authentication

kurumi
Forum Newbie
Posts: 2
Joined: Sat Mar 06, 2004 6:07 pm

authentication

Post by kurumi »

I have just started studying PHP. I have a problem concerning authentication, like this: I have two files, "login.php" and "member.php". In login.php I use the "header" code to redirect the user to "member.php" if he gives the correct password. But the problem is that if the user knows that I have two files like this, he would come directly to "member.php" without completing the procedure in "login.php"! How can I solve this problem? I know I have to put some code at the head of member.php to connect it to login.php, but I don't know exactly how to do this. Can you help me?
1veedo
Forum Commoner
Posts: 31
Joined: Thu Feb 19, 2004 3:59 pm
Location: With my computer wherever that may be.
Contact:

Post by 1veedo »

First off, this doesn't go in General Discussion. I'd do it in the same file, but it looks like you're going to have to send hidden variables, like in forms. I can't help you past that.

<form action=".......php" method="post">
<input type="hidden" value="true" name="authentication">....
The problem [obviously] is that the user has to select go or continue. I'm sure there's a way to forward with JavaScript and include hidden values.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

One simple solution for PHP scripts which you don't want to be directly addressed is to put them in a directory protected with .htaccess:

Order deny,allow
deny from all

Better still, store them outside the web root altogether. PHP can include these scripts but you can't point a browser at them.

You must still check user privileges in scripts before granting access to restricted data. For example, sessions are commonly used to store user data set at login. You could add something in member.php to test for that.
sandrol76
Forum Newbie
Posts: 8
Joined: Mon Mar 01, 2004 3:25 am

Post by sandrol76 »

Well, there's another solution:
In login.php you set a session variable (through $_SESSION; look it up in the PHP reference, and look up the function session_start() too) as soon as the member enters the right username and password. Then, at the very top of member.php, you check if the session variable is set; if it is not, you redirect the user to login.php!
Ciao from Italy!
kurumi
Forum Newbie
Posts: 2
Joined: Sat Mar 06, 2004 6:07 pm

Post by kurumi »

sandrol76 wrote: then in member.php at the top of all you check if the session variable is set..
Thank you very much! But I wonder how I can check the cookies put in the session in login.php. Can you tell me more about this?
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

Perhaps something like this would suit ya fancy (using the session, I use cookies):

<?php
// Resume the session first; without this call $_SESSION is never populated.
session_start();
if (isset($_SESSION['user'])) {
    // show your page
} else {
    // show the login screen
}
?>
cj2000
Forum Newbie
Posts: 7
Joined: Wed Jul 23, 2003 8:01 am

Creating a check.php

Post by cj2000 »

Hi Kurumi,

I used to have the same problem as you. I am not sure how you code the authentication system but I would assume you have a Login ID, Login Pass and a file that stores these values.

What you can do is:

Step 1: Login.php

Asks the user to enter ID and Pass -> authenticate against the values stored in the password file. If the values match, start a session with 2 session variables (ID & Pass) and forward the user to member.php.

If authentication fails, do not start a session and return to login.php.

Step 2: check.php

Create a check.php that will check the 2 session variables against the file. If the check fails, forward the user to login.php.

Step 3: Include check.php

Use 'include check.php' in front of all the code of your protected pages. This way, the ID and pass of the user will always be checked whenever he enters a protected page. If the check fails, the user will be forwarded to login.php (nature of check.php) even before the rest of the code of the page is loaded. This will protect the page.

This works because of the nature of sessions. Session variables will only be destroyed when the browser is closed or manually destroyed by the user. So the users are only required to log in once. But the server will always check whenever a protected page is loaded.

I'm not sure if this has any other flaws but it has worked for me so far.

Regards
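
The login-then-check flow discussed in this thread, written out as an added example (not code from any of the posters): a session flag is set only after the password verifies, and every protected page calls a guard before producing output. The file name auth.php, the function names and the sample user are assumptions; unlike the steps above, this sketch keeps only the username in the session and calls exit after the redirect header so the rest of the protected page never runs.

```php
<?php
// auth.php -- added example; require it at the very top of login.php and of
// every protected page. File and function names are hypothetical.
declare(strict_types=1);

// Constructed sample user store: username => password hash. A real site
// would create each hash once with password_hash() and keep it in a file
// outside the web root or in a database.
function load_users(): array
{
    return ['kurumi' => password_hash('constructed-password', PASSWORD_DEFAULT)];
}

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// login.php calls this with the submitted form values.
function attempt_login(string $user, string $password): bool
{
    $users = load_users();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;                 // nothing is written to the session
    }
    start_session();
    session_regenerate_id(true);      // issue a fresh session ID after login
    $_SESSION['user'] = $user;        // store the username only, not the password
    return true;
}

// member.php (and every other protected page) calls this before any output.
function require_login(): string
{
    start_session();
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;                         // stop here, or the page below still runs
    }
    return $_SESSION['user'];
}

// Usage in member.php:
//   require __DIR__ . '/auth.php';
//   $user = require_login();
//   echo 'Welcome, ' . htmlspecialchars($user);
```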