multiple user password protection

"Lou" <lo****@msc-ltd.co.uk> wrote in message news:35**************************@posting.google.c om...

Please can someone put me out my misery!
Im trying to find a multiple user/password protection script that will
redirect the specific user to a specific directory. [...] L

make a link to a page call login.php?ref=X.php

where X.php is the referring page

then save the code below as login.php

It works for me..., but I am only a beginner.
<?php

$front = '<!--start-->'; //put the start of your html file here....

$end = '<!---end-->'; //put the end your html file here
?>
<?php
if ($HTTP_POST_VARS["username"]=="") {
echo $front;
?>
<H1>Login to myurl.com</H1>
Please enter your details below:<BR>
<FORM METHOD="post" ACTION="login.php?ref=<?php echo $ref; ?>" ID="frm">
<LABEL CLASS="mul">Username: <INPUT TYPE="text" NAME="username" SIZE="20" ID="username"></LABEL>
<LABEL CLASS="mul">Password: <INPUT TYPE="password" NAME="password" SIZE="15" ID="password"></LABEL><BR><BR>
<DIV STYLE="text-align: center;">
<INPUT TYPE="Submit" VALUE="log in" ID="submit" NAME="submit" CLASS="submit">
</FORM>
<?php echo $end; ?>
<?php
}
else{
// __________________________________________________ _____ clean out previous entries
session_register("permission");
session_register("username");

$username=$HTTP_POST_VARS["username"];
$password=$HTTP_POST_VARS["password"];
$permission = 0;
session_start();
if ($username=="login" AND $password=="password"){ $permission = 1;}
if ($username=="secondlogin" AND $password=="masterpassword"){ $permission = 2;}
//etc...
$username=$HTTP_POST_VARS["username"];
session_register("permission");
session_register("username");
if ($permission > 0){
session_start();
echo $front;
?>
<H1>welcome <?php echo $username; ?></H1>

<?php
if (strpos($ref, '.php') === false) {
$ref .= '.php?';
}
echo 'Congratulations, login correct. <A HREF="'.$ref.'&amp;PHPSESSID='.session_id().'">Ple ase continue</A>.';
echo $end;
?>
<?php
}
else{
?>
<?php echo $front; ?>
<H1>please try again <?php echo $username; ?></H1>
Sorry: login NOT correct. <A HREF="login.php<?php echo '?ref='.$ref; ?>">Please try again</A>.
<?php echo $end; ?>
<?php
}
?>
<?php
}
?>

Then, in other pages, that you want to password protect, you put.

<?php
session_start();
if ($permission < 1) {
echo 'please <A HREF="login.php?ref=mypage.php">login first</A>';
}
else {
[rest of the page.....]
}

Note that for this way you do need to use sessions... how they work, I have no idea, but they seem to work for me ... lol

- Nicolaas

Don't do it this way. If register globals is turned on, visitors can simply
go to one of your "password protected" pages, add "?permission=1" to the URI
and they will be allowed in.

- Kevin

"WindAndWaves" <ac****@ngaru.com> wrote in message
news:l5********************@news.xtra.co.nz...

"Lou" <lo****@msc-ltd.co.uk> wrote in message
news:35**************************@posting.google.c om...

Please can someone put me out my misery!
Im trying to find a multiple user/password protection script that will
redirect the specific user to a specific directory.

[...]

L

make a link to a page call login.php?ref=X.php

where X.php is the referring page

then save the code below as login.php

It works for me..., but I am only a beginner.
<?php

$front = '<!--start-->'; //put the start of your html file here....

$end = '<!---end-->'; //put the end your html file here
?>
<?php
if ($HTTP_POST_VARS["username"]=="") {
echo $front;
?>
<H1>Login to myurl.com</H1>
Please enter your details below:<BR>
<FORM METHOD="post" ACTION="login.php?ref=<?php echo $ref; ?>"
ID="frm">
<LABEL CLASS="mul">Username: <INPUT TYPE="text" NAME="username"
SIZE="20" ID="username"></LABEL>
<LABEL CLASS="mul">Password: <INPUT TYPE="password" NAME="password"
SIZE="15" ID="password"></LABEL><BR><BR>
<DIV STYLE="text-align: center;">
<INPUT TYPE="Submit" VALUE="log in" ID="submit" NAME="submit"
CLASS="submit">
</FORM>
<?php echo $end; ?>
<?php
}
else{
// __________________________________________________ _____ clean out
previous entries
session_register("permission");
session_register("username");

$username=$HTTP_POST_VARS["username"];
$password=$HTTP_POST_VARS["password"];
$permission = 0;
session_start();
if ($username=="login" AND $password=="password"){ $permission = 1;}
if ($username=="secondlogin" AND $password=="masterpassword"){
$permission = 2;}
//etc...
$username=$HTTP_POST_VARS["username"];
session_register("permission");
session_register("username");
if ($permission > 0){
session_start();
echo $front;
?>
<H1>welcome <?php echo $username; ?></H1>

<?php
if (strpos($ref, '.php') === false) {
$ref .= '.php?';
}
echo 'Congratulations, login correct. <A
HREF="'.$ref.'&amp;PHPSESSID='.session_id().'">Ple ase continue</A>.';
echo $end;
?>
<?php
}
else{
?>
<?php echo $front; ?>
<H1>please try again <?php echo $username; ?></H1>
Sorry: login NOT correct. <A HREF="login.php<?php echo
'?ref='.$ref; ?>">Please try again</A>.
<?php echo $end; ?>
<?php
}
?>
<?php
}
?>

Then, in other pages, that you want to password protect, you put.

<?php
session_start();
if ($permission < 1) {
echo 'please <A HREF="login.php?ref=mypage.php">login first</A>';
}
else {
[rest of the page.....]
}

Note that for this way you do need to use sessions... how they work, I
have no idea, but they seem to work for me ... lol

- Nicolaas

"Kevin" <ke***@wxREMOVE4SPAM3.com> wrote in message news:z8********************@comcast.com...

Don't do it this way. If register globals is turned on, visitors can simply
go to one of your "password protected" pages, add "?permission=1" to the URI
and they will be allowed in.

True Kevin - is there a way of preventing this from happening? Could I say something like if session("permission) < 1 then lockout?

This could be easily provented by referring the session variable as
$_SESSION["variable_name"] instead of $variable_name.

If you are using sessions for authentication, I would recommend revalidating
the session's login information on each request (i.e., put the username &
password submitted into the session and check it each time) for two reasons:

1) If, for some reason, a page fails to call session_start(), a user can
populate the $_SESSION array from a query.
- and -
2) Let's say you delete a user from wherever you're storing user data
(database, file, etc.) If you validate on every request, they next time
s/he tries to do something, they will be stopped. If you trust a permission
variable stored in their session, they can continue doing whatever they want
until their session expires.

So I would instead put the "username" and "password" submitted into the
session and check it every time. Alternately use PHP with HTTP
authentication:
http://us2.php.net/manual/en/features.http-auth.php

- Kevin

"WindAndWaves" <ac****@ngaru.com> wrote in message
news:Iz********************@news.xtra.co.nz...

"Kevin" <ke***@wxREMOVE4SPAM3.com> wrote in message
news:z8********************@comcast.com...

Don't do it this way. If register globals is turned on, visitors can
simply
go to one of your "password protected" pages, add "?permission=1" to the
URI
and they will be allowed in.

True Kevin - is there a way of preventing this from happening? Could I
say something like if session("permission) < 1 then lockout?

Lou wrote:

Please can someone put me out my misery!
Im trying to find a multiple user/password protection script that will redirect the specific user to a specific directory.

Google is your friend <http://www.google.com/search?q=php+login>

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/