7 Replies - 1158 Views - Last Post: 27 May 2008 - 06:42 AM

#1 morcomm

User Authentication

Posted 26 May 2008 - 01:06 AM

Hi,

I used this tutorial to create a login page http://www.13dots.co...showtopic=16156, but have a few questions.
When I navigate to a page in the folder that is not the login page, I can still view it. I don't want this, but would prefer the page to redirect me to the login page if I have not yet entered my details.
I think that I might be going wrong with this bit of code from the tutorial:
<?php
include("config.php");
$cookuser = $_COOKIE["cookuser"];
$cookpass = $_COOKIE["cookpass"];
$adminpass = md5($adminpass);
if($cookuser && $cookpass) {
	if(($cookuser == $adminuser) && ($cookpass == $adminpass)){
	echo("You have succesfully logged in! Please feel free to browse this secure admin page! To loggout go to <a href=logout.php>logout.php</a>");
	//Any protected stuff you want goes in here!
	}
	else{
	echo($incorrect_error_message);
	}
}
else{
echo($not_logged_in_message_error_message);
}
?> 


It is more than likely the place that says //Any protected stuff you want goes in here! that I am not understanding.

If anyone thinks this is not a good script to use and that there could be a better one, please let me know. I need to password protect a backend to a news system.


Replies To: User Authentication

#2 joeyadms

Re: User Authentication

Posted 26 May 2008 - 02:12 AM

Well, assuming config.php sets $adminuser and $adminpass, it seems like there is a flaw in authentication. $adminpass should already be md5, so you should change
$adminpass = md5($adminpass);
-to-
$cookpass = md5($cookpass);



I did not look at the url so I don't know, but that's how it should be.

As far as files in other folders, well, I'll give you my overview of this auth.

You shouldn't be storing usernames/passwords in cookies, it's insecure. Instead use sessions.
// config.php
$adminuser = "joey";
$adminpass = "asdjahdoasoid"; // MD5 of password

// Login.php
session_start();        // must run before $_SESSION is touched, and before any output
include("config.php");
$username = $_POST['username'];
$password = md5($_POST['password']);
if($username && $password){
  if($username == $adminuser && $password == $adminpass){ // == compares; a single = would assign and always succeed
    $_SESSION['authed'] = 1;
  } else {
    // show error message
  }
}
//Show login form



Then on other pages include this at the top of your secured pages.
session_start(); // the session must be started on this page too, before any output
if(!isset($_SESSION['authed'])){ header("Location: login.php"); exit; } // exit, or the protected page is still sent after the redirect header



For protecting directories though, you might want to look into .htaccess at server level; that would be a better solution.
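A session-based version of the scheme described in this reply, written here as an added example (it is not joeyadms's code). It assumes config.php lives outside the web root and defines $adminuser and $adminpass_hash, and it swaps md5() for PHP's password_hash()/password_verify(), which the thread does not mention:

```php
<?php
// auth.php: added example, not code from the thread. Assumes config.php defines
// $adminuser and $adminpass_hash, where the hash was made once with
//   password_hash('the password', PASSWORD_DEFAULT)
// and that config.php sits one level above the web root (hence dirname(__DIR__)).
require_once dirname(__DIR__) . '/private/config.php';

// Session cookie is not readable by JavaScript and is only sent over HTTPS
// (drop 'secure' only on a plain-HTTP test box, never on the live server).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Put "require 'auth.php'; require_login();" at the top of every protected page.
function require_login(): void
{
    if (empty($_SESSION['authed'])) {
        header('Location: login.php');
        exit; // without exit the rest of the page is still sent after the redirect header
    }
}

// Called from login.php with the submitted form fields; returns true on success.
function attempt_login(string $username, string $password): bool
{
    global $adminuser, $adminpass_hash;
    // Both checks are evaluated before deciding, and neither comparison stops
    // at the first differing byte, so a wrong name and a wrong password look alike.
    $user_ok = hash_equals($adminuser, $username);
    $pass_ok = password_verify($password, $adminpass_hash);
    if (!$user_ok || !$pass_ok) {
        return false;
    }
    session_regenerate_id(true); // fresh session id so a pre-login id cannot be reused
    $_SESSION['authed'] = 1;
    return true;
}

// logout.php: require 'auth.php'; logout(); header('Location: login.php'); exit;
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// login.php, after require 'auth.php':
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && attempt_login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: admin.php');
//     exit;
// }
// // otherwise show the login form
```

The guard pattern is the same as the one-liner above: the difference that matters for the original question is the exit after the redirect header, since without it the protected page body is still delivered.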

#3 morcomm

Re: User Authentication

Posted 26 May 2008 - 02:31 AM

OK, I am now confused. What is MD5, and how do I get a "MD5 of password"?

#4 joeyadms

Re: User Authentication

Posted 26 May 2008 - 03:13 AM

MD5 is a message digest; it is a type of hashing (a little insecure, though), used to keep passwords from being read in plaintext.

Say an attacker can read your config file: if your password was in plain text he would have it; if it were hashed, he would have to try to crack it first.

To get an MD5 of the password, just do this in PHP:
<?php
echo md5('password you want to use');
?>



#5 JBrace1990

Re: User Authentication

Posted 26 May 2008 - 09:37 AM

He's using cookies.... >.>

if(isset($_COOKIE['logged_in'])){
//show the page
}else{
header("Location: login.php");
exit; // stop here so the page body is not sent along with the redirect
}


You would need to set up a cookie named "logged_in" for the above to work...

#6 akozlik

Re: User Authentication

Posted 26 May 2008 - 03:49 PM

JBrace1990, on 26 May, 2008 - 09:37 AM, said:

He's using cookies.... >.>

if(isset($_COOKIE['logged_in'])){
//show the page
}else{
header("Location: login.php");
exit; // stop here so the page body is not sent along with the redirect
}


You would need to set up a cookie named "logged_in" for the above to work...



Hey I wrote a couple of tutorials on DIC that you might want to check out. They may help you. They are in the PHP Tutorials section. You can also reach them from here:

"To Session or To Cookie, That is the Question"
"Basic Login Script with PHP"

Those might help you get on your way. I'm also going to be writing one about hashing techniques soon, so look for that in the future.

#7 morcomm

Re: User Authentication

Posted 26 May 2008 - 11:04 PM

Thanks guys for your help. I am developing the webpage on a dedicated testing server that I have in the office and I spoke to my hosting company about what to do about protecting certain folders. They said all I have to do is tell them which folders I will need protected when I replicate the site to the live server, and they will set the htaccess for me.
I will look at the tutorials and have bookmarked this page because I would like to do this for a low-budget project that I will be working on in the near future.

#8 joeyadms

Re: User Authentication

Posted 27 May 2008 - 06:42 AM

That's good; just remember, you want security at the lowest level.

Say you only want to be able to edit files yourself, and no one should view them from the internet (like config files): you should keep these behind the wall (outside of your web root).

Or if you want to password protect a file/files, or a directory/directories, then Apache's htaccess will be your best bet; there is no beating that.

But if you want a hierarchy of control, like based on roles that each user has, and different parts of a site he/she can access, then using application-level authentication (PHP) would be your best bet.
