
User Authentication Page


jse2n36e


Heya,

    So I just finished my first shopping cart complete with its own basic CMS so my client can add, edit & remove products. Only problem is, that page isn't protected, so I need to do two things as far as I can see:

 

1. Create an encrypted user authentication page that requires a simple username and password.

2. And a snippet that denies access to the page unless you're logged in.

 

    From my experience, I don't think this should be much more than a page or two of code at worst, I'm intent upon writing it myself too, so I guess I'm looking for someone who can reference me to a solid PHP & MySQL tutorial for this?

    Thanks!

 

Spence

https://forums.phpfreaks.com/topic/72963-user-authentication-page/

authenticateUser(); // put at the top of page that requires authentication

//include a function like this:
function authenticateUser(){
    ## the session has to be started before $_SESSION can be read
    if (session_id() === '') {
        session_start();
    }
    ## check if user session has been set
    if (!empty($_SESSION['valid_user'])) {
        ## check if user session ip equals current ip
        if ($_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR']) {
            exit("Your session has been hijacked");
        }
        return true;
    } else {
        ## page to redirect to if user session not set
        header('location: login.php');
        exit; // stop here, otherwise the rest of the protected page still runs
    }
}

 

A function I've used a few times.

As far as logging in, compare the input of username and password by comparing against the database, something like this:

 

while ($row = mysql_fetch_array($result)) {
    unset($_SESSION['loginErrorMessage']);
    if ($user_name == $row['user_name']) {
        // strict comparison: with == two different hashes that both look like
        // numbers (for example both starting with "0e") compare as equal
        if (md5($password) === $row['user_pass']) {
            ## if login is successful set all the session variables
            $loginID = $row['id'];
            $_SESSION['valid_user'] = true;
            $_SESSION['user_name'] = $row[1];
            $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
            unset($_SESSION['loginErrorMessage']);
            unset($_SESSION['timeoutErrorMessage']);
            unset($_SESSION['failedAttempts']);
            unset($_SESSION['timeoutRetryTime']);
            ## record date last login date
            $sql_last_login = "UPDATE $db_name SET $db_lastlogin=NOW() WHERE $db_id='$loginID'";
            mysql_query($sql_last_login) or die("Select Failed P-002<br />");
            ## page to redirect to when login is successful
            header('location: index.php');
            exit; // stop here so the remaining rows cannot overwrite the result
        } else {
            ## login failed: bad password
            // record in database
            ## display error message
            $_SESSION['loginErrorMessage'] = $loginErrorMessage;
        }
    } else {
        ## login failed: username not found
        ## display error message
        $_SESSION['loginErrorMessage'] = $loginErrorMessage;
    }
}

Something very simple...

 

<?php
include "../include/config.php";
$tbl_name = "login";

// Connect to server and select database.
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// username and password sent from login form
// escape the username before it is placed in the query (prevents SQL injection)
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
$encrypted_password = md5($password);

$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$encrypted_password'";
$result = mysql_query($sql);

// mysql_num_rows counts the rows in the result
$count = mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if ($count == 1) {
    // Register $username only (the password should not be kept in the session)
    // and redirect to file "sistema.html"
    session_register("username");
    header("location:sistema.html");
    exit; // stop the script once the redirect has been sent
}
else {
    echo "Wrong Username or Password";
}
?>

 

At top of every page

<?php
session_start();
if (!session_is_registered("username")) {
    header("location:../admin/");
    exit; // without this the protected page is still sent after the redirect header
}
?>

 

Logout

<?php
session_start();
session_destroy();
header("location:../admin");
?>
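
An added example, not code from either reply: the login check and page guard discussed in this thread, written with a prepared statement, `password_hash()`/`password_verify()` in place of `md5()`, and a fresh session id on login. The table and column names follow the second reply; the in-memory SQLite database, the `shopadmin` account and the function names `checkLogin`/`isLoggedIn` are assumptions made so the script runs on its own.

```php
<?php
// Added example, not from the thread. Schema follows the second reply (table
// "login", columns username/password); database and account are constructed.
session_start();

function checkLogin(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT username, password FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so "no such user"
    // and "bad password" do the same work and give the same answer.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password'] : $dummy);
    if (!$row || !$ok) {
        return false;
    }

    session_regenerate_id(true);   // new session id after login (blocks fixation)
    $_SESSION['valid_user'] = true;
    $_SESSION['user_name']  = $row['username'];
    return true;
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['valid_user']);
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO login VALUES (?, ?)')
   ->execute(['shopadmin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Results are collected first and printed last, so no output precedes session calls.
$results = [
    'name containing a quote' => checkLogin($db, "shop'admin", 'x'),
    'wrong password'          => checkLogin($db, 'shopadmin', 'wrong'),
    'guard before login'      => isLoggedIn(),
    'right password'          => checkLogin($db, 'shopadmin', 'correct horse'),
    'guard after login'       => isLoggedIn(),
];
var_dump($results);
```

On a protected page the guard becomes `if (!isLoggedIn()) { header('Location: login.php'); exit; }` placed before any output.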
