Welcome to Dream.In.Code
User Authentication

 

morcomm
post 26 May, 2008 - 12:06 AM
Post #1


Hi,

I used this tutorial to create a login page http://www.13dots.com/forum/index.php?showtopic=16156, but have a few questions.
When I navigate to a page in the folder that is not the login page, I can still view it. I don't want this, but would prefer the page to redirect me to the login page if I have not yet entered my details.
I think that I might be going wrong with this bit of code from the tutorial:
CODE
<?php
// config.php is expected to define $adminuser, $adminpass and the two message strings
include("config.php");
$cookuser = isset($_COOKIE["cookuser"]) ? $_COOKIE["cookuser"] : "";
$cookpass = isset($_COOKIE["cookpass"]) ? $_COOKIE["cookpass"] : "";
$adminpass = md5($adminpass);
if($cookuser && $cookpass) {
    if(($cookuser == $adminuser) && ($cookpass == $adminpass)){
        echo("You have successfully logged in! Please feel free to browse this secure admin page! To logout go to <a href=logout.php>logout.php</a>");
        //Any protected stuff you want goes in here!
    }
    else{
        echo($incorrect_error_message);
    }
}
else{
    echo($not_logged_in_message_error_message);
}
?>


It is more than likely the place that says //Any protected stuff you want goes in here! that I am not understanding.

If anyone thinks this is not a good script to use and that there could be a better one, please let me know. I need to password protect a backend to a news system.

joeyadms
post 26 May, 2008 - 01:12 AM
Post #2


Well, assuming config.php sets $adminuser and $adminpass, it seems like there is a flaw in authentication. $adminpass should already be MD5, so you should change
CODE

$adminpass = md5($adminpass);
-to-
$cookpass = md5($cookpass);


I did not look at the URL so I don't know, but that's how it should be.

As far as files in other folders go, well, I'll give you my overview of this auth.

You shouldn't be storing usernames/passwords in cookies, it's insecure. Instead use sessions.
CODE

<?php
// config.php
$adminuser = "joey";
$adminpass = "asdjahdoasoid"; // MD5 of password

// Login.php
session_start();                 // must run before $_SESSION is written
include("config.php");
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? md5($_POST['password']) : '';
if($username && $password){
  if($username == $adminuser && $password == $adminpass){   // == (compare), not = (assign)
     $_SESSION['authed'] = 1;
  } else {
    // show error message
  }
}
//Show login form


Then on other pages include this at the top of your secured pages.
CODE

<?php
session_start();  // needed before $_SESSION can be read
if(!isset($_SESSION['authed'])){ header("Location: login.php"); exit; }  // exit, or the rest of the page is still sent


For protecting directories, though, you might want to look into .htaccess at the server level; that would be a better solution.
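Added example (mine, not code from any post in this thread): the session-based login the reply above sketches, written out with the comparison bugs fixed (`==` instead of `=`, the missing brace, `session_start()`, and an `exit` after the redirect). It assumes a hypothetical config.php kept outside the web root that defines `$adminuser` and `$adminhash`, where `$adminhash` is a `password_hash()` value rather than the MD5 digest the thread uses; that substitution, the file names and `dirname(__DIR__)` are my assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a hypothetical config.php one
// level above the web root, containing:
//
//   <?php
//   $adminuser = 'joey';
//   $adminhash = '$2y$10$...';   // password_hash('the real password', PASSWORD_DEFAULT)

// ---- auth.php: require_once'd by login.php and by every protected page ----

function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['authed'])) {
        header('Location: ' . $loginUrl);
        exit;   // without this the rest of the protected page is still sent
    }
}

function try_login(array $post, string $adminuser, string $adminhash): bool
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || $password === '') {
        return false;
    }
    // Evaluate both checks unconditionally so a wrong username costs the same
    // time as a wrong password; password_verify() reads the salt and cost out
    // of the stored hash and compares in constant time.
    $userOk = hash_equals($adminuser, $username);
    $passOk = password_verify($password, $adminhash);
    if (!$userOk || !$passOk) {
        return false;
    }
    // Fresh session id on login, so an id planted before login (fixation) is useless.
    session_regenerate_id(true);
    $_SESSION['authed'] = 1;
    $_SESSION['user']   = $username;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// ---- login.php ----
if (PHP_SAPI !== 'cli') {                       // skip when run from the command line
    session_start();
    require dirname(__DIR__) . '/config.php';   // hypothetical: one level above the web root
    $error = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        if (try_login($_POST, $adminuser, $adminhash)) {
            header('Location: admin.php');
            exit;
        }
        $error = 'Incorrect username or password.';   // same text for both failures
    }
    // ... render the login form here, showing $error when set ...
}

// ---- admin.php (and every other protected page) ----
//   require_once __DIR__ . '/auth.php';
//   require_login();          // redirects to login.php if not authenticated
//   // protected content goes here
```

The one error message for both a bad username and a bad password, and computing both checks before deciding, keep the login form from confirming which admin username exists; `session_regenerate_id(true)` after a successful login is what stops a session id handed to the victim before login from being reused by the attacker.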

morcomm
post 26 May, 2008 - 01:31 AM
Post #3


OK, I am now confused. What is MD5, and how do I get an "MD5 of password"?

joeyadms
post 26 May, 2008 - 02:13 AM
Post #4


MD5 is a message digest; it is a type of hashing (a little insecure though), used to keep passwords from being read in plaintext.

Say an attacker can read your config file: if your password was in plain text he would have it; if it were hashed, he would have to try to crack it first.

To get an MD5 of the password, just do this in PHP:
CODE

<?php
echo md5('password you want to use'); // prints the 32-character hex digest to put in config.php
?>
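Added example (mine, not from any post in this thread) showing the "he would have to try to crack it first" step the reply above mentions, run against a constructed MD5 digest, and the same password stored with `password_hash()` for comparison. The password and the five-word list are made up; real wordlists run to millions of entries.

```php
<?php
// Added example, not code from the thread. The password 'letmein' and the
// wordlist below are constructed for the demonstration.

// What the post's "echo md5(...)" script would have written into config.php.
$adminpass = md5('letmein');

// An attacker computes these once and reuses them against every config file
// he can read, because md5() has no salt: same input, same digest, everywhere.
$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'admin'];

function crack_md5(string $digest, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (hash_equals($digest, md5($candidate))) {   // one cheap md5() per guess
            return $candidate;
        }
    }
    return null;
}

function crack_bcrypt(string $hash, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (password_verify($candidate, $hash)) {      // one slow bcrypt per guess
            return $candidate;
        }
    }
    return null;
}

printf("config.php digest : %s\n", $adminpass);
printf("md5 wordlist hit  : %s\n", crack_md5($adminpass, $wordlist) ?? 'none');

// password_hash() embeds a random salt and a cost factor in its output, so the
// same password gives a different string every time and a precomputed table
// is useless; password_verify() still works because it reads the salt back out.
$h1 = password_hash('letmein', PASSWORD_DEFAULT);
$h2 = password_hash('letmein', PASSWORD_DEFAULT);
printf("bcrypt hash #1    : %s\n", $h1);
printf("bcrypt hash #2    : %s\n", $h2);
printf("two hashes differ : %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("verify('letmein') : %s\n", password_verify('letmein', $h1) ? 'ok' : 'fail');

// The attacker can still guess, but now pays the full bcrypt cost per candidate.
$t = microtime(true);
$hit = crack_bcrypt($h1, $wordlist);
printf("bcrypt wordlist hit: %s after %.3f s for %d guesses\n",
       $hit ?? 'none', microtime(true) - $t, count($wordlist));
```

Run it from the command line with `php`. The MD5 lookup is instant and would be just as instant against a table of millions of digests; the bcrypt loop takes a visible fraction of a second for five guesses, which is the whole point of a salted, deliberately slow password hash.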

JBrace1990
post 26 May, 2008 - 08:37 AM
Post #5


he's using cookies.... >.>

CODE
if(isset($_COOKIE['logged_in'])){
//show the page
}else{
header("Location: login.php");
exit; // stop here, or the page below is still sent after the redirect header
}


you would need to set up a cookie named "logged_in" for the above to work...

akozlik
post 26 May, 2008 - 02:49 PM
Post #6


QUOTE(JBrace1990 @ 26 May, 2008 - 09:37 AM) *

he's using cookies.... >.>

CODE
if(isset($_COOKIE['logged_in'])){
//show the page
}else{
header("Location: login.php");
exit; // stop here, or the page below is still sent after the redirect header
}


you would need to set up a cookie named "logged_in" for the above to work...



Hey I wrote a couple of tutorials on DIC that you might want to check out. They may help you. They are in the PHP Tutorials section. You can also reach them from here:

"To Session or To Cookie, That is the Question"
"Basic Login Script with PHP"

Those might help you get on your way. I'm also going to be writing one about hashing techniques soon, so look for that in the future.

morcomm
post 26 May, 2008 - 10:04 PM
Post #7


Thanks guys for your help. I am developing the webpage on a dedicated testing server that I have in the office and I spoke to my hosting company about what to do about protecting certain folders. They said all I have to do is tell them which folders I will need protected when I replicate the site to the live server, and they will set the htaccess for me.
I will look at the tutorials and have bookmarked this page because I would like to do this for a low-budget project that I will be working on in the near future.

joeyadms
post 27 May, 2008 - 05:42 AM
Post #8


That's good; just remember, you want security at the lowest level.

Say you only want yourself to be able to edit files, and no one should view them from the internet (like config files): you should keep these behind the wall (outside of your web root).

Or if you want to password protect a file/files, or a directory/directories, then Apache's htaccess will be your best bet; there is no beating that.

But if you want a hierarchy of control, like based on roles that each user has and the different parts of a site he/she can access, then using application-level authentication (PHP) would be your best bet.
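Added example (mine, not from any post in this thread) of the role-based "hierarchy of control" the post above contrasts with htaccess, done at the application level in PHP, plus loading config.php from outside the web root. The role names, the file paths, and the idea that config.php returns an array are all my own assumptions.

```php
<?php
// Added example, not code from the thread. Roles, paths and the config layout
// are assumptions made for the demonstration.

// Roles from least to most privileged; a higher rank implies every lower one.
const ROLE_RANK = ['viewer' => 1, 'editor' => 2, 'admin' => 3];

function role_allows(string $have, string $need): bool
{
    // Unknown roles on either side never pass: deny by default.
    return isset(ROLE_RANK[$have], ROLE_RANK[$need])
        && ROLE_RANK[$have] >= ROLE_RANK[$need];
}

// Gate for protected pages: redirect anonymous users to the login form,
// answer 403 to users who are logged in but lack the role.
function require_role(string $need, string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $have = $_SESSION['role'] ?? null;      // set by login.php after a successful login
    if ($have === null) {
        header('Location: ' . $loginUrl);
        exit;
    }
    if (!role_allows($have, $need)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// "Behind the wall": with DocumentRoot /var/www/html, /var/www/config.php can be
// included by PHP but no URL maps to it, so a misconfigured server can never
// serve its contents as text.
function load_config(): array
{
    $path = dirname($_SERVER['DOCUMENT_ROOT'] ?? __DIR__) . '/config.php';   // hypothetical
    if (!is_file($path)) {
        throw new RuntimeException("config.php not found at $path");
    }
    return require $path;    // config.php ends with: return ['users' => [...], ...];
}

// Per-page usage (one line at the top of each file in the news backend):
//   news/index.php     : require_role('viewer');
//   news/edit.php      : require_role('editor');   // viewers get a 403 here
//   news/settings.php  : require_role('admin');
```

The two failure paths are deliberately different: no session at all means "go and log in", while a valid session with too low a role gets a 403 and no redirect, so a logged-in viewer probing edit.php learns only that the page exists, not how to reach it. The `isset()` in `role_allows()` is what keeps a typo or a stale role value from accidentally granting access.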
