PHP / MySQL Login Problem

will7
OK, to cut a long story short: I am trying to make a login system and am having trouble. I can make it so it logs in fine, but here is the problem:

Say a user logs in and their protected page is called client1.php. Now, when they log in to access their page, if they type other secret pages' filenames into their browser, they can access them with their login info. So, if client1 accessed his page (client1.php), he could also access client2's page by typing the exact filename (let's say client2.php) into the browser. Now, I know there has to be a way of stopping this from happening!

I think it can be done with sessions, but am not sure how. This is the code I have so far:

login.php:
PHP:
<?php
// Connect to database (credentials redacted)
$dbh = mysql_connect("BLANK", "BLANK", "BLANK") or die('I cannot connect to the database because: ' . mysql_error());
mysql_select_db("BLANK");

session_start();
$username = $_POST['username'];
$password = $_POST['password'];

// NOTE: $_POST values are interpolated straight into the SQL (an SQL injection hole),
// and the password is compared in plaintext against the stored value.
$query = "SELECT * FROM users where username='$username' and password='$password'";
$result = mysql_query($query);

if (mysql_num_rows($result) != 1)
{
    header("Location: notfound.html");
    exit; // stop here; without exit the rest of the script still runs after the redirect header
}
else
{
    // $lastName was never assigned in the original; it has to come from the matched row
    $row = mysql_fetch_assoc($result);
    $lastName = $row['lastName'];
    $_SESSION['auth'] = $lastName;
    header("Location: $lastName.php");
    exit;
}
?>

And for will.php (with "will" being what is in the "name" field). Note: this is what I placed at the top of the page before the HTML; the HTML code for the page is below it.
PHP:
<?php
session_start();
if ($_SESSION['auth'] != 'will')
{
    header("Location: notfound.html");
    exit; // without exit, the protected HTML below is still sent along with the redirect
}
?>

So, where have I gone wrong, and how do I achieve what I am trying to do? I brought this thread over from WebDesignForums.net:

http://www.webdesignforums.net/showthread.php?p=162336#post162336

So, I don't know if any of the info in that thread helps you. I brought it over to NamePros because there are a lot more people who come online, so there is a higher chance of quick replies.

Thanks in advance, hope you understand my question.

Will.
•••
A different approach

Just a couple of things that might help you work out your problem. First of all, at one time I had a login page with PHP and MySQL, but I went about the whole thing a different way...

I had just one login page for every user and displayed similar but individual pages for each person. Then on every other page that required a person to be logged in, I just checked with sessions that they were. I don't know exactly how you're structuring your site, but the general idea was something like this:

I had all the info about each person in a row of a MySQL table, or in some cases in a file. Every time a person accessed this one page (let's call it login.php) their name and password were checked against the table. If these details were correct then a session variable was set, and they were allowed to see their area. Every other page from that point was only available to that user if they had the session variables set. Any specific data needed was then fetched at the time it was required.

Hope that helps, but let me know if it doesn't...
•••
OK. Well, I have my main site, and then a separate page for each web design client. These are the password-protected pages. I have set sessions, but it just checks for the session, and if it's set, they seem to be able to access any page.

It used to be that if they typed in the exact filename then they could access it without logging in, but, with the help of sessions I stopped that. But, I can't seem to get this problem I have now sorted out.

Any more help anyone?
•••
Hi,

This is a common problem and you're right, sessions are the way to go...

The procedure is:

1. User logs in (login.php)
2. create PHP session for user with his ip, expiring in say 20 mins
3. every page the user then visits must check that he has access to it first before displaying itself.

That's the theory, now the practical:

login.php:
PHP:
<?php
$username = $_POST['username'];
$password = $_POST['password'];

if (verify_user($username, $password)) { // checks user/pass from mysql (your own function)
  $url = lookup_client_page($username); // returns client1.php, client2.php,.. (your own function)
  session_start();
  // session_register() is deprecated/removed; writing to $_SESSION is all that is needed
  $_SESSION['username'] = $username;
  $_SESSION['isloggedin'] = "true";
  header("Location: $url");
  exit(); // nothing below should run once we have redirected
} else {
  // we couldn't find user/pass combo... Show error msg..
  echo '<h3>Invalid user/pass</h3>';
}
?>

Show login form at the bottom of login.php:

HTML:
<form action="login.php" method="post"> 
Username: <input type="text" name="username" /><br /> 
Password: <input type="password" name="password" /><br /> 
<input type="submit" value=" Login " /> 
</form>


Then for each client page at the top:

client.php
PHP:
<?php
session_start();
// This only checks "is somebody logged in". To keep client1 out of client2.php, the page
// must also compare $_SESSION['username'] against the user this particular page belongs to.
if ( !isset($_SESSION['username'], $_SESSION['isloggedin'])
     || $_SESSION['username'] == "" || $_SESSION['isloggedin'] != "true" )
{
  header('Location: login.php'); // header() needs the "Location: " prefix to redirect
  exit();
}

// display client page (escape the username: it came from the login form)
echo 'Welcome Client <strong>' . htmlspecialchars($_SESSION['username']) . '</strong>...';

// ..etc ... rest of client content
?>

Lastly the logout page:

logout.php
PHP:
<?php 
session_start(); 
session_unset(); 
session_destroy(); 

echo '<meta http-equiv="refresh" content="5; URL=login.php" />'; 
echo 'Bye... You have successfully logged out!<br />'; 
?>

That's about it...

Let us know how you get along...

Cheers...
•••
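The procedure in the reply above, written out as an added example (this is not code from the thread). The point the original question keeps circling is that "is a session set?" is authentication, while deciding whether this session may see client2.php is authorization: the page has to compare the identity stored in the session against the page's owner. Assumptions not in the original: PHP 7.3 or later, a PDO connection in `$pdo`, and a `users` table with columns `username`, `password_hash` (made with `password_hash()`), `page` (the client's own page name, e.g. `client1`) and `role` (`client` or `admin`); `notfound.html` is the error page from the original post.

```php
<?php
// auth.php -- added example, not code from the thread. Included by login.php and by
// the top of every client page. Assumptions not in the original: a PDO connection in
// $pdo, and a users table with columns username, password_hash (made with
// password_hash()), page (e.g. 'client1', the client's own page) and role
// ('client' or 'admin'). notfound.html is the error page from the original post.
declare(strict_types=1);

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Keep the session cookie away from JavaScript; add 'secure' => true over HTTPS.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Authentication: is this username/password pair valid? Returns the client's page
// name on success, null otherwise. $username is bound, never interpolated into SQL.
function login(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT password_hash, page, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    start_session();
    session_regenerate_id(true);          // fresh ID: a cookie planted before login is now useless
    $_SESSION['username'] = $username;
    $_SESSION['page']     = $row['page']; // which page this session owns
    $_SESSION['role']     = $row['role'];
    return $row['page'];
}

// Authorization: the session must exist AND belong to this page's owner (or an admin).
// Checking only "is a session set?" is what let client1 read client2.php.
function require_owner(string $pageOwner): void
{
    start_session();
    $isOwner = isset($_SESSION['page']) && $_SESSION['page'] === $pageOwner;
    $isAdmin = isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
    if (!$isOwner && !$isAdmin) {
        header('Location: notfound.html');
        exit; // without exit, the page body is still sent along with the redirect
    }
}

// ---- login.php (POST handler) ----
//   require 'auth.php';
//   $page = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($page === null) { header('Location: notfound.html'); exit; }
//   header('Location: ' . $page . '.php');   // $page comes from the DB, not from the request
//   exit;
//
// ---- top of client1.php ----
//   require 'auth.php';
//   require_owner('client1');   // a client2 session has page === 'client2' and is turned away
```

The redirect target is built from the `page` column rather than from anything the browser sent, so a user cannot steer the redirect; and because `require_owner()` takes the owner as a parameter, each client page states explicitly whose page it is instead of relying on a blanket "logged in" flag.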
Nice one! Thank you so much gulfinet. You don't know how long I have been trying to get that sorted!

Two more questions:

1) When you go to www.rednerve.com and you see the login bit? Well, how can I make it so that when a client logs in, instead of displaying that, it says "You are logged in as $username. Click here to go to your page. (And it shows a logout link too)". But it only shows it if the client is logged in and it needs to display on all the pages of the site.

2) How would I go about encrypting the important data (namely passwords) on the site?

Thanks again for the help and I hope you can do the same with these final problems.
•••
You should really remove your username and password for your database from your code example (top post) and change them ASAP!!
•••
Whoops! Always forget about that. Changed.

Now, anyone have any help on my other problems?
•••
Could anyone check the thread link I posted earlier (to WDF), check out the updates to this saga and see if they can help me? I changed the code to MD5-protect it and now it doesn't work :-/

EDIT: Here is the link and the code I am using.

http://www.webdesignforums.net/showthread.php?p=162404#post162404

login.php:
PHP:
<?php
//Connect to database
$dbh = mysql_connect("*****", "*****", "****") or die(mysql_error());
mysql_select_db("******");

$username = $_POST['username'];
$password = $_POST['password'];

//simple encryption added as an example (The passwords stored in the users table must be encrypted the same way)
// NOTE: $username is still interpolated unescaped (SQL injection), and md5 is a fast,
// unsalted digest rather than a password hash.
$query = "SELECT lastName FROM users where username='$username' and password='".md5($password)."'";
$result = mysql_query($query);

if (mysql_num_rows($result) < 1)
{
    header("Location: notfound.html");
    exit;
}
else
{
    $row = mysql_fetch_array($result);
    $lastName = $row[0];

    session_start();

    if ($lastName == "Narburgh")
    {
        $_SESSION['auth'] = md5($lastName."admin");
        header("Location: Narburgh.php");
    }
    else
    {
        $_SESSION['lastName'] = $lastName;
        $_SESSION['auth'] = md5($lastName."project");
        header("Location: $lastName.php");
    }
    exit; // stop after the redirect header
}
?>

At the top of Client1.php:
PHP:
<?php
session_start();
// The original used || here, which is always true (auth can never equal both values),
// so every visitor was sent to notfound.html. Redirect only if it matches NEITHER token.
if (!isset($_SESSION['auth'])
    || ($_SESSION['auth'] != md5("Client1project") && $_SESSION['auth'] != md5("Narburghadmin")))
{
    header("Location: notfound.html");
    exit;
}
?>

Top of Narburgh.php:
PHP:
<?php
session_start();

if (!isset($_SESSION['auth']) || $_SESSION['auth'] != md5("Narburghadmin"))
{
    header("Location: notfound.html");
    exit;
}
?>

Top of Testing.php:
PHP:
<?php
session_start();
// Same fix as Client1.php: && instead of ||, otherwise the condition is always true
if (!isset($_SESSION['auth'])
    || ($_SESSION['auth'] != md5("Testingproject") && $_SESSION['auth'] != md5("Narburghadmin")))
{
    header("Location: notfound.html");
    exit;
}
?>

To see why I changed the code, check the WDF thread. I have MD5ed the passwords etc for security reasons.

So, if anyone has the time or helpful nature to read through the thread, see what's happened and try and help me solve this, I would really, really appreciate it.
•••
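On question 2 earlier in the thread (how to "encrypt" the passwords) and on the md5() version just above: stored passwords are not encrypted but hashed, and md5 is a poor choice for that because it is fast and unsalted, so two users with the same password get the same digest and precomputed tables recover common ones. PHP's `password_hash()` / `password_verify()` embed a per-user salt and a work factor. The following is an added example, not code from the thread; it assumes PHP 5.5 or later, a PDO connection in `$pdo`, and a `users` table whose `password` column holds either a legacy 32-hex md5 digest (as the post above stores) or a `password_hash()` string, so existing rows can be upgraded at their next successful login.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection in $pdo and a users
// table with columns username and password, where password holds either a legacy
// 32-hex md5 digest or a password_hash() string such as "$2y$10$...".
declare(strict_types=1);

// Registration / password change: store a salted, slow hash. Never md5($password).
function store_password(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt today; salt is embedded in $hash
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([$hash, $username]);
}

function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Login: verify the password, and transparently upgrade rows that still hold md5 digests.
// The thread's query compared "password = md5(...)" inside SQL with an interpolated
// username; here the username is bound and the comparison happens in PHP.
function verify_password(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    $stored = (string) $stored;

    if (is_legacy_md5($stored)) {
        // Constant-time compare of the unsalted legacy digest, then replace it with a real hash.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        store_password($pdo, $username, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Rehash if PASSWORD_DEFAULT or its cost has moved on since this hash was made.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_password($pdo, $username, $password);
    }
    return true;
}

// ---- usage in login.php ----
//   if (!verify_password($pdo, $_POST['username'], $_POST['password'])) {
//       header('Location: notfound.html'); exit;
//   }
```

Once every row has been upgraded the `is_legacy_md5()` branch can be removed; until then the plaintext password is only available at login time, which is why the rehash has to happen there.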
No-one can help? Surely someone on all of Namepros knows what's up? Namepros has never let me down yet!
•••
If you're trying to get authentication, I'm a master with authentication; I have written around 100 different authentication systems in PHP alone. Use the contact information in my profile if you would like some help.
•••
Had some other PHP gods over at a different forum help me out. Sorted now!
•••