
Thread: Login and session handling management

  1. #1 Kezzer (Senior Member)

    Login and session handling management

    Well, I'm trying to devise a system that lets me log in and handles sessions using PHP and MySQL.

    All I want is a system that lets me log in (this is for my website) and generally access certain pages whilst being logged in. I'm using the switch function to load my pages as well, if that's any help.

    I have a good load of knowledge in programming, although this kind of stuff just plain annoys me as I'm not familiar with the syntax, the standard library in PHP or generally what I'm doing. This is what I've got so far:

    PHP Code:

    <form>
    Username:<br />
    <input type="text" name="uname">
    <br /><br />
    Password:<br />
    <input type="password" name="pword">
    <br /><br />
    <input type="submit" name="_login">
    </form>

    <?php

    $link = mysql_connect("localhost", "x", "x")
        or die("Could not connect : " . mysql_error());
    mysql_select_db("x") or die("Could not select database");

    $uname  = $_GET['uname'];
    $pword  = $_GET['pword'];
    $_login = $_GET['_login'];   // the submit button above is named "_login"

    // Note: the form values are dropped straight into the SQL text and the
    // password is compared in plain text. mysql_query() also returns a result
    // whenever the query itself is valid, even if no row matches, so this does
    // not yet check that the credentials are right.
    if ($_login == 1 && mysql_query("SELECT `ID`, `name`, `password` FROM `user` WHERE user='$uname' AND password='$pword'", $link)) {

        $_SESSION['user'] = $uname;
        $_SESSION['password'] = $pword;

    }

    ?>
    This just lobs all of the information in the argument of the if statement into the header, so I end up with "admin.php&uname=blah&pword=blah&_login=" (where's the 1?). I don't know if it has worked or not, and I need to start the session on every page of the admin section of my site I visit, typically done using the session_start() function, although apparently you need to edit your php.ini file to allow session functions to work (I have no idea how to do this).

    Any help would be really nice.

  2. #2 Commander Keen
    The first line of all PHP pages that want to use sessions should be

    <?php session_start(); ?>

    This is confusing because after the homepage (where you first "start the session"), on all other pages you really want to "continue using the session". Take it as read that it needs to be included.

    I guess that the "<form>" line is on an HTML page, and that it appropriately submits to the PHP code?

    i.e. the form tag is like this:
    <form method="get" action="validate_login.php">

    and the PHP as above is in a file called validate_login.php or something...

    If you change the method to 'post' it will hide the details from the address bar. Just a personal preference really. I like my address bars tidy.

    You can access the variables using these lines now.

    $uname  = $_POST['uname'];    // matches name="uname" in the form above
    $pword  = $_POST['pword'];
    $_login = $_POST['_login'];   // the submit button is named "_login"

    Test these values using this:

    echo $uname . "<br>" . $pword . "<br>" . $_login;

    If any of them do not appear then something is wrong.

    On another note, I personally don't think that _login should have a value associated with it because it is just a submit button. I don't know why you are trying to use it. I might be missing the point though.

  3. #3 Commander Keen
    Did you get this sorted, mate?

    I had made a better second post with a little code but apparently I got distracted before I submitted it.

    Basically I think the '1' from the submit button will not happen. I could post a generic script and form if you like. Setting the password into a session is a bit dodgy really.

    And the SQL could be cut down to:

    SELECT * FROM `user` WHERE user='$uname' AND password='$pword';

    Then if the result set has one row the user is valid. Otherwise they don't exist, or you have multiple users with the same name and password, which should not be possible if you specify that the username column in the DB is UNIQUE.

    Just some more thoughts really.
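Commander Keen's one-row check and the concern about what ends up in the session, written up as an added example (not code from this thread) using PDO prepared statements and password_hash()/password_verify() in place of the md5/sha1 mentioned in the thread. The table `user(ID, name, password_hash)` with a UNIQUE index on `name`, the database credentials, and the field names from Kezzer's form are assumptions:

```php
<?php
// Added example, not code from the thread. Login handler built on the
// "exactly one matching row, username is UNIQUE" check, with prepared
// statements and password_verify(). Table, columns and credentials are assumed.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=x;charset=utf8mb4', 'x', 'x', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Called at registration time. password_hash() salts and slow-hashes the value,
// so the table never holds a plain password or an unsalted digest of it.
function storePassword(PDO $pdo, string $name, string $plain): void
{
    $stmt = $pdo->prepare('INSERT INTO user (name, password_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($plain, PASSWORD_DEFAULT)]);
}

// Returns the user's ID on success, or null. The username is bound as a
// parameter rather than interpolated, so it cannot change the query text, and
// the password comparison happens in PHP rather than in the WHERE clause.
function authenticate(PDO $pdo, string $name, string $plain): ?int
{
    $stmt = $pdo->prepare('SELECT ID, password_hash FROM user WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // at most one row thanks to UNIQUE(name)
    if ($row === false || !password_verify($plain, $row['password_hash'])) {
        return null;
    }
    return (int) $row['ID'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uid = authenticate($pdo, $_POST['uname'] ?? '', $_POST['pword'] ?? '');
    if ($uid === null) {
        http_response_code(401);
        echo 'Login failed';
        exit;
    }
    // Fresh session ID on login, so an ID planted before authentication is useless.
    session_regenerate_id(true);
    // Store only the user ID: the server-side session is the proof of login,
    // so there is no reason to keep the password (hashed or not) in it.
    $_SESSION = ['uid' => $uid];
    header('Location: admin.php');
    exit;
}
```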

  4. #4 Kezzer (Senior Member)
    Hey, sorry, I ended up giving up on it but will revise it again. I haven't had time yet but I can see what you mean there. I've already created the table with the password and username etc. in it. There aren't many pages to it. If I use session_start(); at the top of the page and the user is not active with that session, what would it do?

  5. #5 HEXUS.net Webmaster
    Setting the password into a session is a bit dodgy really.
    Why? As long as you apply a little encryption like md5 it's perfectly secure. Even if it isn't encrypted it's not the end of the world for small-scale applications. As long as the session ID isn't in the URL, session hijacking should prove quite difficult.

    If I use session_start(); at the top of the page and the user is not active with that session, what would it do?
    Create a blank session for that user with no information in it other than the current session ID.

  6. #6 Commander Keen
    Re the password: I just don't see what job it serves after the user is authenticated. That's all. Passwords should always be md5.

  7. #7 HEXUS.net Webmaster
    Because then they could hijack the session with another username, and if it assumes they are authenticated it will allow them to spoof as someone else. Having the md5 password and the username in the session means they need both to be correct to impersonate another user, and the chances of that are a lot slimmer.

  8. #8 Commander Keen
    Oh, OK, I see. I just usually timestamp it and add a random piece of rubbish to it as well.

    Speculation is always: what are the benefits of a quick md5 of the md5 + a bit of guff? Could take the spoofer's lifetime++ just to post in a forum.

    I was thinking his password was stored to do something nuts like "login fresh" on every page. I have just never considered passing the password about.

    Anyway Kezzer, want some more help or are things flying today?

  9. #9 Kezzer (Senior Member)
    Hehe, well, like I said, I'll be using a switch to change the content of the page. If I put session_start(); at the top of the includes, obviously I get a parse error, as you have to put session_start(); before anything. If I put it at the top of the main page (not an include), then will it start the session when you change the content of the main page as opposed to completely changing pages?

  10. #10 HEXUS.net Webmaster
    session_start() has no effect on content, it merely tells PHP to find a session for the user or create one if it doesn't already exist.

  11. #11 Kezzer (Senior Member)
    Well, what I mean is that if I put session_start() at the top of the page it's only going to exist on one page, being admin.php. All the other pages will be viewed by using the switch (simply including content into the relevant area).

  12. #12 HEXUS.net Webmaster
    If you think you can build an entire site based on one page and some includes, then yes. I wouldn't recommend that as an approach, but it's your design.

  13. #13 Kezzer (Senior Member)
    Surely there's a way around that?

  14. #14 HEXUS.net Webmaster
    Around what?

  15. #15 Kezzer (Senior Member)
    Having the session_start() occur on every page you visit using a switch.

  16. #16 scottyman (daft ideas inc.)
    If using sessions then calling session_start() is essential: it helps for validation, and eliminates the need for a switch statement, i.e.
    PHP Code:
    <?php
    /*
     * edit groups
     */

    session_start();
    require_once 'DB.php';
    require_once '../config.inc';
    require_once (INCLUDES_DIR . 'template.inc');
    require_once (INCLUDES_DIR . 'functions.inc');
    require_once (INCLUDES_DIR . 'csv.inc');

    $smarty = new PasTVTemplate();
    $smarty->showHeader('Group Edit');
    // isAdmin is only ever set from the database row at login (see login.php below),
    // so a request cannot grant itself this flag.
    if ($_SESSION['isAdmin'] == 1) {
        $connect = DB::connect($db);
        if (DB::isError($connect))
            die($connect->getMessage());
        if (!empty($_POST['group_name'])) {
    ...
    which simply starts the session if not already started. isAdmin is set if and only if the user is an admin (when user information is pulled from the DB after successful login), and if $_POST is set, then the group name is added to the database if it doesn't already exist.
    login.php looks like this (realised I've just left out a rather large chunk of "stuff"):
    PHP Code:
    <?php
    /**
     * Login.php
     */
    session_start();
    require_once "DB.php";
    require_once "../config.inc";
    require_once (INCLUDES_DIR . "template.inc");
    require_once (INCLUDES_DIR . 'functions.inc');

    $connect = DB::connect($db);
    if (DB::isError($connect))
        die($connect->getMessage());
    //add error handling code.

    $smarty = new PasTVTemplate();
    if (empty($_POST)) {
        $smarty->showHeader('PasTV :: User Registration');
        $smarty->display('login.tpl');
    } else {
        $passwd = sha1($_POST['password']);
        // Note: $_POST['email'] goes into the query text unescaped, and the
        // stored hash is an unsalted sha1 of the password.
        $query = "SELECT uid, fname, lname, email, admin
                  FROM users
                  WHERE email = '{$_POST['email']}'
                  AND password = '{$passwd}'";
        $result = $connect->query($query);
        if (DB::isError($result))   // check the query result, not the connection
            die($result->getMessage());
        if ($row = $result->fetchRow(DB_FETCHMODE_ASSOC)) {
            session_unset();
            session_register('uid');
            session_register('email');
            session_register('uid');    // redundant repeat of the call above
            if ($row['admin'] == 1) {
                session_register('isAdmin');
                $_SESSION['isAdmin'] = $row['admin'];
            }
            $_SESSION['username'] = $row['fname'] . " " . $row['lname'];
            $_SESSION['email'] = $row['email'];
            $_SESSION['uid'] = $row['uid'];
            loadPage(INDEX_PAGE);
        } else {
            $smarty->assign($_POST);
            $smarty->showHeader('PasTV :: User Registration');
            $smarty->display('login.tpl');
        }
    }
    $smarty->display('footer.tpl');
    ?>
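Kezzer's single admin.php with a switch (posts 9 to 15), as an added example (not code from this thread) showing that one session_start() at the top covers every page the switch includes, with a login gate in front of the switch. The include filenames and the `uid`/`isAdmin` session keys are assumptions:

```php
<?php
// Added example, not code from the thread. One admin.php that includes its
// content through a switch, as Kezzer describes. Every "page" is the same
// request, so the single session_start() below covers all of them.
// Include filenames and session keys are assumptions.

// Session cookie settings must be applied before session_start().
ini_set('session.use_only_cookies', '1');  // ignore session IDs passed in the URL
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
session_start();

// Gate: anyone without a logged-in session is sent away before any content.
if (empty($_SESSION['uid'])) {
    header('Location: login.php');
    exit;
}

$page = $_GET['page'] ?? 'home';

// The case labels are the allowlist: the request picks a key, never a path,
// so nothing outside the includes directory can be pulled in.
switch ($page) {
    case 'home':
        require __DIR__ . '/includes/admin_home.inc';
        break;
    case 'users':
        require __DIR__ . '/includes/admin_users.inc';
        break;
    case 'groups':
        // Admin-only: isAdmin is set from the database at login, never from the request.
        if (empty($_SESSION['isAdmin'])) {
            http_response_code(403);
            echo 'Forbidden';
            break;
        }
        require __DIR__ . '/includes/admin_groups.inc';
        break;
    case 'logout':
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    default:
        http_response_code(404);
        echo 'Unknown page';
}
```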
