Log In Page
Posted: Wed Aug 09, 2006 5:03 am
by richo
What methods would I use for a simple log-in page?
- I don't need database action for multiple users, just one username and password.
- I understand I may need to use a simple if statement for username/password, but are there any extra things I need for security?
- Would I use a session cookie or something to stop people from bypassing the login page?
Any help much appreciated.
Richo
Posted: Wed Aug 09, 2006 10:04 am
by Luke
Couldn't you use HTTP authentication or do you actually need to create the interface?
Posted: Wed Aug 09, 2006 11:04 am
by richo
I need to create the interface. I know the HTML for the form, that's no problem, just a username and password text inputs.
I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.
Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
Posted: Wed Aug 09, 2006 1:28 pm
by Christopher
Do you understand how HTML forms work and how a PHP Form Controller works?
Posted: Thu Aug 10, 2006 3:08 am
by richo
Yes, I've done posts before and used the posted variable, also detecting if the form has been submitted.
Posted: Thu Aug 10, 2006 11:02 am
by Christopher
Do you want to do it OOP or procedural?
Posted: Thu Aug 10, 2006 6:35 pm
by wei
If you are using Apache as web server, a .htaccess file will be very suitable in this case.
Posted: Thu Aug 10, 2006 6:39 pm
by Luke
wei wrote: If you are using Apache as web server, a .htaccess file will be very suitable in this case.
We've already gone over that...
The Ninja Space Goat wrote: Couldn't you use HTTP authentication or do you actually need to create the interface?
richo wrote: I need to create the interface. I know the HTML for the form, that's no problem, just a username and password text inputs.
I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.
Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
Posted: Thu Aug 10, 2006 8:31 pm
by d3ad1ysp0rk
The Ninja Space Goat wrote: wei wrote: If you are using Apache as web server, a .htaccess file will be very suitable in this case.
We've already gone over that...
The Ninja Space Goat wrote: Couldn't you use HTTP authentication or do you actually need to create the interface?
richo wrote: I need to create the interface. I know the HTML for the form, that's no problem, just a username and password text inputs.
I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.
Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
Technically, you can use HTTP Authentication WITH an html form..
Posted: Thu Aug 10, 2006 9:08 pm
by Christopher
I posted the basics for a form controller here. We could expand that to do a login pretty easily with a few classes. If you see it step by step it will make sense.
Posted: Thu Aug 10, 2006 9:10 pm
by Weirdan
We could expand that to do a login pretty easily with a few classes
Or with no classes at all...

Posted: Thu Aug 10, 2006 9:17 pm
by Christopher
Weirdan wrote:Or with no classes at all...

Well at least some functions

otherwise you will end up with this, which is fine for one form, but provides zero code reuse -- so you end up hand coding if statements for every form. I guess if you like that kind of thing...
Posted: Fri Aug 11, 2006 5:51 am
by richo
I can't use OOP if that involves PHP 5 as my server is only compatible with 4.3 or something similar.
I just need a simple login/session methodology, I'm also interested in best practise security issues.
Posted: Fri Aug 11, 2006 2:20 pm
by Christopher
richo wrote: I can't use OOP if that involves PHP 5 as my server is only compatible with 4.3 or something similar.
I just need a simple login/session methodology, I'm also interested in best practise security issues.
You can use OOP fine in PHP4. Here is the code from a previous post modified slightly for login:
logintemplate.php
Code:
<h1>Log-in</h1>
<p>Please enter your username and password and click Login.</p>
<span style="color:red"><?php echo implode('', $errors); ?></span>
<!-- post back to login.php, the script that includes this template -->
<form action="login.php" method="post">
    <input type="hidden" name="submit" value="yes"/> <!-- use hidden so Enter works in IE -->
    <input type="text" name="username" value=""/>
    <br/>
    <!-- type="password" so the browser masks the value as it is typed -->
    <input type="password" name="password" value=""/>
    <br/>
    <input type="submit" name="login" value="Login"/>
    <br/>
</form>
So the PHP code would look something like this:
login.php
Code:
<?php
$errors = array();
// only do login check if form has been submitted
if (isset($_POST['submit'])) {
    // filter the values from the form to allow only letters and numbers (add any other characters you want to allow)
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);
    // check the name based on some rules and set errors if there are problems
    if ($username == '') {
        $errors[] = 'Please enter a username. ';
    }
    if ($password == '') {
        $errors[] = 'Please enter a password. ';
    }
    if (! $errors) {
        // check if username/password are valid here
        // this could also easily be a database lookup
        // use === : with ==, PHP compares numeric strings as numbers, so '01234567' would match '1234567'
        if (($username === 'abcdefg') && ($password === '1234567')) {
            session_start();
            $_SESSION['User']['isvalid'] = 1;
            $_SESSION['User']['username'] = $username;
            // write and close the session before redirect
            session_write_close();
            // redirect to another page if all required fields are acceptable
            header('Location: http://www.mysite.com/mynextpage.php');
            exit(); // no more output
        } else {
            $errors[] = 'Invalid username and password. ';
        }
    }
}
// show the form if there are errors
include 'logintemplate.php';
I have not run this code so it probably has errors. See if you can get it to work. We still need to add Log-out functionality and the Access Control code that you would include in protected pages.
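The access-control and log-out pieces mentioned at the end of the post above, as an added example that is not part of the original thread or of Christopher's code. It relies on the $_SESSION['User']['isvalid'] flag that login.php sets; the file name auth.php and all function names are hypothetical.

```php
<?php
// auth.php (hypothetical name): include at the top of every protected page,
// before any output, so the session cookie and redirect headers can be sent.
// If login.php includes this file too, drop its own session_start() call.
session_start();

// Call from login.php once the username/password check has passed.
function mark_logged_in($username)
{
    // Issue a new session id at the privilege change, so an id planted
    // before login (session fixation) is useless afterwards.
    session_regenerate_id(true); // the "true" argument needs PHP 5.1+
    $_SESSION['User'] = array('isvalid' => 1, 'username' => $username);
}

// True only when login.php stored the flag in the server-side session.
function is_logged_in()
{
    return isset($_SESSION['User']['isvalid'])
        && $_SESSION['User']['isvalid'] === 1;
}

// Access control: send anyone without a valid session to the login form.
function require_login($loginUrl)
{
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl);
        exit(); // without this the rest of the protected page would still be sent
    }
}

// Log-out: clear the data, expire the cookie, destroy the server-side record.
function logout()
{
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure']);
    }
    session_destroy();
}

// In a protected page (the URL is a placeholder):
// require_login('login.php');
```

The login flag lives only in the server-side session, so requesting a protected page directly without first passing login.php ends at the redirect in require_login().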
Posted: Fri Aug 11, 2006 2:42 pm
by richo
That looks fantastic arborint, many thanks. I guess I need to look up OOP, I didn't realise that kind of stuff was.
All the code makes sense to me other than the:
Code:
preg_replace('/[^a-zA-Z0-9]/', '',
I can see what it's doing, just don't really understand what's going on in the syntax.
I'll try the page out and let you know if it works.
Thanks.