP host? I am using a free PHP host right now, but I have a subscription to GoDaddy. Do you suggest I try it on GoDaddy?

Did you add the session_start() to the top of your login page?  Not very likely that it is the hosting company.

Yep.

 

login.php

<?php
session_start();

if($_POST['Submit'] == 'Login') {
if($_POST['myusername'] == "joe" && $_POST['mypassword'] == "bloggs") {
    $_SESSION['key1']="83262";
    $_SESSION['key2']="r4ycghg892r3";
    $_SESSION['key3']="pkhfgsad";
    header("Location:members.php");
    exit();
}
else {
     print "Incorrect login";
}
}
?>

--login form code

 

members.php

<?php
session_start();

echo "<b>Session Variable List:</b><br />\n";
echo "Key 1: ".$_SESSION['key1']."<br />\n";
echo "Key 2: ".$_SESSION['key2']."<br />\n";
echo "Key 3: ".$_SESSION['key3']."<br />\n";

if($_SESSION['key1'] != "83262" || $_SESSION['key2'] != "r4ycghg892r3" || $_SESSION['key3'] != "pkhfgsad")
{
   echo "You have the incorrect login info.";
}

else
{
  echo "You are now logged in.";
}

?>

 

After login redirects me to members.php, all the variables to the right of 'key' are blank.

Try it on GoDaddy.  Maybe your host doesn't allow it, though I doubt it.

I changed some of the code and got it to work.

 

Thanks everyone for the help.

 

One simple last question lol and then I've got everything I need.

if($_SESSION['key1'] != "83262" || $_SESSION['key2'] != "r4ycghg892r3" || $_SESSION['key3'] != "pkhfgsad")
{
   //echo "You have the incorrect login info.";
   header("Location:error.html");
}

else
{
  echo "You are now logged in.";
}

?>

How come when I echoed

echo "You have the incorrect login info.";

this came up if the session wasn't found, but it's not redirecting with

header("Location:error.html");

?
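For the redirect-that-does-not-redirect problem, here is a members-page guard as an added example (my code, not the poster's and not from phpfreaks). It makes the two points that matter: `header()` only queues the redirect, so the script must `exit` or the protected content is still sent, and once any output has gone to the browser (HTML before the `<?php` tag, an earlier `echo`, even a blank line) the `Location` header can no longer be sent at all. The `require_login()` name, the `logged_in` flag and the `login.php` target are assumptions; the same guard works with the thread's `key1`/`key2`/`key3` comparison in place of the flag.

```php
<?php
// Added example (not from the thread). Members-page guard that really stops
// the script. Must be the very first thing in the file: any output before
// this point makes header() impossible (headers_sent() becomes true).
declare(strict_types=1);
session_start();

function require_login(string $loginPage = 'login.php'): void
{
    if (!empty($_SESSION['logged_in'])) {    // flag set by login.php after a good password
        return;                              // authenticated: let the page render
    }
    if (headers_sent($file, $line)) {
        // Too late to redirect. Say where output started (visible in the error
        // log) and stop, rather than falling through to the members-only HTML.
        error_log("cannot redirect: output already started at $file:$line");
        exit('Please log in first.');
    }
    header('Location: ' . $loginPage, true, 303);
    exit;                                    // without this the protected content is sent anyway
}

require_login();

// --- members-only page from here on ---
echo 'Hello ', htmlspecialchars((string) $_SESSION['username']), ', you are logged in.';
```

Run from the shell with no session it simply exits, which is the correct behaviour for an anonymous visitor; on a web server the visitor gets a 303 to login.php and never sees the greeting.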
