Authenticating Users

I'm trying to set up a really basic login system where the user logs in, but I want to set up some pages in the site so that there's a redirect to the login page if someone tries to access a protected page without being logged in.

So, this is how I'm checking the username and password:

  1.  
  2. <?php
  3. session_start();
  4. include ('includes/DbCon.php');
  5.  
  6. // username and password sent from form 
  7. $user=$mysqli->real_escape_string($_POST['user']);
  8. $password=$mysqli->real_escape_string($_POST['password']);
  9.  
  10. $sql="SELECT * FROM xyz WHERE user='$user' and password='$password'";
  11. $result=$mysqli->query($sql);
  12.  
  13. // Mysqli_num_rows is counting table rows
  14. if(mysqli_num_rows($result) == 1){
  15.     $row = mysqli_fetch_array($result, MYSQLI_BOTH);
  16.  
  17. // Register $user, $password and redirect to admin area
  18.  
  19. $_SESSION['user']=="admin";
  20. $_SESSION['password']=="password";
  21.  
  22. echo '<script type="text/javascript">';
  23. echo 'document.location.href = "/pc.v.2/admin.php";';
  24. echo '</script>';
  25.  
  26. }
  27. else {
  28. echo '<script type="text/javascript">';
  29. echo 'alert("Invalid Username or Password");';
  30. echo 'history.back();';
  31. echo '</script>';
  32.  
  33. }
  34. mysqli_close($mysqli);
  35. ?>
And at the top of the protected pages, I've added this to check for session details:

  <?php
  session_start();
  if(!isset($_SERVER['PHP_AUTH_USER'])) {
  header("location:login.php");
  }
  else{
  echo '<script type="text/javascript">document.getElementsByClassName("login").innerHTML="Logout";</script>'; 
  echo "</script>";
  }
  ?>

But when I try to login, I just get redirected back to the login page. It seems like the authentication isn't communicating with the $_SESSION. Where am I going wrong here?
Jun 10 '15 #1
Dormilich
there are several things wrong.

- $_SERVER['PHP_AUTH_USER'] is used for HTTP Basic Authentication (which does not rely on sessions), not for form based logins.

- you should not rely on JavaScript based redirects. you can use PHP’s header() function for that.

- lines #19, #20 are completely useless.

- you never ever save a password itself (neither in a session nor in a database nor elsewhere), only its hash. use PHP’s password_hash() function for that.
Jun 12 '15 #2
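
The points in reply #2 put together, as an added example that is not part of the thread: a prepared statement, password_verify() against a stored hash, a session value set with a single "=", and header() redirects followed by exit. It assumes the `password` column of table `xyz` holds password_hash() output and that includes/DbCon.php defines $mysqli as in the original post; the `error=1` query flag is hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the `password` column of
// table `xyz` holds password_hash() output, and that includes/DbCon.php
// defines $mysqli as in the original post.

// Check the submitted credentials; on success record the login in the session.
function attempt_login(mysqli $db, string $user, string $password): bool
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password FROM xyz WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true if a row was fetched, null if none
    $stmt->close();

    if ($found !== true || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // new session ID after login (anti-fixation)
    $_SESSION['user'] = $user;     // single "=": assignment, not comparison
    return true;
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;   // stop here, or the protected page still renders
    }
}

// Login handler (the script the form posts to).
session_start();
require 'includes/DbCon.php';

$user = $_POST['user'] ?? '';
$pass = $_POST['password'] ?? '';
// Reject array-valued fields (user[]=...) before they reach the typed function.
if (is_string($user) && is_string($pass) && attempt_login($mysqli, $user, $pass)) {
    header('Location: /pc.v.2/admin.php');
} else {
    header('Location: login.php?error=1');   // hypothetical error flag
}
exit;
```

A protected page would call session_start() and then require_login() before sending any output, which is what lets header() work without the "headers already sent" error.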
tdrsam
I must admit that I'm not entirely sure about $_SERVER['PHP_AUTH_USER'] but it seems to work ok for the system I'm building, which is a very basic admin area, and only has one set of login details.

I had a lot of trouble with PHP headers. I kept getting errors, so I switched to javascript redirects which seem to work ok.

I checked on lines 19 & 20 and they actually do perform a function. At least line 19 does. I commented out both lines and was unable to use the login system (redirect back to login page after entering correct login details) so I put line 19 back and it's fine, so that line must be registering the session. Line 20 was useless though.

I'll probably set up the password hash before this goes live.

Thanks for the tips.
Jun 14 '15 #3
Dormilich
> I checked on lines 19 & 20 and they actually do perform a function.

then you have other lines.

  $_SESSION['user']=="admin";
  $_SESSION['password']=="password";

does absolutely nothing. it’s the same as writing

  1 == 2;

> I had a lot of trouble with PHP headers. I kept getting errors

that’s why you normally make the output the last thing in your script. (cf. IPO Model)
Jun 15 '15 #4
tdrsam
I could swear there were some other replies to this question that I can't find now. There was one explaining that those lines were incorrect because of the double equals signs. They needed single ones, which was correct. You're right about the second one (the password one), that was doing nothing.

I found I needed two headers in a single script, so I went with the j.s. redirects instead.
Jun 15 '15 #5
Dormilich
> There was one explaining that those lines were incorrect because of the double equals signs.

if those lines were in a comparison statement (e.g. if()) then there are some cases where it could make a difference (esp. when the session value is not a string).

I still say that the lines as posted do nothing at all.
Jun 15 '15 #6
