cluce Posted June 7, 2007

I have a login script that checks the username and password in a database and checks for a match. If so, it gives them access to a web page; if not, it redirects them back to the login page and gives them an error. But I found out that if the user types in the web address of that authorized web page, it will display in the browser anyway. Can someone tell me how to secure this? Do I use IP address, sessions, cookies, etc.? What would be the most efficient way? Here is my login script:

```php
<?php
// initialize the session
if (!isset($_SESSION)) {
    session_start();
}

// connect to server and select database
$mysqli = mysqli_connect("localhost", "root", "", "test");

// trims and strips tags, then escapes the values before they go inside the SQL string literals
$rawuser     = isset($_POST['username']) ? $_POST['username'] : '';
$rawpassword = isset($_POST['password']) ? $_POST['password'] : '';
$checkuser     = mysqli_real_escape_string($mysqli, trim(strip_tags($rawuser)));
$checkpassword = mysqli_real_escape_string($mysqli, trim(strip_tags($rawpassword)));

// create and issue the query
$sql = "SELECT username, f_name, l_name FROM auth_users
        WHERE username = '$checkuser' AND password = sha1('$checkpassword') LIMIT 1";
$result = mysqli_query($mysqli, $sql);

// gets number of unsuccessful logins (0 if the username does not exist)
$sql1 = "SELECT failed_logins FROM auth_users WHERE username = '$checkuser' LIMIT 1";
$result1 = mysqli_query($mysqli, $sql1);
$resultarr = mysqli_fetch_assoc($result1);
$attempts = $resultarr ? (int) $resultarr["failed_logins"] : 0;

// disables user if failed logins >= 3
if ($attempts >= 3) {
    // records unsuccessful logins
    $sql1 = "UPDATE auth_users SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
    mysqli_query($mysqli, $sql1);
    $_SESSION['disabled'] = "<font color='red'>Your account has been disabled.<br>Please contact....$attempts</font>";
    header("Location: Account_login.php");
    exit();
} else {
    // get the number of rows in the result set; should be 1 if a match
    if (mysqli_num_rows($result) == 1) {
        // if authorized, get the values of f_name l_name
        while ($info = mysqli_fetch_array($result)) {
            $f_name = stripslashes($info['f_name']);
            $l_name = stripslashes($info['l_name']);
        }
        // set authorization cookie
        setcookie("auth", "1", 0, "/", "mydomain.com", 0);
        $_SESSION['usersname'] = $f_name . " " . $l_name;

        // record last login
        $sql2 = "UPDATE auth_users SET last_login = NOW() WHERE username = '$checkuser' LIMIT 1";
        mysqli_query($mysqli, $sql2);

        // clears failed logins
        $sql3 = "UPDATE auth_users SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
        mysqli_query($mysqli, $sql3);

        // directs authorized user
        header("Location: logon.php");
        exit();
    } else {
        // records unsuccessful logins
        $sql4 = "UPDATE auth_users SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
        mysqli_query($mysqli, $sql4);

        // stores a session error message
        $_SESSION['error'] = "<font color='red'>Invalid username and/or password combination<br>Please remember that your password is case sensitive.</font>";

        // redirect back to login form if not authorized
        header("Location: Account_login.php");
        exit();
    }
}
?>
```
chrisuk Posted June 7, 2007

What I would do is have a "logged_in" session variable which gets set to true on successful login. Then, at the top of each page, if "logged_in" is not equal to true, destroy the session and redirect to the homepage.
chrisuk Posted June 7, 2007

To expand: first you need to create the session when the user is authenticated:

```php
// if authenticated:
$_SESSION['loggedin'] = "yes";
$_SESSION['id'] = $username;
$sess_id = session_id();
session_write_close();
// anything else you want to do
```

Then at the top of every page, you could simply have:

```php
session_start();
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != "yes") {
    header("Location: login.php");
    exit();
}
```

Note: NOTHING should go before session_start();

Hope this helps
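The pattern chrisuk describes, worked into one reusable include, as an added example; this is not code from either poster. It answers the original question by keeping the "logged in" state on the server in the session, so a visitor who types the URL of a protected page directly is redirected unless the session says otherwise, and it does not rely on the `auth=1` cookie from the login script, which the browser can set to any value. The file name `auth.php`, the function names, the 30-minute idle timeout and the assumption that the site is served over HTTPS and runs on PHP 7.3 or later (for the array form of `session_set_cookie_params`) are mine.

```php
<?php
// auth.php (assumed name): session-based protection for pages, added example.

// Start the session with cookie settings that keep the id out of URLs and scripts.
function start_secure_session()
{
    if (session_status() === PHP_SESSION_NONE) {
        ini_set('session.use_only_cookies', '1'); // never accept the id from the query string
        ini_set('session.use_strict_mode', '1');  // reject ids this server did not issue
        session_set_cookie_params([
            'lifetime' => 0,      // cookie is discarded when the browser closes
            'path'     => '/',
            'secure'   => true,   // assumption: HTTPS only
            'httponly' => true,   // JavaScript cannot read the cookie
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call once, right after the username/password check has succeeded.
function mark_logged_in($username)
{
    start_secure_session();
    session_regenerate_id(true);      // fresh id: a session id fixed before login is not kept
    $_SESSION['loggedin']  = true;
    $_SESSION['id']        = $username;
    $_SESSION['last_seen'] = time();
}

// Remove the session on the server and expire the cookie in the browser.
function end_session()
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Put this at the very top of every protected page, before any output.
// $max_idle is the idle timeout in seconds (assumed value: 30 minutes).
function require_login($login_page = 'login.php', $max_idle = 1800)
{
    start_secure_session();
    $ok = isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true
        && isset($_SESSION['last_seen'])
        && (time() - $_SESSION['last_seen']) <= $max_idle;
    if (!$ok) {
        end_session();
        header('Location: ' . $login_page);
        exit();
    }
    $_SESSION['last_seen'] = time();
    // Stop a shared browser from showing this page from its cache after logout.
    header('Cache-Control: no-store');
    header('Pragma: no-cache');
}

function logout($login_page = 'login.php')
{
    start_secure_session();
    end_session();
    header('Location: ' . $login_page);
    exit();
}

// Usage (assumed page names):
//   protected page, first lines of members.php:   require 'auth.php'; require_login();
//   login script, in the success branch:          require 'auth.php'; mark_logged_in($checkuser);
//   logout.php:                                   require 'auth.php'; logout();
```

The check tests `$_SESSION['loggedin'] === true` rather than a string comparison, so a missing or differently typed value fails closed, and `end_session()` is shared by the failed check and by logout so the cookie is expired in both paths. The `Cache-Control: no-store` header is what keeps the back button from showing a protected page after logout on a public machine, which is the shared-computer concern raised later in the thread.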
cluce Posted June 8, 2007 (Author)

Thanks, that's exactly what I was thinking.
cluce Posted June 8, 2007 (Author)

This doesn't work in Firefox, only IE. Anybody know why this is?
chrisuk Posted June 13, 2007

> This doesn't work in Firefox, only IE. Anybody know why this is?

This worked in both browsers for me. Perhaps a Firefox setting is the problem?
GingerRobot Posted June 13, 2007

Do you have cookies disabled in Firefox?
cluce Posted June 13, 2007 (Author)

No, I figured out what was going on. Firefox has a session manager that saves the sessions, which I think is not secure if on a public computer.
cluce Posted June 13, 2007 (Author)

I made a mistake. This is why it wasn't working in Firefox:

```php
header("Cache-control: must-revalidate");
```

so I deleted it.