Multi-user login system


lingo5

Hi, I have done a simple user login system that allows for an admin to access a private control panel.

What I need to do now is to make it multi-user, so that every registered user will be able to log on and access only his data.

How can I do this? At the moment all users access all info and this is not good.

Thanks

Link to comment
Share on other sites

First you'll need to save users somewhere, like a database.

Then, at the place where you check whether the password and username match the admin's database and password, you just search for a match in the database where the username equals the username entered and the password equals the one entered. If one of them doesn't match, the login fails.

Like: "SELECT id FROM users WHERE username = '$username' AND password = '$password'"

If a match was not found then the user can't log in.

PS: it's better to use md5 hashed passwords to protect your users' privacy.

Link to comment
Share on other sites

Oh... what do you mean by "his data"? The data that he inserted, or data he can view with his role? Like admin can view all data, moderators can only view some data and only delete some data, normal users can delete only their own data, etc.

Link to comment
Share on other sites

Hi shedokan, at the moment the admin can access everybody's records and add, delete and edit them. I would like each user to access a page that contains only the record that belongs to him.

Link to comment
Share on other sites

This is the code I use at the moment:

 

// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_redirectLoginSuccess = "PC_main.php";
  $MM_redirectLoginFailed = "index.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_amat_connect, $amat_connect);
  	
  $LoginRS__query=sprintf("SELECT usuariologin, usuariopassword FROM t_usuarios WHERE usuariologin=%s AND usuariopassword=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $amat_connect) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0);
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
    exit; // stop the script once the redirect header is sent
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
    exit;
  }
}

Link to comment
Share on other sites

You can store a unique ID for each user, and when they enter a page you check whose user id the page is. If it's an admin, allow him to access all pages; if it's a normal user, check if his user id matches the one of the page.

Like if you have profile.php?uid=18 then you check if the current logged in user has an id of 18.

Link to comment
Share on other sites

It depends on your records. For example, if you save a record as a row in the database then you can add a column with the user's id. Like you have an address table:

| firstname | lastname  |
|-----------|-----------|
| Joe       | Something |
| Jay       | Family    |

 

Then you can add a column that says the id of the user, like:

| uid | firstname | lastname  |
|-----|-----------|-----------|
| 1   | Joe       | Something |
| 2   | Jay       | Family    |

 

And then you know that Joe Something belongs to the user with the ID of 1

 

And in your users table you have:

| id | username | password |
|----|----------|----------|
| 1  | user1    | *******  |
| 2  | user2    | *******  |

 

So when a user gets logged in you save the user's id in the session or cookie, and when a user tries to access an address you check the uid of the address. Like if user1 tries to access "Joe Family" you don't allow him, because the uid on Joe Family is 2 and user1 has an id of 1.

 

Did that help you?

Link to comment
Share on other sites

Yes shedokan, that helps a lot. The next problem is how do I save the user id in a session?

 

That depends on your login system, after the user logs in how do you keep him logged in? I mean once that the user logs in and you send him to another page how do you know he's already logged in and you don't have to send him to the login page?

Link to comment
Share on other sites

Hi shedokan, this is the code I use to login the users:

 

<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && true) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "index.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
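  // $QUERY_STRING only exists with register_globals; read it from $_SERVER instead
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) 
  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];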
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>



Link to comment
Share on other sites

I need help with this please. This is the script I use to log users in. I need to redirect them to their personal URL on success, but when I try that the script fails and I get a blank screen.

Please see the line of code that gives an error when I modify it.


// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_redirectLoginSuccess = "PC_main.php"; // I tried to add this ?id_E=<?php echo $row_Login['id_E']; ?> and the script fails
  $MM_redirectLoginFailed = "index.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_amat_connect, $amat_connect);
  	
  $LoginRS__query=sprintf("SELECT usuariologin, usuariopassword, id_E FROM t_usuarios WHERE usuariologin=%s AND usuariopassword=%s",
GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $amat_connect) or die(mysql_error());

Link to comment
Share on other sites

Thanks Shedokan. I have added

  $MM_redirectLoginSuccess = "PC_asociados_update.php?id_E=".$LoginRS['id_E'];

now and the script works but the variable id_E is not passed to the next page.

 

My idea is to pass the id_E variable to the user update page, so that when a user logs in it goes straight to the update page that belongs to it.

 

Do I make sense?

 

 

Link to comment
Share on other sites

The problem is that you don't save the user's id or anything in the session, so people that are not logged in can view all pages.

So that user can change the page from PC_asociados_update.php?id_E=1 to PC_asociados_update.php?id_E=2 manually and you will allow him.

 

You need to save the user's id, username and password in the session and at the load of each page check it in the database.

Link to comment
Share on other sites
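
The per-user check discussed in the replies above, as an added example that is not code from the thread: the user id goes into the session at login, and the record page filters on that id instead of trusting the id in the URL. It assumes the `users` and `address` layout sketched earlier in the thread plus a hypothetical `password_hash` column and `is_admin` flag, uses hypothetical function names `login()` and `loadAddress()`, verifies passwords with PHP's `password_hash()`/`password_verify()` rather than comparing them in SQL, and runs against an in-memory SQLite database through PDO with constructed sample rows.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, is_admin INTEGER)');
$db->exec('CREATE TABLE address (id INTEGER PRIMARY KEY, uid INTEGER, firstname TEXT, lastname TEXT)');
$add = $db->prepare('INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)');
$add->execute(['user1', password_hash('constructed-pw-1', PASSWORD_DEFAULT), 0]);
$add->execute(['user2', password_hash('constructed-pw-2', PASSWORD_DEFAULT), 0]);
$db->exec("INSERT INTO address (uid, firstname, lastname) VALUES (1, 'Joe', 'Something'), (2, 'Jay', 'Family')");

// Login: look the user up with a bound parameter, verify the hash in PHP,
// and return only the fields that belong in the session (never the password).
function login(PDO $db, string $username, string $password): ?array {
    $st = $db->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['uid' => (int)$row['id'], 'is_admin' => (bool)$row['is_admin']];
}

// Record page: the owner comes from the session, not from the query string.
// The uid filter is part of the query, so a hand-edited id simply finds no row.
function loadAddress(PDO $db, array $session, int $addressId): ?array {
    if (!isset($session['uid'])) {
        return null;                        // not logged in
    }
    if (!empty($session['is_admin'])) {
        $st = $db->prepare('SELECT * FROM address WHERE id = ?');
        $st->execute([$addressId]);
    } else {
        $st = $db->prepare('SELECT * FROM address WHERE id = ? AND uid = ?');
        $st->execute([$addressId, $session['uid']]);
    }
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

$session = login($db, 'user1', 'constructed-pw-1') ?? [];  // stands in for $_SESSION
var_dump(loadAddress($db, $session, 1) !== null);  // user1 asks for his own record
var_dump(loadAddress($db, $session, 2) !== null);  // user1 asks for user2's record
var_dump(loadAddress($db, [], 1) !== null);        // request with no session at all
```

On a real page the array returned by `login()` is copied into `$_SESSION` after `session_start()` and `session_regenerate_id(true)`, and every protected page calls the equivalent of `loadAddress()` before showing or updating a record.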

Read most of the replies here, and it seems people are really using weird methods when it comes to multi-user login/user stuff. Instead of adding on to this weird stuff, you should write your own class.

 

It's pretty simple

 

DB: username, password, time, session, logged, ip

 

on login set unique session id and ip set session code to cookie and DB, set ip to DB

on page view, check cookies, match session and users ip with DB entry

set particular $_SESSION ie: $_SESSION['user_logged'] to true and $_SESSION['username'] to Cookie value

if $_SESSION['user_logged'] allow access

Use $_SESSION['username'] to determine users actual username.

 

Pretty simple.

 

If sessions aren't cool set them with class functions ie:

 

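class system {
    // Declared explicitly so the assignments below do not create dynamic properties
    public $logged;
    public $user;

    function loaditbish($user, $logged) {
        $this->logged = $logged;
        $this->user = $user;
    }
}

$sys = new system;
$sys->loaditbish($user, $logged);
if ($sys->logged == true) echo 'Happy crazy fun time';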

 

Link to comment
Share on other sites

What if someone hacked into someone's account and the real account owner changed the password? The account will be still logged in.

He should check if the username and password are valid for each page.

Link to comment
Share on other sites
