I'm trying to set up a really basic login system where the user logs in, but I want to set up some pages in the site so that there's a redirect to the login page if someone tries to access a protected page without being logged in.
So, this is how I'm checking the username and password:

```php
<?php
session_start();
include ('includes/DbCon.php');

// username and password sent from form
$user=$mysqli->real_escape_string($_POST['user']);
$password=$mysqli->real_escape_string($_POST['password']);

$sql="SELECT * FROM xyz WHERE user='$user' and password='$password'";
$result=$mysqli->query($sql);

// Mysqli_num_rows is counting table rows
if(mysqli_num_rows($result) == 1){
    $row = mysqli_fetch_array($result, MYSQLI_BOTH);

    // Register $user, $password and redirect to admin area
    $_SESSION['user']=="admin";
    $_SESSION['password']=="password";

    echo '<script type="text/javascript">';
    echo 'document.location.href = "/pc.v.2/admin.php";';
    echo '</script>';
}
else {
    echo '<script type="text/javascript">';
    echo 'alert("Invalid Username or Password");';
    echo 'history.back();';
    echo '</script>';
}
mysqli_close($mysqli);
?>
```
-
-
And at the top of the protected pages, I've added this to check for session details:

```php
<?php
session_start();
if(!isset($_SERVER['PHP_AUTH_USER'])) {
    header("location:login.php");
}
else{
    echo '<script type="text/javascript">document.getElementsByClassName("login").innerHTML="Logout";</script>';
    echo "</script>";
}
?>
```
-
-
But when I try to login, I just get redirected back to the login page. It seems like the authentication isn't communicating with the $_SESSION. Where am I going wrong here?
Dormilich (Recognized Expert Moderator):
There are several things wrong.
- $_SERVER['PHP_AUTH_USER'] is used for HTTP Basic Authentication (which does not rely on sessions), not for form-based logins.
- You should not rely on JavaScript-based redirects. You can use PHP's header() function for that.
- Lines #19, #20 are completely useless.
- You never ever save a password itself (neither in a session nor in a database nor elsewhere), only its hash. Use PHP's password_hash() function for that.
I must admit that I'm not entirely sure about $_SERVER['PHP_AUTH_USER'] but it seems to work ok for the system I'm building, which is a very basic admin area, and only has one set of login details.
I had a lot of trouble with PHP headers. I kept getting errors, so I switched to JavaScript redirects which seem to work ok.
I checked on lines 19 & 20 and they actually do perform a function. At least line 19 does. I commented out both lines and was unable to use the login system (redirect back to login page after entering correct login details) so I put line 19 back and it's fine, so that line must be registering the session. Line 20 was useless though.
I'll probably set up the password hash before this goes live.
Thanks for the tips.
Dormilich (Recognized Expert Moderator):
"I checked on lines 19 & 20 and they actually do perform a function."

Then you have other lines.

```php
$_SESSION['user']=="admin";
$_SESSION['password']=="password";
```

does absolutely nothing. It's the same as writing

"I had a lot of trouble with PHP headers. I kept getting errors"

That's why you normally make the output the last thing in your script. (cf. IPO Model)
I could swear there were some other replies to this question that I can't find now. There was one explaining that those lines were incorrect because of the double equals signs. They needed single ones, which was correct. You're right about the second one (the password one), that was doing nothing.
I found I needed two headers in a single script, so I went with the j.s. redirects instead.
Dormilich (Recognized Expert Moderator):
"There was one explaining that those lines were incorrect because of the double equals signs."

If those lines were in a comparison statement (e.g. if()) then there are some cases where it could make a difference (esp. when the session value is not a string).
I still say that the lines as posted do nothing at all.
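For reference, here is how the two scripts look once the points from Dormilich's replies are applied: a single `=` to store the session value, header() called before any output and followed by exit, a session check instead of $_SERVER['PHP_AUTH_USER'] on the protected page, and password_hash()/password_verify() so the plaintext password is never stored or compared directly. This is an added example, not the poster's code and not code from the thread. It keeps the question's names (table `xyz`, includes/DbCon.php defining $mysqli, login.php, /pc.v.2/admin.php) and assumes the `password` column holds a password_hash() value; the shared file auth.php, the register_user() helper and the prepared-statement query shape are assumptions of this example. Three files are shown in one listing, separated by comments.

```php
<?php
// Added example (not the original poster's code, not from Dormilich's replies).
// Assumed: table `xyz` with columns `user` and `password`, where `password`
// holds a password_hash() value; includes/DbCon.php defines $mysqli.
declare(strict_types=1);

// Let mysqli throw on SQL/connection errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// ---- auth.php: helpers required by login.php and by every protected page ----

/** Store a new user with a hashed password (run once from a setup script). */
function register_user(mysqli $db, string $user, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted bcrypt, self-describing
    $stmt = $db->prepare('INSERT INTO xyz (user, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Verify a submitted username/password against the stored hash. */
function authenticate(mysqli $db, string $user, string $password): bool
{
    // Bound parameter: the username is never concatenated into SQL, so
    // real_escape_string() is not needed here.
    $stmt = $db->prepare('SELECT password FROM xyz WHERE user = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = (bool) $stmt->fetch();
    $stmt->close();

    // The plaintext is compared with the stored hash and never written to the
    // database or the session. For an unknown user, verify against a throwaway
    // hash anyway so a bad username takes about as long to reject as a bad
    // password.
    if (!$found) {
        $hash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    return password_verify($password, (string) $hash) && $found;
}

/** Redirect with header() and stop; nothing may have been echoed before this. */
function redirect(string $location): void
{
    header('Location: ' . $location);
    exit;
}

/** Call at the very top of a protected page, before any HTML is output. */
function require_login(): string
{
    session_start();
    if (empty($_SESSION['user'])) {
        redirect('login.php');
    }
    return (string) $_SESSION['user'];
}

// ---- login.php: receives the POSTed form ----
require 'auth.php';
require 'includes/DbCon.php'; // defines $mysqli, as in the question

session_start();
$user     = (string) ($_POST['user'] ?? '');
$password = (string) ($_POST['password'] ?? '');

if (authenticate($mysqli, $user, $password)) {
    $mysqli->close();
    session_regenerate_id(true);    // fresh session id after login, so an id
                                    // planted before login is useless
    $_SESSION['user'] = $user;      // assignment ('='), not comparison ('==')
    redirect('/pc.v.2/admin.php');  // headers still unsent: no echo above this
}

$mysqli->close();
// Output comes only after every header() call, so "headers already sent"
// cannot happen.
echo 'Invalid Username or Password';

// ---- admin.php: a protected page ----
require 'auth.php';
$who = require_login();             // unauthenticated visitors go to login.php
// The "Login" link can be rendered as "Logout" from here on.
echo 'Logged in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

The reason the redirect works here and failed for the poster is ordering: header() only succeeds while the response headers are unsent, so every echo is placed after the last header() call and the redirect is followed by exit so the rest of the script does not run for a logged-out visitor. Storing only the username in the session, and only after session_regenerate_id(), is what the protected page's check relies on; nothing about the password survives the request.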