
creating a login: problems

Posted: Thu May 24, 2007 7:44 am
by m2babaey
Hi
I read a tutorial and understood that if I want the article form available only to members, I should set up the form page like this:
(Also, I have created the user table in the "articles" database and registered as "promo" (username) and mypass (pass).)
Here is the code:

Code:

<?
session_start(); // start session.
?>
<!-- header tags, edit to match your own, or include template header file. -->
<html>
<head>
<title>Login</title>
<head>
<body>
<?
if(!isset($username) | !isset($password)) {
// escape from php mode.
?>
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
<p align="center">Members only. Please login to access this document.</p>
<table align="center" border="0">
 <tr>
  <th>
Username:
  </th>
  <th>
<input type="text" name="username">
  </th>
 </tr>
 <tr>
  <th>
Password:
  </th>
  <th>
<input type="password" name="password">
  </th>
 </tr>
 <tr>
  <th colspan="2" align="right">
<input type="submit" value="Login">
</form>
  </th>
 </tr>
</table>
</body>
</html>
<?
exit();
}

// If all is well so far.

session_register("username");
session_register("password"); // register username and password as session variables.

// Here you would check the supplied username and password against your database to see if they exist.
// For example, a MySQL Query, your method may differ.

$sql = mysql_query("SELECT password FROM user_table WHERE username = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);

if($numrows != "0" & $password == $fetch_em["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

// If the username exists and pass is correct, don't pop up the login code again.
// If info can't be found or verified....

if (!($valid_user))
{
session_unset();   // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?>
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
<p align="center">Incorrect login information, please try again. You must login to access this document.</p>
<table align="center" border="0">
 <tr>
  <th>
Username:
  </th>
  <th>
<input type="text" name="username">
  </th>
 </tr>
 <tr>
  <th>
Password:
  </th>
  <th>
<input type="password" name="password">
  </th>
 </tr>
 <tr>
  <th colspan="2" align="right">
<input type="submit" value="Login">
</form>
  </th>
 </tr>
</table>
</body>
</html>
<?
exit();
}
else if ($valid_user){
?>


<br>
<FORM action="sendarticle.php" method="post">

<p align=right>


   <br> <input type="text"  SIZE="35" MAXLENGTH="100" dir=rtl name="title">
<br><br>

<br><br> article:<br>
<textarea name="article" dir=rtl width=1000 height=2000 rows="15" cols="85">

</textarea>

<br><br>
<p align=center>
<input type="Submit" value="post article">

</form>
<?
}
?>
But when I want to load the form, it says:
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at g:\programs(2)\easyphp1-8\www\ha\postarticle.php:4) in g:\programs(2)\easyphp1-8\www\ha\postarticle.php on line 5

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at g:\programs(2)\easyphp1-8\www\ha\postarticle.php:4) in g:\programs(2)\easyphp1-8\www\ha\postarticle.php on line 5
(Line 5 is session_start(); // start session.)
Then it brings up the login form.

After I enter my user and pass, it says:
Forbidden
You don't have permission to access /ha/<br /><b>Notice</b>: Undefined variable: PHP_SELF in <b>g:\programs(2)\easyphp1-8\www\ha\postarticle.php</b> on line <b>17</b><br /><br /><b>Notice</b>: Undefined variable: QUERY_STRING in <b>g:\programs(2)\easyphp1-8\www\ha\postarticle.php</b> on line <b>17</b><br /> on this server.

Apache/1.3.33 Server at 127.0.0.1 Port 80

Why does this happen and how do I fix it? Thanks
(By the way, the tutorial was: http://www.evolt.org/article/comment/17 ... index.html)

Posted: Thu May 24, 2007 7:47 am
by feyd
"headers already sent" is the thing to search for. It's been talked about enough that you should have found the answer without needing to post. ;)

Posted: Thu May 24, 2007 8:32 am
by bdlang
BTW, session_register() is deprecated for the most part. Use the superglobal $_SESSION instead.

Posted: Fri May 25, 2007 12:36 am
by m2babaey
I searched and read the first 11 results, but nothing could help me. Maybe you can. Thanks :roll:

Posted: Fri May 25, 2007 1:08 am
by bdlang
  • The error message shows the call to session_start() as line #5, although your code shows it as being the first line past the opening tag. If there is anything output, even a blank space, tab, etc above session_start() you'll get the infamous "headers already sent" error. You must have something up above this that's causing it to fail.
  • Your script relies on register_globals, which has been turned off by default (for good reason) for several versions now.
  • Keeping this in mind, you're getting NOTICE error(s) because the variables you're trying to access ($PHP_SELF for one) don't exist. You need to use $_SERVER['PHP_SELF']. This is also why your login fails: you need to access the username and password values with $_POST['username'] and $_POST['password'], respectively.
PHP Manual : session_start() | variables | predefined variables

Posted: Sat May 26, 2007 9:50 am
by m2babaey
Hi
Please have a quick look at the code below, which I got from php.about.com.
What should be in the []s in $username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site']; ?
Also, are there any security holes in it, and what are they?
Lastly, it seems that I don't need to use sessions for my website, since I just need members to access the article form and their statistics. Right?
Thanks

Code:

<?php
// Connects to your Database
mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directs you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: members.php");

}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('You did not fill in a required field.');
}
// checks it against the database

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.
<a href=add.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('Incorrect password, please try again.');
}
else
{

// if login is ok then we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie('ID_my_site', $_POST['username'], $hour);
setcookie('Key_my_site', $_POST['pass'], $hour);

//then redirect them to the members area
header("Location: members.php");
}
}
}
else
{

// if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}

?>
and member.php:

Code:

<?php
// Connects to your Database
mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

//checks cookies to make sure they are logged in
if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

//if the cookie has the wrong password, they are taken to the login page
if ($pass != $info['password'])
{ header("Location: login.php");
}

//otherwise they are shown the admin area
else
{
echo "Admin Area<p>";
echo "Your Content<p>";
echo "<a href=logout.php>Logout</a>";
}
}
}
else

//if the cookie does not exist, they are taken to the login screen
{
header("Location: login.php");
}
?>
:roll:

Posted: Sat May 26, 2007 11:25 am
by bdlang
m2babaey wrote: what should be in the []s in $username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site']; ?
That data is set in the script you've shown, look at the two calls to setcookie() in the first script. It appears to be the username and password used when the user posted the login form.
m2babaey wrote: Also, are there any security holes in it, and what are they?
Definitely. Storing a user's password in the cookie, even in a hashed state, is a big issue. Pair that with the username as you've done and anyone that has access to that user's cookies (with a malicious XSS script for example) can potentially log in as that user. Doing the same in session data is just as vulnerable; anyone that has access to your host can get those values as well. Just don't do it.

My recommendation: set the user's ID value along with a hashed token and maybe a timestamp when they last logged in as session data and optionally cookie data. Don't use the username or password!!

Also, the script is using MD5 to hash the password in the database; use SHA1 or a stronger algorithm to hash the password and store that value. feyd has an excellent SHA256 class on this site. This would also likely require changing the dimension of the table's `password` column, as these other hash methods take up more characters (40 vs 32 for SHA1 -> MD5). I mention this only because MD5 is considered to be so weak I don't use it at all. Your application may not require anything other than MD5, it's just a thought.

m2babaey wrote: Lastly, it seems that I don't need to use sessions for my website, since I just need members to access the article form and their statistics. Right?
That's up to your application design. If it were me, I'd rely less on cookies and use session data to store the variables, using cookies if the user chose to do so. Cookies are not really a reliable way to save state across pages, as many users disallow them. Search this forum or Google for 'remember me cookie' (use quotes).
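
The points from bdlang's two replies combined into one login handler, as an added example that is not code from any poster in the thread: session_start() runs before any output, input is read from $_POST, and the session holds only the user's ID and a login timestamp. It assumes PHP 7+ with the pdo_sqlite extension and a hypothetical `users` table (id, username, password_hash); PDO and password_hash()/password_verify() are swapped in here for the mysql_* calls and the MD5/SHA1 hashing discussed above.

```php
<?php
// Added example, not code from the thread. Table and column names
// (users, id, username, password_hash) are assumptions.
declare(strict_types=1);

function verify_login(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function start_member_session(int $userId): void
{
    session_regenerate_id(true);      // fresh session ID once the user is authenticated
    $_SESSION['user_id']  = $userId;  // the ID only: no username, no password hash
    $_SESSION['login_at'] = time();
}

function is_member(int $maxAge = 3600): bool
{
    return isset($_SESSION['user_id'], $_SESSION['login_at'])
        && time() - $_SESSION['login_at'] < $maxAge;
}

// Constructed sample data: in-memory SQLite with one user, so the file runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['promo', password_hash('mypass', PASSWORD_DEFAULT)]);

session_start(); // no output (not even whitespace before <?php) has been sent yet

$user = $_POST['username'] ?? null; // read from $_POST, not register_globals variables
$pass = $_POST['password'] ?? null;
if (is_string($user) && is_string($pass)) {
    $id = verify_login($db, $user, $pass);
    if ($id !== null) {
        start_member_session($id);
    }
}

echo is_member() ? "member area\n" : "login form goes here\n";
```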