Simple Authentication Systems

anotherphpnewb
Forum Newbie
Posts: 4
Joined: Mon Oct 18, 2004 9:08 pm

Simple Authentication Systems

Post by anotherphpnewb »

Hi all,

I just put up Apache, MySQL and PHP on my home server. The server is for my friends, family and me only. I don't want people from the net snooping around etcetera on my server. Below I've listed what I'm trying to do; any help would be greatly appreciated.

*/ A little more info first */
I currently have the website developed, and phpBB installed and running perfectly. At the moment the site is simply .html files with the exception of the forum.

I would like to create a login page that will keep the Internet out but allow my friends and family in. The login page should consist of user/pass text input boxes and a submit button. I only need 1 set of credentials, I will give the credentials to all my friends etcetera. So long as the credentials submitted are the right ones they get access to the site.

If someone comes to the site and tries to put in a valid url on the server without logging in they get shot back to the login page.

If they do login successfully they get access to the entire site.

I have tried using numerous examples I've found on the net but because I'm new to Apache/MySQL/PHP and all I haven't had any luck except with the code I'll post in a second.

The simple login I did get working could possibly do the trick if.....

When they successfully login a variable is set saying so and every page on the site checks the value of the variable. If it's set to true the page is loaded, else they get shot to the login page.

Thanks
anotherphpnewb
Forum Newbie
Posts: 4
Joined: Mon Oct 18, 2004 9:08 pm

Post by anotherphpnewb »

Here are the original scripts I found. If I named these scripts login.php and added some code to declare a variable to true when login is successful couldn't I add some code to the rest of my site's pages that would check the value of that variable? If the variable is false go to login.php else load page?

Thank you


<?php
// This starts the session
// After you are logged in, you can stay logged in by navigating to
// other pages on the same server with this at the top of the php page.
session_start();

// This is the username and password you login with, you can also use
// a database to get the username and match it up (later tutorial).
$_Username = "admin";
$_Password = "nimda";

// Escape the script path once before echoing it into HTML attributes;
// PHP_SELF can carry characters supplied in the request URL.
$_Self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

// If the form was submitted
if (isset($_POST['Submitted']) && $_POST['Submitted'] == "True") {

    // If the username and password match up, then continue...
    // (strict comparison avoids PHP's loose type juggling)
    if (isset($_POST['Username'], $_POST['Password'])
        && $_POST['Username'] === $_Username && $_POST['Password'] === $_Password) {

        // Username and password matched: issue a fresh session id, then set
        // them as logged in and set the Username to a session variable.
        session_regenerate_id(true);
        $_SESSION['Logged_In'] = "True";
        $_SESSION['Username'] = $_Username;
    }
}

// If they are NOT logged in then show the form to login...
if (!isset($_SESSION['Logged_In']) || $_SESSION['Logged_In'] != "True") {

    echo "<form method=\"post\" action=\"" . $_Self . "\">
        Username: <input type=\"text\" name=\"Username\"><br />
        Password: <input type=\"password\" name=\"Password\"><br />
        <input type=\"hidden\" name=\"Submitted\" value=\"True\">
        <input type=\"Submit\" name=\"Submit\">
    </form>";
}
else
{
    echo "You are logged in as: <b>" . htmlspecialchars($_SESSION['Username'], ENT_QUOTES) . "</b>
    <br /><a href=\"" . $_Self . "?mode=logout\">Logout</a>";
}

// If they want to logout then
if (isset($_GET['mode']) && $_GET['mode'] == "logout") {
    // The session was already started at the top of the script.

    // Empty the array that holds the session variables
    $_SESSION = array();

    // and finally destroy the session data on the server
    session_destroy();

    // Redirect to show results..
    echo "<META HTTP-EQUIV=\"refresh\" content=\"1; URL=" . $_Self . "\">";
}
?>
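
The per-page check asked about in the post above, as an added example that is not part of the original thread: a guard file that every protected .php page includes before sending any output. The file name auth_guard.php, the login path, the idle timeout and the Last_Seen session key are assumptions.

```php
<?php
// auth_guard.php (hypothetical name). Put this as the first line of every
// protected page:  require_once __DIR__ . '/auth_guard.php';

const LOGIN_PAGE = '/login.php';   // assumed location of the login script
const IDLE_LIMIT = 1800;           // assumed idle timeout, in seconds

// Decide from the session contents alone whether the visitor is logged in.
// Assumes login.php sets $_SESSION['Logged_In'] = "True" as in the post.
function is_logged_in(array $session, int $now): bool
{
    if (($session['Logged_In'] ?? '') !== 'True') {
        return false;
    }
    // login.php does not set Last_Seen, so a missing value counts as "now".
    $last = $session['Last_Seen'] ?? $now;
    return ($now - $last) <= IDLE_LIMIT;
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION, time())) {
        $_SESSION = array();                 // drop any stale login state
        header('Location: ' . LOGIN_PAGE, true, 302);
        exit;   // without exit the protected page would still be rendered
    }
    $_SESSION['Last_Seen'] = time();         // record activity for the timeout
}

require_login();
```

Apache serves static .html files without running PHP, so this guard protects only the pages that include it.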
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I usually do all this through htaccess:

Apache 1.3: http://httpd.apache.org/docs/howto/auth.html
Apache 2.0: http://httpd.apache.org/docs-2.0/howto/auth.html


FYI: you can edit your posts.
anotherphpnewb
Forum Newbie
Posts: 4
Joined: Mon Oct 18, 2004 9:08 pm

Post by anotherphpnewb »

I made a simple login work on my site. When a user logs in it displays "You have logged in as: <username>". What I am trying to do now is have it also list all the users currently logged in. Something like "Other users currently logged in (if any) <username1>, <username2> etc..." But I can't get it to work.

When a user enters correct login credentials the following happens -
$_SESSION['Logged_In'] = "True";
$_SESSION['Username'] = $_UsernameA; (Or $_UsernameB, whichever user it was that logged in).

How can I create a string variable that will add $_Username to it as users log in?

Like $_CurrentlyLoggedIn = $_CurrentlyLoggedIn + $_Username
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Easier Said than done

Post by neophyte »

In order to do that you need to build a database table that stores information when people log in, or you need to write the information to a text file.
anotherphpnewb
Forum Newbie
Posts: 4
Joined: Mon Oct 18, 2004 9:08 pm

Post by anotherphpnewb »

Thank you.

How could I write to a text file?

Also, is what I'm doing at all secure?

When a connection is made to the web site they get login.php. If they try to skip to another page on the site or a directory without logging in they get sent back to login.php. If they did login though, a couple of .inc files are loaded from outside the web root.

Is this a dumb method or is it okay?
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

anotherphpnewb wrote: How could I write to a text file?

Well, you can start by looking here:
http://us2.php.net/manual/en/function.fwrite.php

anotherphpnewb wrote: Also, is what I'm doing at all secure?

Cookie/Sessions are a standard way of protecting directories. There are always more secure ways of doing it. But it's probably one of the most used. phpBB uses cookies and a database table to track who is logged in and who is not.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

fopen() is the general way to open and become able to write to a file. Although I'd use the database route, personally.

As for your logic, it sounds good.
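
The text-file route suggested in the replies above, as an added example that is not part of the original thread: each request records the user under an exclusive lock and drops entries that have gone quiet. The file path, the timeout and the function name are assumptions.

```php
<?php
// Constructed example: path and timeout are assumed values.
const ONLINE_FILE = '/var/lib/mysite/online_users.json'; // outside the web root
const ONLINE_TTL  = 300; // seconds without a request before a user is dropped

// Record $username as active at $now and return the active usernames.
function touch_online_user(string $file, string $username, int $now): array
{
    $fh = fopen($file, 'c+');           // create if missing, never truncate
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    try {
        flock($fh, LOCK_EX);            // serialize concurrent requests
        $users = json_decode(stream_get_contents($fh), true);
        if (!is_array($users)) {
            $users = array();           // empty or corrupt file: start over
        }
        $users[$username] = $now;
        // Sessions end silently when a browser closes, so expire by age.
        $users = array_filter($users, function ($seen) use ($now) {
            return is_int($seen) && ($now - $seen) <= ONLINE_TTL;
        });
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, json_encode($users));
        fflush($fh);
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
    return array_keys($users);
}

// Usage on a page that has already checked the login:
// $me     = $_SESSION['Username'];
// $others = array_diff(touch_online_user(ONLINE_FILE, $me, time()), array($me));
// echo htmlspecialchars(implode(', ', $others), ENT_QUOTES);
```

Keeping the file outside the web root stops Apache from serving the user list directly, and escaping on output matters once usernames come from more than one hard-coded account.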