
Log In Page

Posted: Wed Aug 09, 2006 5:03 am
by richo
What methods would I use for a simple log-in page?

- I don't need database action for multiple users, just one username and password.
- I understand I may need to use a simple if statement for username/password, but are there any extra things I need for security?
- Would I use a session cookie or something to stop people from bypassing the login page?

Any help much appreciated.

Richo

Posted: Wed Aug 09, 2006 10:04 am
by Luke
Couldn't you use HTTP authentication, or do you actually need to create the interface?

Posted: Wed Aug 09, 2006 11:04 am
by richo
I need to create the interface. I know the HTML for the form, that's no problem, just username and password text inputs.

I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.

Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.

Posted: Wed Aug 09, 2006 1:28 pm
by Christopher
Do you understand how HTML forms work and how a PHP Form Controller works?

Posted: Thu Aug 10, 2006 3:08 am
by richo
Yes, I've done posts before and using the posted variable, also detecting if the form has been submitted.

Posted: Thu Aug 10, 2006 11:02 am
by Christopher
Do you want to do it OOP or procedural?

Posted: Thu Aug 10, 2006 6:35 pm
by wei
If you are using Apache as the web server, a .htaccess file will be very suitable in this case.

Posted: Thu Aug 10, 2006 6:39 pm
by Luke
wei wrote: If you are using Apache as the web server, a .htaccess file will be very suitable in this case.
We've already gone over that...
The Ninja Space Goat wrote: Couldn't you use HTTP authentication, or do you actually need to create the interface?
richo wrote: I need to create the interface. I know the HTML for the form, that's no problem, just username and password text inputs.

I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.

Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.

Posted: Thu Aug 10, 2006 8:31 pm
by d3ad1ysp0rk
The Ninja Space Goat wrote:
wei wrote: If you are using Apache as the web server, a .htaccess file will be very suitable in this case.
We've already gone over that...
The Ninja Space Goat wrote: Couldn't you use HTTP authentication, or do you actually need to create the interface?
richo wrote: I need to create the interface. I know the HTML for the form, that's no problem, just username and password text inputs.

I just don't know the techniques involved with the security and the session action to stop people bypassing the login page.

Links to any useful tutorials would also be helpful. When I search I seem to always find ones that are based on databases, which I don't need.
Technically, you can use HTTP Authentication WITH an HTML form..

Posted: Thu Aug 10, 2006 9:08 pm
by Christopher
I posted the basics for a form controller here. We could expand that to do a login pretty easily with a few classes. If you see it step by step it will make sense.

Posted: Thu Aug 10, 2006 9:10 pm
by Weirdan
We could expand that to do a login pretty easily with a few classes
Or with no classes at all...

Posted: Thu Aug 10, 2006 9:17 pm
by Christopher
Weirdan wrote: Or with no classes at all...
Well at least some functions ;) otherwise you will end up with this which is fine for one form, but provides zero code reuse -- so you end up hand coding if statements for every form. I guess if you like that kind of thing...

Posted: Fri Aug 11, 2006 5:51 am
by richo
I can't use OOP if that involves PHP 5, as my server is only compatible with 4.3 or something similar.

I just need a simple login/session methodology. I'm also interested in best practise security issues.

Posted: Fri Aug 11, 2006 2:20 pm
by Christopher
richo wrote: I can't use OOP if that involves PHP 5, as my server is only compatible with 4.3 or something similar.

I just need a simple login/session methodology. I'm also interested in best practise security issues.
You can use OOP fine in PHP4. Here is the code from a previous post modified slightly for login:

logintemplate.php

```php
<h1>Log-in</h1>
<p>Please enter your username and password and click Login.</p>
<span style="color:red"><?php echo implode('', $errors); ?></span>
<!-- post back to login.php, the script that includes this template -->
<form action="login.php" method="post">
<input type="hidden" name="submit" value="yes"/>     <!-- use hidden so Enter works in IE -->
<input type="text" name="username" value=""/>
<br/>
<!-- type="password" so the browser masks the value while it is typed -->
<input type="password" name="password" value=""/>
<br/>
<input type="submit" name="login" value="Login"/>
<br/>
</form>
```
So the PHP code would look something like this:

login.php

```php
<?php
$errors = array();

// only do login check if form has been submitted
if (isset($_POST['submit'])) {

    // filter the values from the form to allow only letters and numbers (add any other characters you want to allow)
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);

    // check the name based on some rules and set errors if there are problems
    if ($username == '') {
        $errors[] = 'Please enter a username. ';
    }
    if ($password == '') {
        $errors[] = 'Please enter a password. ';
    }

    if (! $errors) {
        // check if username/password are valid here
        // this could also easily be a database lookup
        // === compares as strings; == compares numeric strings as numbers,
        // so '01234567' would be accepted for '1234567'
        if ($username === 'abcdefg' && $password === '1234567') {
            session_start();

            $_SESSION['User']['isvalid'] = 1;
            $_SESSION['User']['username'] = $username;

            // write and close the session before redirect
            session_write_close();

            // redirect to another page if all required fields are acceptable
            header('Location: http://www.mysite.com/mynextpage.php');

            exit();    // no more output

        } else {
            $errors[] = 'Invalid username and password. ';
        }
    }

}
// show the form if there are errors
include 'logintemplate.php';
```
I have not run this code so it probably has errors. See if you can get it to work. We still need to add Log-out functionality and the Access Control code that you would include in protected pages.
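
The log-out and access-control pieces mentioned above, as an added example that is not part of the original post or the poster's code. It reuses the `$_SESSION['User']` keys from login.php; the file name `auth.php`, the function names and the `$login_url` parameter are assumptions made for illustration.

```php
<?php
// auth.php (hypothetical file name) -- added example, not code from the thread.
// Relies on the $_SESSION['User'] keys that login.php sets.

function start_session_once()
{
    if (session_id() == '') {      // avoid a second session_start() in one request
        session_start();
    }
}

// Call in login.php after the username/password check succeeds.
function mark_logged_in($username)
{
    start_session_once();
    session_regenerate_id();       // fresh session id at login (PHP >= 4.3.2), guards against session fixation
    $_SESSION['User']['isvalid'] = 1;
    $_SESSION['User']['username'] = $username;
}

// Call at the very top of every protected page, before any output.
function require_login($login_url)
{
    start_session_once();
    if (empty($_SESSION['User']['isvalid'])) {
        header('Location: ' . $login_url);
        exit();                    // without exit() the protected page would still be sent
    }
}

// Call from a log-out page.
function logout($login_url)
{
    start_session_once();
    $_SESSION = array();           // clear the login flag and username
    if (isset($_COOKIE[session_name()])) {
        // expire the session cookie in the browser as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain']);
    }
    session_destroy();             // delete the server-side session data
    header('Location: ' . $login_url);
    exit();
}
```

A protected page starts with `require 'auth.php';` followed by a call to `require_login()` with the login page's URL, so the check runs on every request rather than only on the login page.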

Posted: Fri Aug 11, 2006 2:42 pm
by richo
That looks fantastic arborint, many thanks. I guess I need to look up OOP, I didn't realise that kind of stuff was.

All the code makes sense to me other than the:

```php
preg_replace('/[^a-zA-Z0-9]/', '',
```

I can see what it's doing, just don't really understand what's going on in the syntax.


I'll try the page out and let you know if it works.

thanks.
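
The pattern asked about above, unpacked as an added example (not code from the thread): `[^a-zA-Z0-9]` is a negated character class, so `preg_replace` deletes every character that is not a letter or digit. The function names are hypothetical and the sample inputs are constructed; `is_allowed()` is an alternative shown for comparison, not something the thread proposes.

```php
<?php
// Added illustration; function names are hypothetical, inputs are constructed.

// Same call as in login.php.
//   /  ...  /    pattern delimiters
//   [  ...  ]    character class: matches one character from the set
//   ^            as the first character inside [], negates the set
//   a-z A-Z 0-9  ranges of allowed characters
// Every match (a character outside the ranges) is replaced with ''.
function strip_filter($value)
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $value);
}

// Alternative: accept the value only if it is made up entirely of allowed
// characters, instead of silently rewriting it. \z anchors at the true end
// of the string, so a trailing newline is rejected too.
function is_allowed($value)
{
    return preg_match('/^[a-zA-Z0-9]+\z/', $value) === 1;
}

$samples = array('abcdefg', 'abc-defg', 'abc<b>defg', '12 34 567');
foreach ($samples as $s) {
    printf("%-12s stripped: %-12s allowed: %s\n",
        $s, strip_filter($s), is_allowed($s) ? 'yes' : 'no');
}
```

Because stripping rewrites the input before the comparison, a value such as `abc-defg` becomes `abcdefg` and would pass the check in login.php; rejecting input that fails `is_allowed()` keeps the comparison exact.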