authentication

Posted: Sat Mar 06, 2004 6:07 pm
by kurumi
I have just started studying PHP. I have a problem concerning authentication like this! I have two files, "login.php" and "member.php". In login.php I use the code "header" to redirect the user to "member.php" if he gives the correct password! But the problem is that if the user knows that I have two files like this, he would come directly to "member.php" without completing the procedure in "login.php"! How can I solve this problem? I know I have to put some code in the head of member.php to connect to login.php, but I don't know exactly about this! Can you help me?

Posted: Sat Mar 06, 2004 6:21 pm
by 1veedo
First off, this doesn't go in General Discussion. I'd do it in the same file, but it looks like you're going to have to send hidden variables - like in forms. I can't help you past that.

Code:

<form action=".......php" method="post">
<input type="hidden" value="true" name="authentication">....
The problem [obviously] is that the user has to select go or continue. I'm sure there's a way to forward with JavaScript and include hidden values.

Posted: Sun Mar 07, 2004 3:49 am
by McGruff
One simple solution for PHP scripts which you don't want to be directly addressed is to put them in a directory protected with .htaccess:

Order deny,allow
deny from all

Better still, store them outside the web root altogether. PHP can include these scripts but you can't point a browser at them.

You must still check user privileges in scripts before granting access to restricted data. For example, sessions are commonly used to store user data set at login. You could add something in member.php to test for that.

Posted: Sun Mar 07, 2004 5:15 am
by sandrol76
Well there's another solution:
In login.php you set a session variable (through $_SESSION; look it up in the PHP reference, and look up the function session_start() too) as soon as the member inserts the right username and password. Then in member.php, at the top of all, you check if the session variable is set; if it is not, you redirect the user to login.php!
Ciao from Italy!

Posted: Sun Mar 07, 2004 7:41 am
by kurumi
sandrol76 wrote: then in member.php at the top of all you check if the session variable is set..
Thank you very much! But I wonder how I can check the cookies put in the session in login.php. Can you tell me more about this?

Posted: Sun Mar 07, 2004 8:39 am
by tim
Perhaps something like this would suit ya fancy (using the session, I use cookies):

Code:

<?php
// The session must be started before $_SESSION can be read
session_start();

if (isset($_SESSION['user'])) {
    // show your page
} else {
    // show the login screen
}
?>

Creating a check.php

Posted: Mon Mar 08, 2004 12:18 pm
by cj2000
Hi Kurumi,

I used to have the same problem as you. I am not sure how you code the authentication system but I would assume you have a Login ID, Login Pass and a file that stores these values.

What you can do is:

Step 1: Login.php

Asks user to enter ID and Pass -> authenticate against the values stored in the password file. If values match, start session with 2 session variables (ID & Pass) and forward the user to member.php.

If authentication fails, do not start session and return to login.php.

Step 2: check.php

Create a check.php that will check the 2 session variables against the file. If the check fails, forward the user to login.php.

Step 3: Include check.php

Use 'include check.php' in front of all the code of your protected pages. This way, the ID and pass of the user will always be checked whenever he enters a protected page. If the check fails, the user will be forwarded to login.php (nature of check.php) even before the rest of the code of the page is loaded. This will protect the page.

This works because of the nature of sessions. Session variables will only be destroyed when the browser is closed or manually destroyed by the user. So the users are only required to log in once. But the server will always check whenever a protected page is loaded.

I'm not sure if this has any other flaws but it has worked for me so far.

Regards
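
The login.php / check.php / protected-page flow discussed in this thread, as an added example that is not code from any of the posters. The file name auth.php, the function names and the sample account are assumptions; unlike the steps above it keeps only the user name in the session rather than the ID and password, and verifies the password once at login.

```php
<?php
// auth.php (hypothetical file name): included by login.php and member.php.
// Keep it outside the web root or in the .htaccess-protected directory.

session_start();   // must run before any output and before $_SESSION is read

// Constructed sample account store: user name => password_hash() output.
// A real site would load this from its own password file or database.
function load_users(): array
{
    return ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];
}

// Called from login.php with the submitted form values.
function attempt_login(string $user, string $pass): bool
{
    $users = load_users();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;                 // nothing is written to the session on failure
    }
    session_regenerate_id(true);      // fresh session ID after login (anti-fixation)
    $_SESSION['user'] = $user;        // store the identity only, never the password
    return true;
}

// Called at the very top of member.php and every other protected page.
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;                         // without exit the protected page would still run
    }
}

// login.php (calling side):
//   require 'auth.php';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && attempt_login((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
//       header('Location: member.php');
//       exit;
//   }
//   // ...otherwise show the login form again
//
// member.php:
//   require 'auth.php';
//   require_login();
//   echo 'Welcome, ' . htmlspecialchars($_SESSION['user']);
```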