
[SOLVED] secure login/ sessions


bossman


I have successfully completed building my backend admin for my project management tool. It is complete with a login, which takes you to a view-all page, and from there you can add, edit or delete projects. But as of now, a user can easily bypass my login page and get right to the admin without logging in. Here's what I have done....

 

set up a database table with uid (user_id), uname (username), and upassword (user password)....

 

manually entered user names and passwords to be used into the rows....

 

Here's my code for the login page itself....

 

<div style="margin-left:100px;">

<table width="200" align="left">

<form action="login_process.php" method="POST">

 

<label><strong>Username:</strong></label><br/><input type="text" name="formname"/><br/>

<label><strong>Password:</strong></label><br/><input type="password" name="formpass"/><br/><br/>

<input type="submit" value="enter"/>

 

</form>

<?php

if (isset($_GET['error'])){

print "<div class='error'>Please make sure you typed in the correct name and password</div>";

}

?>

<br/>

</table>

</div>

 

and here's what I have for the login_process page...

 

<?php

include("inc/db_connect.php");

//store the login form info into var's...

$uname=$_POST['formname'];

$upass=$_POST['formpass'];

//connect to server...

// Opens a connection to a MySQL server

$connection=mysql_connect ($h, $u, $p);

if (!$connection) {

  die('Not connected : ' . mysql_error());

}

 

// Set the active MySQL database

$db_selected = mysql_select_db($d, $connection);

if (!$db_selected) {

  die ('Can\'t use db : ' . mysql_error());

}

//construct a query...

$query="SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass'";

 

//print $query;

//run the query...

$result=mysql_query($query);

//print($result)?"Query OK":"Query failed.";

//if there was a matching row in the db...

if($row=mysql_fetch_array($result)){

//print "valid user";

//print session_id();

//store some info in sessionvariables so we can look at it page after page...

$_SESSION['username']=$uname;

$_SESSION['userID']=$row['uid'];

//redirect to View All...

header('Location: admin_index.php');
exit; // header() does not end the script; stop here so nothing else runs after the redirect

//otherwise the user must be illegal...

}else{

//print "invalid user";

//close connections

header('Location: index.php?error=yes');
exit;

}

?>

 

So... I've gotten it set up so that the user must enter the correct username and password to enter, but the site is still not secure. Can anybody give me a push in the right direction as to the most simple and easiest solution to implement into what I've got already? What would be ideal is to set it up so that if they TRY to bypass my login page, regardless of what page they try to get to, they will be redirected to the login page no matter what, unless they are already logged in. Is there an easy way to do this?

 

 


You need to include something on your login page to check if a valid user is logged in. If they aren't, throw an error and prompt/re-direct them to login.

 

Also, you need to read up on PHP security. Don't construct your SQL query without sanitising and validating your POST data, or you'll leave yourself wide open to SQL injection and other potential problems. As a start, have a function at the top of your page, something like:

 

function clean($variable) {
    // trim whitespace, then escape quotes and other characters that are special inside a SQL string
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

 

and instead of

$uname=$_POST['formname'];

have

$uname=clean($_POST['formname']);

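The reply above recommends escaping the POST fields before they are pasted into the query string. The mysql_* extension it relies on was removed in PHP 7.0, and escaping is the weaker of the two fixes for this query in any case: the standard approach is to keep user input out of the SQL text entirely with a prepared statement, and to store a password hash rather than the password. The following is an added example, not code from the thread or its author; it assumes PDO is available and that user_table.upassword holds a password_hash() digest instead of the plain-text password that was entered by hand. An in-memory SQLite database stands in for the MySQL server so the example runs offline; the SELECT is identical on MySQL.

```php
<?php
// Added example (not code from the thread): the same login lookup written with
// PDO prepared statements and hashed passwords. Assumptions: PDO is installed,
// and user_table.upassword holds a password_hash() digest, not the plain text.
declare(strict_types=1);

/**
 * Return the uid for a matching username/password, or null on failure.
 * The username travels as a bound parameter, so it is compared as a literal
 * even if it contains quotes; the password never reaches the SQL at all.
 */
function authenticate(PDO $db, string $uname, string $upass): ?int
{
    $stmt = $db->prepare('SELECT uid, upassword FROM user_table WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, against a throwaway hash when the user is
    // unknown, so the response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = ($row !== false) ? $row['upassword'] : $dummyHash;

    if (password_verify($upass, $hash) && $row !== false) {
        return (int) $row['uid'];
    }
    return null;
}

/** Insert a user with a hashed password; this is how rows should be created. */
function createUser(PDO $db, string $uname, string $upass): void
{
    $stmt = $db->prepare('INSERT INTO user_table (uname, upassword) VALUES (:u, :p)');
    $stmt->execute([':u' => $uname, ':p' => password_hash($upass, PASSWORD_DEFAULT)]);
}

// Constructed demo data: an in-memory SQLite database stands in for MySQL so
// the example runs offline; the SQL above is the same on both.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_table (uid INTEGER PRIMARY KEY, uname TEXT UNIQUE, upassword TEXT)');
createUser($db, 'bossman', 'correct horse battery staple');

$cases = [
    ['bossman', 'correct horse battery staple'],   // right password
    ['bossman', 'wrong'],                          // wrong password
    ["bossman' OR '1'='1", 'anything'],            // input that breaks the thread's string-built query
];
foreach ($cases as [$u, $p]) {
    $uid = authenticate($db, $u, $p);
    printf("%-25s -> %s\n", $u, $uid === null ? 'rejected' : "uid $uid");
}
```

With the thread's original query, `SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass'`, the third username turns the WHERE clause into `uname='bossman' OR '1'='1' AND upassword='anything'`, which is true for the bossman row whatever the password is. Bound as a parameter, it is just a username nobody has, so the lookup finds no row and the attempt is rejected; only the first case returns a uid.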

Yes you should be validating the code on the same page that you are constructing your search query.

 

Regarding the function, you do not need to change the name of $variable, it is only used by that function to tell it to expect a variable. You can then type clean($_POST['your_var']); instead of just $_POST['your_var']; and it will sanitise whatever variable is passed to it and return the result with any bad/malicious data neutralised. You should also perform some validation to make sure the data being passed onto your page is what you are expecting.

 

All you are doing at the moment is re-directing people to admin_index.php if their record has been found in the db, you need to add some code to admin_index to make sure they are logged in, and re-direct them back to the login page if not. This will stop people from being able to directly access your 'member-only' pages.


$_SESSION['username']=$uname;

$_SESSION['userID']=$row['uid'];

 

Since I have that code right there, will I need to add a session_start(); anywhere? Or is that code already initiating the session? I'm not new to PHP, but I'm new to the security aspect of it. I'm pretty sure I know what's going on, just a little confused, that's all; I'm not sure exactly what all needs to be done to implement this simple function. All your help is appreciated.


I think something is off; it won't let me log in now, even with the correct username and password.

 

<?php

session_start();

 

include("inc/db_connect.php");

 

function clean($variable) {

$variable = mysql_real_escape_string(trim($variable));

return $variable; 

}

 

//store the login form info into var's...

$uname=clean($_POST['formname']);

$upass=clean($_POST['formpass']);

//connect to server...

// Opens a connection to a MySQL server

$connection=mysql_connect ($h, $u, $p);

if (!$connection) {

  die('Not connected : ' . mysql_error());

}

 

// Set the active MySQL database

$db_selected = mysql_select_db($d, $connection);

if (!$db_selected) {

  die ('Can\'t use db : ' . mysql_error());

}

//construct a query...

$query="SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass' ";

 

//print $query;

//run the query...

$result=mysql_query($query);

//print($result)?"Query OK":"Query failed.";

//if there was a matching row in the db...

if($row=mysql_fetch_array($result)){

//print "valid user";

//print session_id();

//store some info in sessionvariables so we can look at it page after page...

$_SESSION['username']=$uname;

$_SESSION['userID']=$row['uid'];

//redirect to View All...

header('Location: admin_index.php');
exit;

//otherwise the user must be illegal...

}else{

//print "invalid user";

//close connections

header('Location: index.php?error=yes');
exit;

}

?>


I echoed $uname and $upass on the process page and it didn't echo anything. I just tried getting rid of all the edits you recommended, and it's working again now... so I'm going to try adding in each part one by one and determine what is causing it not to work....


I suspect your problem is related to your DB connection. mysql_real_escape_string requires a valid connection because it is part of the mysql group of functions. Why don't you move your entire DB connect statement (including the mysql_select_db bit) into db_connect.php and make sure it is above the mysql_real_escape_string function.


OK, I will try that. Before I read your last two posts, I had determined that the error was here...

 

$uname=clean($_POST['formname']);

$upass=clean($_POST['formpass']);

 

After I added the 'clean' in there, it stopped working; the function clean($variable) {..... didn't screw anything up, and neither did the session_start();


OK, your suggestion worked, although I didn't move the code to a new page; I just put it in a different spot, like here...

 

<?php

session_start();

 

include("inc/db_connect.php");

 

//connect to server...

// Opens a connection to a MySQL server

$connection=mysql_connect ($h, $u, $p);

if (!$connection) {

  die('Not connected : ' . mysql_error());

}

 

// Set the active MySQL database

$db_selected = mysql_select_db($d, $connection);

if (!$db_selected) {

  die ('Can\'t use db : ' . mysql_error());

}

 

 

 

// escaping needs the open connection above, which is why this now sits after mysql_connect()
function clean($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

 

//store the login form info into var's...

$uname=clean($_POST['formname']);

$upass=clean($_POST['formpass']);

 

//construct a query...

$query="SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass'";

 

//print $query;

//run the query...

$result=mysql_query($query);

//print($result)?"Query OK":"Query failed.";

//if there was a matching row in the db...

if($row=mysql_fetch_array($result)){

//print "valid user";

//print session_id();

//store some info in sessionvariables so we can look at it page after page...

$_SESSION['username']=$uname;

$_SESSION['userID']=$row['uid'];

//redirect to View All...

header('Location: admin_index.php');
exit;

//otherwise the user must be illegal...

}else{

//print "invalid user";

//close connections

header('Location: index.php?error=yes');
exit;

}

?>

 

So now it's logging in, no errors.... Where do I go from here?

 


Well, there are a few ways you can go. You could handle your entire login using sessions, or you could construct and use a cookie to store login information. I'm guessing you'll want to stick with sessions, so you now need to check that a user is logged in before they can access a members-only page. You still really need to read up on the security and validation side of things, but basically you'll want something at the top of your admin page similar to

 

session_start();
if (!isset($_SESSION['userID'])) {
    // redirect user to login screen or prompt to login
    header('Location: index.php');
    exit; // stop here so the rest of the admin page is not sent
}

 

That will at least check to see if a UID is set, but it is by no means a complete working solution. Hopefully you get the idea anyway

 


Yes, otherwise somebody would be able to enter the direct URL of whatever page they want to see and would be able to access it without having to log in. It's a very basic start, but checking for the existence of a UID before allowing access to the page would work. Your login script now has 3 distinct parts:

 

1. Take the username & password entered and check the database for that particular member

2. If the member exists, assign a session variable called userID and re-direct them to admin_index.php

3. On admin_index.php, check that userID is set and re-direct if not

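The two replies above describe the three-part flow (look the user up, set userID in the session and redirect, check userID at the top of every admin page) and note that the isset check is a start rather than a complete solution. What a practitioner would add on top of it: regenerate the session id at login so a session id fixed before authentication is useless afterwards, give the session an idle timeout, harden the cookie flags, and put exit after the redirect, because header() on its own does not stop the script and the admin page would still be sent to a client that ignores the Location header. The block below is an added example, not code from the thread; the file name inc/auth_check.php, the 30-minute idle limit and the function names are assumptions.

```php
<?php
// Added example (not code from the thread): session helpers for the three-part
// login flow, plus the guard that admin pages call. Assumed file name:
// inc/auth_check.php. The idle limit is an assumed value.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the login expires

/** Harden the session cookie, then start (or resume) the session. */
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,    // the session id is not readable from JavaScript
        'secure'   => true,    // HTTPS only; set false only on a local HTTP dev box
        'samesite' => 'Lax',   // the cookie is not sent on cross-site POSTs
    ]);
    session_start();
}

/** True when the session carries a user id and has not been idle too long. */
function isLoggedIn(array $session, int $now): bool
{
    if (!isset($session['userID'], $session['lastActive'])) {
        return false;
    }
    return ($now - (int) $session['lastActive']) <= SESSION_IDLE_LIMIT;
}

/** Part 2: call this in login_process.php once the database lookup succeeds. */
function loginUser(int $uid, string $uname): void
{
    // A fresh id on privilege change stops session fixation: an id an attacker
    // planted before login no longer refers to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['userID']     = $uid;
    $_SESSION['username']   = $uname;
    $_SESSION['lastActive'] = time();
}

/** Wipe the session server-side and expire the cookie (logout, or a failed guard). */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Part 3: call this first thing on admin_index.php and every other admin page. */
function requireLogin(): void
{
    startSecureSession();
    if (!isLoggedIn($_SESSION, time())) {
        logoutUser();
        header('Location: index.php?error=yes');
        exit;   // header() alone does not stop the script; the admin page would still render
    }
    $_SESSION['lastActive'] = time();   // sliding idle window
}
```

In login_process.php, call startSecureSession() before touching $_SESSION and loginUser($row['uid'], $row['uname']) in the branch where the row was found, then redirect and exit. In admin_index.php and the add, edit and delete pages, the first lines are `require 'inc/auth_check.php'; requireLogin();`, before any HTML output, since headers cannot be sent once the body has started. Storing the username from the database row rather than from $_POST avoids keeping the escaped form input in the session.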

OK, did exactly as you suggested, and it's working. Although it's only a small framework that I plan to make more secure, this is the start that I needed. I appreciate your time on that one.

 

You're welcome, glad you've got something to start on. Click 'Resolved' in the bottom left corner of the thread to mark it as solved  ;)

