Secured area how to ?

[liefwin]

Hi,
I'm having a secured area where the username and pasw are stored in a MySql Db.
As i'm complete new i found this on the net and after a while i got it working :-)

How can i get a message or store details of users access (who, when, which page,...) to the protected area ?
Any help is more than welcome !
thx



this is the code i use in the connect.php
*********************************************************************************************************************
<?php
define ('DB_USER', '*************'); // Database User Name
define ('DB_PASSWORD', '***********'); // Database User Password
define ('DB_HOST', '**********'); // Host Name (mostly localhost)
$dbc = mysql_connect (DB_HOST, DB_USER, DB_PASSWORD); // Establishes connection
mysql_select_db(**************'); // database name to connect to

define(TABLE_NAME,'user'); // Table Name
define(USER_NAME,'username'); // Username Field Name
define(PASS_NAME,'password'); // Password Field Name
?>
**********************************************************************************************************************************

This is the code i use in the index.php page
**********************************************************************************************************************************
<?php
session_start();

//site_defines
$SECURED_PAGE = 'index2.php';

// If the form was submited check if the username and password match
if($_POST['submitid'] == 1){
//Call the database file
require_once("connect.php");
$username = $_POST['username'];
$password = $_POST['password'];
$user_query = @mysql_query("SELECT * FROM " . TABLE_NAME . " WHERE `" . USER_NAME . "`='$username' AND `" . PASS_NAME . "`='$password'");

if(@mysql_num_rows($user_query) > 0){
//Make sessions
$_SESSION['isloged'] = 'yes';
$_SESSION['username'] = $_POST[username];

// Redirect to the page
header("Location: $SECURED_PAGE");
exit();
} else {
$message = 'Uw username en/of password is niet correct !';
}
}
?>
<?php

//Check if we are displaying a message to the user:
if($message != NULL){?>
<table width="500" border="0" cellpadding="3" cellspacing="0" bgcolor="#CCCCCC" align="center">
<tr>
<td><div align="center"><strong><font color="#FF0000"><?=$message;?></font></strong></div></td>
</tr>
</table>
<?php } ?>
<form action="<? echo $_SERVER['PHP_SELF'];?>" method="post" name="adminlogin" id="adminlogin" style="display:inline;">
<br><br><br><br><table width="500" border="1" align="center" cellpadding="5" cellspacing="0" bordercolor="#336699">
<tr bgcolor="#99CCFF">
<td colspan="2"><div align="center"><strong>Please Login</strong></div></td>
</tr>
<tr>
<td width="47%"><strong>Username:</strong></td>
<td width="53%"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td colspan="2"><div align="center"><font face="Georgia, Times New Roman, Times, serif"><strong>
<input name="Submit" type="submit" id="Submit" value="Inloggen">
<input name="submitid" type="hidden" id="submitid" value="1">
</strong></font> </div></td>
</tr>
</table>
<p>&nbsp;</p>
</form>

[XenoPhage]

It sounds like you just want logging.. Based on the $_SESSION object, you can take the username and create a log entry each time a page is accessed by an authenticated user. Something like this :

[code]
session_start();

// Check to see if the user is logged in
if (! $_SESSION['islogged']) {
   header('/login.php');
   exit;
}

// Open the log file and write a log entry to it
fopen($logfile, 'a');
fwrite($logfile, $_SESSION['username'] . ' accessed page mypage.php');
fclose($logfile);

// Continue with the rest of what mypage.php should do
[/code]

I'm definitely no expert with file access as I don't use it very heavily, so there may be a better way to do the file handling bit. But, the above code should get your foot in the door...

Also note, the mere use of session_start() does not mean that you have a secure site. It's fairly easy to steal sessions. I use a SQL database to store additional information such as session ID, ip address, etc. to ensure that the session doesn't migrate somewhere else.

[liefwin]

Thx for your reply,

could you tell me how you do it as it seems a lot more secure as what i do ?

[XenoPhage]

Here's a link to the code I use : [a href=\"http://www.godshell.com/oss/secure-login.tar.gz\" target=\"_blank\"]http://www.godshell.com/oss/secure-login.tar.gz[/a]

Note : This is not for drop-in usage. It was written for a specific app. However, it should be relatively easy to change.