First the login page:
Code:
```php
session_start();
// Token derived from the current time plus a fixed offset; microtime(true) returns a float,
// so the addition no longer relies on PHP coercing the "msec sec" string form.
$time = microtime(true) + (3467851);
$token = md5($time);
// Store the token in the session (replaces the invalid session_start("token") call
// and the long-removed $HTTP_SESSION_VARS array).
$_SESSION["token"] = $token;
$sessionID = session_id();
// Token is valid for five minutes.
$expire = time() + (300);
include "../includes/connect.php";
mysql_query("INSERT INTO token (sessID, token, expire) VALUES ('$sessionID', '$token', '$expire')") or die(mysql_error());
```
The rest of the login page is just a normal form, but I do have an AJAX validation script that checks that the username and password are alphanumeric. If they are not, the user is notified and they are not allowed to submit.
The checklogin page (with some notes):
Code:
```php
session_start();
include ("../includes/connect.php");
$sessID = session_id();
// The token issued by login.php lives in the session; it was never assigned in this script before.
$token = isset($_SESSION['token']) ? $_SESSION['token'] : '';
$sql1="SELECT * FROM token WHERE sessID='$sessID' and token='$token'";
$result1=mysql_query($sql1);
$current=mysql_num_rows($result1);
$expire = time();
// I delete the tokens to stop multiple submits from someone from having more than one shot at getting in without going to my login screen every time.
mysql_query("DELETE FROM token WHERE sessID = '$sessID'");
// This is to clean up a token from someone who got to the login screen but closed their browser.
mysql_query("DELETE FROM token WHERE expire < '$expire'");
if($current!=1){session_destroy(); die("<meta http-equiv='REFRESH' content='0;url=login.php'>");}
// Username and password sent from the form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect against MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM user WHERE userName='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// mysql_num_rows counts the matching table rows
$count=mysql_num_rows($result);
// If the result matched $myusername and $mypassword, there must be exactly 1 row
if($count==1){
$stamp = date("m-d-Y - g:i a");
$row = mysql_fetch_array($result);
$userID = $row['ID'];
$name = $row['fName'];
$admin = $row['admin'];
// session_register() is deprecated; writing to $_SESSION directly does the same job.
$_SESSION['userID'] = $userID;
$_SESSION['name'] = $name;
$_SESSION['admin'] = $admin;
mysql_query("UPDATE user SET lastLogin='$stamp' WHERE ID='$userID'");
echo "<meta http-equiv='REFRESH' content='0;url=../index.php'>";
}
else {
echo "<meta HTTP-EQUIV='REFRESH' content='0; url=login.php?error=1'>";
}
```
Code:
```php
session_start();
// session_is_registered(name) passed the bare constant `name`; check the session array instead.
if(!isset($_SESSION['name'])){
header("location:http://www.fwbgo.net/smart/login/login.php");
// Without exit the rest of the protected page is still sent to the client after the redirect header.
exit;
}
```
I am still learning so let me have it!
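For comparison with the flow above, here is the same login/token scheme rewritten with the APIs a current PHP deployment would use. This is an added example, not the poster's code: it assumes a `user` table with columns `ID`, `userName`, `passwordHash` (created with `password_hash()`), `fName`, `admin` and a `DATETIME` column `lastLogin`, and assumes `../includes/connect.php` defines a PDO connection `$pdo` with `ERRMODE_EXCEPTION`. It goes one step beyond the original in that the one-shot token is also echoed into the form as a hidden field, so a POST that did not come from this site's own login form is rejected as well.

```php
<?php
// Added example (not the poster's code). Assumptions: $pdo from connect.php,
// user table as described in the lead-in. Token lives only in the session,
// so no token table or cleanup query is needed.
declare(strict_types=1);
session_start();
require '../includes/connect.php'; // hypothetical: must define $pdo

const TOKEN_TTL = 300; // same five-minute window as the original

// login.php side: issue a one-shot form token bound to this session.
function issueLoginToken(): string {
    $token = bin2hex(random_bytes(32));            // CSPRNG instead of md5(microtime())
    $_SESSION['login_token']         = $token;
    $_SESSION['login_token_expires'] = time() + TOKEN_TTL;
    return $token;
}

// checklogin.php side: consume the token exactly once and compare in constant time.
function consumeLoginToken(?string $submitted): bool {
    $stored  = $_SESSION['login_token'] ?? null;
    $expires = $_SESSION['login_token_expires'] ?? 0;
    unset($_SESSION['login_token'], $_SESSION['login_token_expires']); // one shot, like the DELETE
    if ($stored === null || $submitted === null || time() > $expires) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Credential check: prepared statement (no escaping) plus password_verify().
function authenticate(PDO $pdo, string $username, string $password): ?array {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $stmt = $pdo->prepare('SELECT ID, fName, admin, passwordHash FROM user WHERE userName = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user does not exist so the response
    // time does not reveal which usernames are valid.
    $hash = ($row !== false) ? $row['passwordHash'] : $dummyHash;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return $row;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeLoginToken($_POST['token'] ?? null)) {
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $user = authenticate(
        $pdo,
        (string)($_POST['myusername'] ?? ''),
        (string)($_POST['mypassword'] ?? '')
    );
    if ($user === null) {
        header('Location: login.php?error=1');
        exit;
    }
    session_regenerate_id(true);                    // new session id after login (fixation defence)
    $_SESSION['userID'] = (int)$user['ID'];
    $_SESSION['name']   = $user['fName'];
    $_SESSION['admin']  = (bool)$user['admin'];
    $pdo->prepare('UPDATE user SET lastLogin = NOW() WHERE ID = ?')->execute([$user['ID']]);
    header('Location: ../index.php');
    exit;
}

// GET: render the form with a fresh token in a hidden field.
$token = htmlspecialchars(issueLoginToken(), ENT_QUOTES, 'UTF-8');
echo "<form method='post'>"
   . "<input type='hidden' name='token' value='$token'>"
   . "<input name='myusername'> <input type='password' name='mypassword'>"
   . "<button type='submit'>Log in</button></form>";
```

The protected pages then only need `session_start(); if (!isset($_SESSION['userID'])) { header('Location: login.php'); exit; }`. Because the token is compared with `hash_equals()` and the password with `password_verify()`, neither the escaping step nor the `mysql_num_rows() == 1` check from the original is needed, and the redirect-after-`header()` calls always `exit` so no page content leaks past the redirect.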