
password protect members area


aubrey5


Hello, I just joined today!  I am very new to php, I'm sure you'll be able to tell :) 

 

I created a 'members area only' thanks to some awesome online tutorials!!  The only part that isn't working is the page protection for the 'members only area'. 

 

I am using $_SESSION and ISSET, but wonder why page shows when the address to the protected page is typed directly in, (no session should exist) if I understand correctly ...

 

Any help will be wonderful, I really can't do this on my own yet.

 

I have tried many different combinations, I may have them all mixed together by now.  Currently, I have this code to the top of the page I am trying to protect ...

 

<?
ob_start();
session_start();
//The users login details should be stored either in the post array or session array so we pull those login credentials

$username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'];    
$password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['password'];


//if no username session variable exists, redirect user:
if(!isset($username)) {    
header("Location: login_form.php");
}
?>   

<html>
<head>
</head>
<body>
<p> This is the members only area</p>
</body>
</html>

 

 

 

 


I would try

<?php
session_start();
if(!isset($_POST['username']) or !isset($_SESSION['username'])) {   
    header("Location: login_form.php");
}
else {
?>   

<html>
    <body>
        <p> This is the members only area</p>
    </body>
</html>
<?php
//ending else
}
?>

Keep in mind that you need to tell PHP to "session_start()"

and that when you're testing, sessions can last a few minutes, even after you close the window. You need a logout script to get rid of them.

This is my logout.php

 

<?
session_start();
?>

<html>
<body>

<tr><td colspan="3"><p>Logout</p></td></tr><tr><table>

<?

if(!isset($_REQUEST['logmeout'])){
echo "<center>Are you sure you want to logout?</center><br />";
echo "<center><a href=logout_yes.php>Yes</a> | <a href=javascript:history.back()>No</a>";
} else {
session_destroy();
if(!session_is_registered('first_name')){
	echo "<center><font color=red><strong>You are now logged out!</strong></font></center><br />";
	echo "<center><strong>Login:</strong></center><br />";
	include 'login_form.php';
}
}
?>


</body>
</html>

////////// And this is my logout_yes.php

<html>
<body>

<p class="redtitle" align="center">You are logged out.</p>

</body>
</html>

When the user accesses logout.php directly and they click on the "Yes" to logout, they go straight to logout_yes.php and never get their session destroyed.

 

Since you're using two files, try something like this:

 

logout.php

<?
session_start();
?>

<html>
<body>

<tr><td colspan="3"><p>Logout</p></td></tr><tr><table>
<center>Are you sure you want to logout?</center><br />
<center><a href=logout_yes.php>Yes</a> | <a href=javascript:history.back()>No</a>
</body>
</html>

 

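logout_yes.php

<?php
session_start();        // must run before any output, and before session_destroy()
$_SESSION = array();    // clear the session data for this request
session_destroy();
?>
<html>
<body>
<?php
// session_is_registered() was removed in PHP 5.4; test $_SESSION directly
if(!isset($_SESSION['first_name'])){
echo "<center><font color=red><strong>You are now logged out!</strong></font></center><br />";
echo "<center><strong>Login:</strong></center><br />";
include 'login_form.php';
}
?>
</body>
</html>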

I changed my logout to your suggestion.  My protected page still shows without login prompt.  Any suggestions?

 

I was thinking my session variables weren't set right to pass correctly to my protected page session, but even when typing in the address of the page directly, I get in without login prompt. 

 

Here is my checkuser.php code (it is the action for my submit button on my login_form.php).  My checkuser.php code works great for everything else.

 


<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

//register session variables		
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;


if((!$username) || (!$password)){
$enter_all = "Please enter ALL of the information.";
echo "Please enter ALL of the information! <br />";
include 'login_form.php';
exit();
}

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM mytable WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
	$$key = stripslashes( $val );
}
	// Register some session variables!
	session_register('first_name');
	$_SESSION['first_name'] = $first_name;
	session_register('last_name');
	$_SESSION['last_name'] = $last_name;
	session_register('email_address');
	$_SESSION['email_address'] = $email_address;
	session_register('special_user');
	$_SESSION['user_level'] = $user_level;


	mysql_query("UPDATE mytable SET last_login=now() WHERE userid='$userid'");

	//redirect to file login_success.php
	header("Location: login_success.php");
}
} else {
$not_loggedin = "You could not be logged in!  Either the username and password do not match or you have not validated your account!";
echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
Please try again!<br />";
include 'login_form.php';
}
?>

Hello, I was getting ready to encrypt my passwords like this, when I realized I don't know how to unencrypt them to send to the user when they click on the 'lost password' link.

 


// Encrypt the password
$encrypt_password = md5($password);

 

Is there a simple way to decrypt this password ... I can't say I've found one googling it

Okay, I'll work on a page that sends them a new password.  Is md5 sufficient for encryption (I know you said it wasn't 'encrypted')?

 

My original question still remains unanswered:  Why does my protected page load when typed directly into address bar?  Below is the code I am trying as suggested above.

 


<?php

session_start();
if(!isset($_POST['username']) or !isset($_SESSION['username']) {       
header("Location: login_form.php");
}
else { 
?>

<html>
<body>
<p> This is the Members only Area</p>
</body>
</html>

 

 

Have I reversed the code?  Should it be:

 


<?php

session_start();
if(!isset($_POST['username']) or !isset($_SESSION['username']) {       
?>

<html>
<body>
<p> This is the Members only Area</p>
</body>
</html>	

<?php
}
else { header("Location: login_form.php");
}
?>


  • 4 weeks later...

I know this post has been out a while, so I am bumping it up (I hope that is okay).  I still haven't got this protected page to work.  I was wondering, I don't think my session variables are registering correctly.  I tried to make a page that had "Welcome (your name goes here)" when they logged in and it is blank.  I used this, is this the right way to do it?

 

<p> Welcome, <?=$first_name?>! </p>

 

Thanks, Aubrey

I can't remember the correct tag to put around the code, so I apologize now.

The page displays correctly, only the (your names goes here) is missing.

 

Sequence of pages:

1.  User registers for account (register.php)

2.  I activate account

3.  User logs in (login_form.php, the form action is checkuser.php)

4.  Checkuser.php defines $first_name I think and redirects to login_success.php

5.  Login_success.php has the Welcome (your names goes here), and the page protect which isn't working either.

 

 

This is the login_success.php page.  It has page protection that isn't working, the php code at the top of the page.  I have to pull this part of the code off to check the Welcome (your name goes here).

 

<?php 
require_once ('verify.php'); 
$page_title = 'YOUR PAGE TITLE GOES HERE';

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

// Check for a $page_title value:
if (!isset($page_title)) {
$page_title = 'User Registration';
}

// If no first_name session variable exists, redirect the user:
if (!isset($_SESSION['first_name'])) {

$url = BASE_URL . ''; // Define the URL.
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

}
?>

<!-- saved from url=(0022)http://internet.e-mail -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">

<head>

<TITLE>Wholesale Accounts</TITLE>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<META name="description" content="">

<META name="keywords" content="">

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">

<link href="../styleswholesale.css" rel="STYLESHEET" type="text/css">

<style type="text/css">html>body #content{height:750px;}</style> 

</head>

<body>
<div id="blanket">
<div id="wrapper">
<div id="header"></div>
<div id="content">
<table align="left">
<?include("../includes/topbarw.php");?>
<tr>
<td>
<?include("../includes/menuw.php");?> 
</td>
<td>

<table>
<tr><td>
<div id="centercolumn">
<a name="top"></a>
<p class="redtitle" align="center">Wholesale Login Success</p>
</div>
</td>
<td>
<div id="rightcolumn">
<?include("../includes/HomeCartBoxw.php");?> 
</td></tr>

<a name="top"></a>

<tr><td colspan="2"><p align="center">Welcome, <?=$first_name?>! Wholesale account info goes here.</p></td></tr>




</table></tr>


</td>
</tr>
</table>
<tr><td colspan="3"><a href="#top">Back to top</a></td></tr></table></tr>


</td>
</tr>
</table>
</div>
<?include("../includes/Footerw.php");?> 
</div>
</div>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {var pageTracker = _gat._getTracker("UA-12575357-1");
pageTracker._trackPageview();
} catch(err) {}
</script>

</body>
</html>

<?php // Flush the buffered output.
ob_end_flush();
?>

 

This code is my checkuser.php

 

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
$enter_all = "Please enter ALL of the information.";
echo "Please enter ALL of the information! <br />";
include 'login_form.php';
exit();
}

// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);


// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
	$$key = stripslashes( $val );
}
	// Register some session variables!
	session_register('first_name');
	$_SESSION['first_name'] = $first_name;
	session_register('last_name');
	$_SESSION['last_name'] = $last_name;
	session_register('email_address');
	$_SESSION['email_address'] = $email_address;
	session_register('special_user');
	$_SESSION['user_level'] = $user_level;

	session_register('username');
	$_SESSION['username'] = $username;
	session_register('password');
	$_SESSION['password'] = $password;


	mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");

	//redirect to file login_success.php
	header("Location: login_success.php");
}
} else {
$not_loggedin = "You could not be logged in!  Either the username and password do not match or you have not validated your account!";
echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
Please try again!<br />";
include 'login_form.php';
}
?>

 

THANK YOU FOR ANY HELP!  Aubrey

I'll be out of town this weekend, so I will miss any quick replies
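
A session-only page guard and credential check for the pages discussed in this thread, as an added example that is not part of any post above. The function names, the password_hash column and the in-memory SQLite demo (which needs pdo_sqlite) are assumptions; the users table and login_form.php come from the thread.

```php
<?php
// Added example, not code from the thread; password_hash column is assumed.

// Returns the user row on success, null otherwise. Nothing touches the
// session until the credentials have been verified.
function check_user(PDO $db, string $username, string $password): ?array {
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT userid, first_name, password_hash
                          FROM users WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // the hash has no business in the session
    return $row;
}

// Call after check_user() succeeds; assumes session_start() already ran.
function log_in(array $user): void {
    session_regenerate_id(true);    // new session id for the authenticated user
    $_SESSION['userid'] = $user['userid'];
    $_SESSION['first_name'] = $user['first_name'];
}

// Only server-side session data decides access; $_POST is never consulted.
function is_logged_in(array $session): bool {
    return isset($session['userid']);
}

// Guard for the first line of every members-only page.
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (!is_logged_in($_SESSION)) {
        header('Location: login_form.php');
        exit;                       // stop here, or the page body is still sent
    }
}

if (PHP_SAPI === 'cli') {           // constructed demo: SQLite stands in for MySQL
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT,
               first_name TEXT, password_hash TEXT, activated INTEGER)');
    $db->prepare('INSERT INTO users VALUES (1, ?, ?, ?, 1)')->execute(
        ["o'brien", 'Pat', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    var_dump(check_user($db, "o'brien", 's3cret-demo') !== null,
             check_user($db, "o'brien", 'wrong') === null);
    var_dump(is_logged_in([]), is_logged_in(['userid' => 1]));
}
```

On a protected page, include this file and call require_login() before any output; the welcome line then reads from $_SESSION['first_name'] rather than a bare $first_name.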

Archived

This topic is now archived and is closed to further replies.
