Hi there,
I have a question related to Session. I made a login screen and all pages except than the login page should be secure, so no one can access to any page unless access from the main login page, so I did this coding but even if someone checked the option of "Remember Me" and if he/she closed the browser and come back again he can enter access any pages because the Cookies is still available because I made it here for 2 hours so after that no one can access the page, and I made another Logout so if someone press it it will remove the cookies so has to login again. So any solution for the problem.
This code I putted in my important pages - <?php
-
include 'functions.php';
-
session_start();
-
if($_SESSION["a"]!=1)
-
{
-
header("location:index.php");
-
-
}
And this is my login screen. - <?php
-
include 'functions.php';
-
-
-
if ($_POST["login"])
-
{
-
global $username;
-
$username = $_POST['username'];
-
$password = $_POST['password'];
-
$rememberme = $_POST['rememberme'];
-
-
-
if($username&&$password)
-
{
-
-
$login = mysql_query("SELECT * FROM usersystem WHERE username='$username'");
-
while ($row = mysql_fetch_assoc($login))
-
{
-
$db_password = $row['userpass'];
-
if(md5($password)==$db_password)
-
$loginok = TRUE;
-
else
-
$loginok = FALSE;
-
-
if ($loginok==TRUE)
-
{
-
$_SESSION["a"] = 1;
-
if ($rememberme=="on")
-
setcookie("username", $username, time()+7200);
-
else if ($rememberme=="")
-
$_SESSION['username']== $username;
-
$_SESSION['username'] =$_POST['username'];
-
-
header("Location: redirectpage.php");
-
exit();
-
-
}
-
-
}
-
-
-
}
-
else
-
die("Please enter a username and password");
-
}
-
-
?>
-
9  3264 
I understand what you are trying to do, but what is your question??
I want when I check the "Remeber Me" I still able when I close the browser I can still to access any page, not returning me again to the first page of login screen. I hope it's clear. Thanks for your reply I appreciate your passing to my thread.
okay!! usually 'remember me' option is used to store the data in the client. Assuming you are storing the username and password, the next time you open your page the username and password is already filled in rather no need to type it again.
Now, when you close the browser, the session is destroyed, the next time you may have to login again to access your pages.
I think your program works correctly.
 Atli 5,058
Recognized Expert Expert
Hey.
To make a secure "remember me" feature, you need to create a cookie that contains data that only the logged in user could know. Normally, this is some sort of a hash compiled from the user login/personal data.
The general procedure is, at the top of every page: - Check if the user is already logged in, by checking if the session is set.
- If he is not, check if a "remember me" cookie is set.
- If it is, verify that the information in the cookie is correct, and log the user in if it is.
- Otherwise, if the page is meant to be secure, redirect the user to the login page.
For example, if your login routine looked something like this: - <?php
-
if(isset($_POST['name'], $_POST['password']))
-
{
-
$name = mysql_real_escape_string($_POST['name']);
-
$pwd_hash = hash('sha1', $_POST['password']);
-
-
$sql = "SELECT `id` FROM `user`
-
WHERE (`name` = '{$name}')
-
AND (`password` = '{$pwd_hash}')";
-
-
$result = mysql_query($sql) or trigger_error(mysql_error(), E_ERROR);
-
if(mysql_num_rows($result) == 1)
-
{
-
$row = mysql_fetch_assoc($sql);
-
-
session_start();
-
$_SESSION['user']['id'] = $row['id'];
-
$_SESSION['user']['name'] = $name;
-
-
if(isset($_POST['remember_me']))
-
{
-
// Create a "secure" hash that can be used to verify the user
-
// login later.
-
$cookie_hash = hash('sha512', $row['id'] . $name . $pwd_hash);
-
-
// Create two cookies. One to store the user ID (so it can be
-
// retrieved later to verify the hash), and one for the hash.
-
set_cookie('user_login_id', $row['id'], time() + (3600 * 24 * 30));
-
set_cookie('user_login_hash', $cookie_hash, time() + (3600 * 24 * 30));
-
}
-
}
-
else
-
{
-
echo "Login failed. Please try again!";
-
}
-
}
-
else
-
{
-
echo "Username and/or password were not passed.";
-
}
-
?>
You could use this function to verify if the user is logged in: - <?php
-
function isUserLoggedIn()
-
{
-
// Check if the user session already exists.
-
if(isset($_SESSION['user']))
-
{
-
return true;
-
}
-
-
// Look for a cookie from the "remeber me" feature.
-
else if(isset($_COOKIE['user_login_id'], $_COOKIE['user_login_hash']))
-
{
-
// Verify that the cookie data is valid
-
$id = (int)$_COOKIE['user_login_id'];
-
$hash = (string)$_COOKIE['user_login_hash'];
-
-
$sql = "SELECT `name`, `password`
-
FROM `user`
-
WHERE (`id` = {$id})";
-
$result = mysql_query($sql) or trigger_error(mysql_error(), E_ERROR);
-
if(mysql_num_rows($result) == 1)
-
{
-
$row = mysql_fetch_assoc($sql);
-
$real_hash = hash('sha512', $id . $row['name'] . $row['password']);
-
-
if($real_hash == $hash)
-
{
-
// Log the user in, so the cookie does not need to be
-
// checked on every page.
-
$_SESSION['user']['id'] = $id;
-
$_SESSION['user']['name'] = $row['name'];
-
-
return true;
-
}
-
}
-
}
-
-
// No login method available. User is not logged in.
-
return false;
-
}
-
?>
If would recommend making the cookie has a bit more complex though, by adding other data to the hash. The more complex and unpredictable, the better.
hello RomeoX,
Session is get created in server. The policy you have used is simple
1. check if the user is under session
2. if it is yes let the user access the desired page
3. else you redirect the user to log in page.
The question is how long session is valid?
The answer is inserted in the php.ini
by default it is 20 munites. so, in general, after logging in a user will be able to use the same session(without knowing ;) ) for 20 munites. But if you dont update session in server site the user will be logged out even if he was using continuously.
after first log in, if a user close its browser and then reopen it, he may work using the previous session. because he did close his browser but he didnt turned off the session (cause session is working in the server).
I am not sure if this is possible,
Can you add a javascript code that will work on browser closing. Say if a browser close events occur simply create a AJAX request with sign out information. It may help.
But in the current browser like firefox or ie. If you close entire browser and reopen it, you actually wont get the previous session. so I guess you can tell me what browser you are using.
Best Regards,
Johny
 kovik 1,044
Recognized Expert Top Contributor
Well, "Remmber Me" and "Stay Logged In" are 2 different things.
"Remember Me" just saves their username. This can be done easily by simply setting a "username" variable in their cookies and automatically loading it into the username field.
However, the "Stay Logged In" functionality is more in-depth. You don't want to use a pre-compiled hash as ~Atli suggested. If anyone were to discover this hash (i.e. a hacker, a friend of the user who is experienced with cookie manipulation, etc.), they could copy it and use it. You do want to use a similar method, but you'll want to make it different every time that they log in.
Basically, you'll want to have an extra database column in your user's table that saves their current "auto_login " code. Any time that they visit your website and they are not logged in, check the "auto_login " code from their cookie to the "auto_login " code in the database. If they are the same, log the user in and change the code to a new, randomly generated code and save it in both locations. If the code is invalid, simply delete the cookie.
I've heard of programmers wanting to penalize people with incorrect "auto_lgin" codes in their cookies, assuming it was a failed hacking attempt, but what if you log in from work, then again from home? Of course, if you wanted to, you could save multiple "auto_login " codes, but that starts to whittle down your security measures.
Thanks a lot to everyone provide me a suggestions. Actually I use IE8.
Actually I don't know how I can make an auto login code so it will make comparative to cookies, if you have something hopefully you post it here.
Anyway, Thanks to you
Atli 5,058
Recognized Expert Expert @kovik
Your right. That is a much better method. It costs you a bit of space, but is a LOT more secure... Can't believe I didn't think of that xD @RomeoX
The worst mistake a web-developer makes... or anybody, for that matter.
Get Firefox or Chrome. It's better for you, AND it's better for everybody else ;-)
But how to check login status and what values we should send to database..Plz give example with code so that we can understand..I will be thankfull to you
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: |
last post by:
Please help.
After a number of wrong turns and experiments I need advice on login
management system to secure our web pages without inconveniencing our
visitors or our internal staff.
What I need:
A system whereby the user only has to register ONCE and he will have
automatic entry to ANY page without havinto to RE-LOGIN even if he comes in
|
by: Astra |
last post by:
Hi All
I know this probably sounds like a newbie question, but I was under the
impression that secure pages (https) don't appear in the history/address bar
history list - this appears to be incorrect?
Should I really be putting some form of expiry command at the head of each
of these pages if I don't want casual users to see them?
I use Classic ASP so is it better to use a command via this lang or the old
|
by: Pooja Renukdas |
last post by:
Hello,
I have this web site where only two pages have to be secure pages and
I need to call them using https, but since I have my development
server and my production web server, I dont want to enter the absolute
url like
response.redirect("https://myProductionServer.com/SecurePage.aspx"),
because when Im working in the development server I would have to
change it back and forth everytime. Is there an easy way to do this
without having...
|
by: Seth |
last post by:
I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.
What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side. I need to do this because I can not
reference the non-secure cookie...
|
by: Daniel Malcolm |
last post by:
Hi
I have a site where I would like some pages to be accessed via SSL (login
and payment etc) and others via regular http. However I'm not sure whether
Session state can be maintained between the 2 protocols.
We have SSL set up on the site so that it can be accessed via the same
domain:
http://www.mydomain.com/login.aspx
| | |
by: Joe |
last post by:
I have an application which runs in a non-secure environment. I also have an
application that runs in a secure environment (both on the same machine). Is
there any way to share the session data for this?
Most of the site allows the user to add things to a cart (non-secure), once
they choose to check-out, I need this information which was stored in the
session to be read by the payment page(secured).
Hope this makes sense. It's probably...
|
by: Notgiven |
last post by:
I am considering a large project and they currently use LDAP on MS platform.
It would be moved to a LAMP platform. OpenLDAP is an option though I have
not used it before. I do feel fairly confortable with my ability to use
SESSIONS for authentication and access control.
Would it better to learn and use LDAP or can you REALLY have just as secure
authentication and access control using Sessions?
Thanks for your thoughts and experience.
|
by: knal |
last post by:
Hi there,
I'm looking for a secure login script for a sort-of-community site...
(PHP, MySQL, sessions, or maybe something else ... )
I know there are a lot of scripts out there, but none of them really
seem secure, or have other kind of flaws (like IP based login etc.).
Why i'm asking here, is because there's experience out there, and i
hope experience can tell me what my best shot is. I'm aware that i will
very probably have to do...
|
by: Harris Kosmidhs |
last post by:
Hello,
while I'm developing sites for some time I never coded a login form with
security in mind.
I was wondering what guidelines there are.
For my point of view I'm thinking of using md5 passwords (it's an one
way function right?) in db. Is this a correct approach?
|
by: bizt |
last post by:
Hi,
I have a webpage where Im creating AJAX type requests by loading
dynamic pages containg JavaScript into hidden iFrames. The reason I am
opting for this method over XmlHttpRequest object requests is because
I wish for some of my requests to be over a secure https:// connection
and other not so private requests to be made over http:// .. using
XmlHttpRequest I am unable to make requests between two domains http/
https from the one...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
