
User only links?


melloorr


Hey everyone, I'm relatively new to PHP and I have created a basic login page on my site. It checks whether someone is logged in by searching for a cookie.

 

But I am wondering if there is a simple way to display content and links only to people who are logged in, and show user-specific content based on who is logged in (much like forums - but not as complicated, just simple)

 

Thank you and it's very much appreciated :)


need to use sessions, rather than only cookies.

 

basic example:

<?php
session_start(); // start the session; this needs to be at the top (before any output) of each page that requires some kind of tracking, such as checking the user is logged in

if (isset($_POST['userid'])) { // only set it when the login form was actually submitted
   $_SESSION['userid'] = $_POST['userid']; // this is how you would log in a user, use a form to submit their ID or whatever you uniquely identify them by
}

if (isset($_SESSION['userid'])) { // check they are logged in, if yes show the link and content
   echo "logged in";
} else {
   echo "not logged in"; // if not logged in, can redirect them to login page or something
}

?>

of course you need to add all the security as well.

 

You could simply do what RaythMistwalker mentioned:

if (isset($_COOKIE['COOKIE_NAME'])) {
   // Member Only Data Here
}

 

Simplest way.

Depends on what kind of content you're trying to hide from people that aren't supposed to be able to see it; cookies are easily manipulated.


Thanks for all the help. I am mainly using it so I can display the logout link if someone is logged in, and the login link if no-one is logged in, and also to show the logged in user their specific link (i.e. YouTube shows the link to my profile at the top of the page)

 

(Sorry if I have not explained it well)

 

This is the cookie code I have used:

$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600; // cookies expire in one hour
setcookie('ID_my_site', $_POST['username'], $hour); // cookie names must be quoted strings
setcookie('Key_my_site', $_POST['pass'], $hour);

 

Taken from here: http://php.about.com/od/finishedphp1/ss/php_login_code_5.htm

 

So how would I add a uniqid() ?


If your goal is to log someone in for the duration of one visit to your site (one browser session), you would use a session variable to remember that they have logged in. If your goal is to remember that someone is logged in across multiple visits to your site, read this post - http://www.phpfreaks.com/forums/index.php?topic=346586.msg1635843#msg1635843

 

Storing the actual username and password in plain text in cookies has at least one major security problem (anyone with access to the computer or to the data packets going back and forth can see and get the actual password) and just testing for the existence of a cookie to treat someone as being logged in will allow anyone to become logged in because they can simply set a cookie with any value.

 

Storing a unique id, that you generate on the server (and regenerate as needed), in a cookie virtually eliminates the possibility that someone can generate a value that will match an actual user (it is still possible to intercept that value and impersonate an actual user, but that is a different problem.)


What I do is set a cookie which contains a uniqid() which is also stored in a database to that user so if the cookie is edited the user is logged out.

 

That's a very cool way of doing it which I had never thought of before, I might just implement it into my site.

^Also gives you the ability to log users out by simply removing it from the DB.

 

Now melloorr,

Firstly, never save someone's username/password in a cookie as cookies are easily intercepted and modified.

 

$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
$Id = uniqid(); // id generated on the server
setcookie('ID_my_site', $Id, $hour); // cookie name quoted; only the id goes in the cookie

 

Just remember to save $Id in a database as well. My login table has:

user_id (unique user_id for different users. NEVER CHANGES)

username

password (hashed)

unique_id - Where I save the id which will then be checked against the cookie when a page is loaded


Sorry for being needy, but...

 

How would I add this to my login script (whole login code is from the website I linked to in my last post)? I have added a column to my table called unique_id (correctly I think), but how would I go about adding a value to it when logging in and then adding the same value to the cookie, then deleting it when they log off?


Well you have the setcookie stuff already, so all you really have to do is take what I had before and so it'd be this:

 

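$Username = mysql_real_escape_string(stripslashes($_POST['username'])); // escape before it goes into the query
$hour = time() + 3600;
$Id = uniqid();
$InsertQry = "UPDATE tablename SET unique_id='{$Id}' WHERE username='{$Username}'";
mysql_query($InsertQry) or die(mysql_error()); // run the update so the id is saved against this user
setcookie('ID_my_site', $Id, $hour);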


I still need help  :confused:

 

Would I need to replace the old cookie code for the new one, so it does not check for a password?

 

And

 

How would I go about checking the cookie to check they are logged in? This is the code that checks:

//checks cookies to make sure they are logged in
if(isset($_COOKIE['ID_my_site']))
{
	$username = $_COOKIE['ID_my_site'];
	$pass = $_COOKIE['Key_my_site'];
	$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
	while($info = mysql_fetch_array( $check ))

 

It checks the password, but if you replace the old cookie code, then there is no password to check


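//checks cookies to make sure they are logged in
if (isset($_COOKIE['ID_my_site'])) {
    $cookie = mysql_real_escape_string($_COOKIE['ID_my_site']); // cookie value is user input, escape it
    $check = mysql_query("SELECT * FROM users WHERE unique_id='{$cookie}'") or die(mysql_error());
    if (mysql_num_rows($check) > 0) { // mysql_query() returns a resource even when no row matches
        $username = mysql_result($check, 0, 'username');
    } else {
        setcookie('ID_my_site', '', time() - 3600); // no match: erase the cookie
    }
}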

 

This checks the cookie and retrieves relevant username. It will also erase the saved cookie if result is not found so make sure it is above any output code
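
The scheme this thread arrives at (a server-generated id in the cookie, stored against the user, checked on every page load and cleared at logout), as an added example that is not from any poster in the thread. It swaps uniqid() for random_bytes(), because uniqid() is derived from the current time, stores only a SHA-256 hash of the id in unique_id, and uses PDO prepared statements. The in-memory SQLite database and the function names are assumptions; the table and column names follow the thread.

```php
<?php
// Added example. Assumptions: PDO with in-memory SQLite stands in for the
// site's database; function names are hypothetical.

function issueToken(PDO $db, string $username): string {
    $token = bin2hex(random_bytes(32));               // CSPRNG value, 64 hex chars
    $stmt = $db->prepare('UPDATE users SET unique_id = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $username]); // DB holds only the hash
    return $token;                                     // raw value goes in the cookie
}

function userForToken(PDO $db, ?string $token): ?string {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                   // missing or malformed cookie
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE unique_id = ?');
    $stmt->execute([hash('sha256', $token)]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;             // null means "not logged in"
}

function revokeToken(PDO $db, string $username): void {
    $db->prepare('UPDATE users SET unique_id = NULL WHERE username = ?')
       ->execute([$username]);                         // logout, or forced logout
}

function sendLoginCookie(string $token): void {       // call before any output
    setcookie('ID_my_site', $token, [
        'expires' => time() + 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo data; run from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, unique_id TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$token = issueToken($db, 'alice');                // after the password check succeeds
var_dump(userForToken($db, $token));              // the cookie the server issued
var_dump(userForToken($db, str_repeat('0', 64))); // a value the visitor made up
var_dump(userForToken($db, null));                // no cookie sent
revokeToken($db, 'alice');
var_dump(userForToken($db, $token));              // same cookie after logout
```

On a real page the lookup would be `userForToken($db, $_COOKIE['ID_my_site'] ?? null)`, with the login and logout links chosen by whether it returns a username.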


  • 2 weeks later...

If by encryption, you mean using md5 (which is actually hashing, not encryption) on the password and then storing the md5 value in a cookie, then NO that is not secure because with the power of today's computers, it is easy to come up with a starting value that produces a specific md5 value that would let someone log in using your log in form.

