pedromsouza Posted February 7, 2011

Hi! I wanted to develop code for authentication... I have to allow/deny access to some pages according to the user's login. And users that didn't log in shouldn't have access to any page but the first one. I created simple pages for explaining... PS: "senha" means "password" (Portuguese).

I created a page called "pre_index.html". Anyone should be able to access this one. It contains a form where users can insert login and password. After submitting, it would automatically lead to "index.php", the page for registered users only. So... this is pre_index.html:

<code>
<html>
<head>
<title>Pagina Teste</title>
</head>
<body>
<form action="login.php" method="post">
Login: <input type="text" name="login">
Senha: <input type="password" name="senha">
<input type="submit" value="Login">
</form>
</body>
</html>
</code>

The form sends data to "login.php":

<code>
<html>
<head>
<title>Pagina Teste</title>
</head>
<body>
<?php
// retrieving values from the form
$login = $_POST["login"];
$senha = $_POST["senha"];
// connecting to the database
include "include_conect_bd.inc";
// checking values
$verif = mysql_query("select * from usr where login = '$login' and senha = '$senha'");
$verif2 = mysql_num_rows($verif);
// generating cookies
if ($verif2 != 0) {
    echo "Login realizado com sucesso!<br>";
    setcookie("login", $login);
    setcookie("senha", $senha);
} elseif ($verif2 == 0) {
    echo "Login não realizado, verifique login e senha.<br>";
    setcookie("login");
    setcookie("senha");
    header("location: index.php");
}
?>
</body>
</html>
</code>

"login.php" leads to "index.php":

<code>
<?php include "include_verif_cookie.inc"; ?>
<html>
<head>
<title>Pagina Teste dos Usuarios Logados</title>
</head>
<body>
<div>
<ul>
<li><a href="#">Home</a></li>
<li><a href="#">Um</a></li>
<li><a href="#">Dois</a></li>
</ul>
</div>
</body>
</html>
</code>

"index.php" contains an include that should check if the user is registered (and allow/deny access to "index.php"), so, the include...
<code>
<?php
include "include_database_db.inc";
// copy the cookie values into local variables when they are present
if (isset($_COOKIE["login"])) {
    $login = $_COOKIE["login"];
}
if (isset($_COOKIE["senha"])) {
    $senha = $_COOKIE["senha"];
}
?>
</code>

#1: Is it correct?
#2: How can I send the user back to "pre_index.html" if he is not logged in?
#3: Is it safe enough?

Thanks in advance!

zenlord Posted February 7, 2011

That is a very basic login form, so it probably is not safe enough. But a few pointers: stick to 1 page, index.php, in which you make 2 divisions (pseudo-code follows):

<code>
if isset $_COOKIE['senha']:
    -> user is logged in and gets to see the page for logged users
else
    -> visitor gets to see login form
</code>

Next: read up on sessions, cookies and use a few of the examples out of the php.net examples and user contributions...

Vincent

pedromsouza (Author) Posted February 7, 2011

Thanks Vincent, I wrote this include to switch between index.php and login.php according to the cookie's data. Is it OK if I put this in every page? I'll read later about enhancing security but now I just have to make the "basic login function" work. Include...

<code>
<?php
$erro = 0;
include "include_database_db.inc";
if (isset($_COOKIE["login"])) {
    $login = $_COOKIE["login"];
    $erro = 0;
} elseif (isset($_COOKIE["senha"])) {
    $senha = $_COOKIE["senha"];
    $erro = 0;
} else {
    $erro = 1;
    exit; // the script stops here, before either header() call below
}
if ($erro != 0) {
    header("Location: login_page.php");
} else {
    header("Location: index.php");
    exit;
}
?>
</code>

zenlord Posted February 7, 2011

Looks correct - you don't need the last 'exit' - it never gets executed.

V
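
The session-based approach zenlord points to, which also covers questions #2 and #3, as an added example that is not code from any poster in this thread. It assumes PHP 7+ with PDO; the table "usr" and column "login" follow the posts, while the "senha_hash" column (filled with password_hash() at registration), the helper names and the sample user are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table "usr" and column "login" follow the
// posts; column "senha_hash", the helper names and the sample user are assumptions.

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session id cookie is not readable from JavaScript; unknown ids are rejected.
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// True only if the login exists and the password matches the stored hash.
function check_login(PDO $db, string $login, string $senha): bool {
    // Bound parameter: the submitted login never becomes part of the SQL text.
    $st = $db->prepare('SELECT senha_hash FROM usr WHERE login = ?');
    $st->execute([$login]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($senha, $hash);
}

// For login.php: the browser only ever receives the session id, never the password.
function do_login(PDO $db, array $post): bool {
    $login = (string)($post['login'] ?? '');
    if (!check_login($db, $login, (string)($post['senha'] ?? ''))) {
        return false;
    }
    start_session();
    session_regenerate_id(true);   // issue a fresh session id once the user is authenticated
    $_SESSION['login'] = $login;
    return true;
}

// For the top of every protected page, before any output is sent.
function require_login(): void {
    start_session();
    if (!isset($_SESSION['login'])) {
        header('Location: pre_index.html');
        exit;                      // stop here so the page body is never rendered
    }
}

if (PHP_SAPI === 'cli') {          // offline demo with a constructed user
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE usr (login TEXT PRIMARY KEY, senha_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO usr VALUES (?, ?)')
       ->execute(['alice', password_hash('constructed-pw', PASSWORD_DEFAULT)]);
    var_dump(check_login($db, 'alice', 'constructed-pw'));
    var_dump(check_login($db, 'alice', 'wrong'));
}
```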
This topic is now archived and is closed to further replies.