Posted by Frits van Leeuwen on 08/15/06 07:52
> > This is the method that I use. It's quite possible that it needs work,
> > so if anyone would like to critique it, I'd be glad to hear it. This
> > is a rudimentary example, but gives you the gist:
> >
> > INDEX.PHP
> > -----
> > <?php
> >
> > session_start();
> >
> > if (!isset($_SESSION['logged']))
> > {
> >     $_SESSION['logged'] = false;
> > }
> >
> > if ($_SESSION['logged'])
> > {
> >     require 'index.inc';
> >     exit;
> > }
> > else
> > {
> >     header('Location: login.php?page=index.php');
> >     exit;
> > }
> >
> > ?>
> > -----
> >
> > Ok, let me explain, first we start sessions. Then, if there is no
> > session variable 'logged' then we'll create it, and set it to false.
> > In other words, if they haven't tried to log in yet, we're going to
> > specify that they have not logged in. Possibly this is redundant, but
> > I prefer being safe.
> >
> > Now, if $_SESSION['logged'] is true; in other words, it was set to true
> > before they visited the page (we'll look at login.php in a moment),
> > then we will include the proper file. So you build the page they were
> > supposed to see in index.inc, completely separate from the address they
> > type in.*
> >
> > If $_SESSION['logged'] is not true, then the script redirects to
> > login.php, with the GET variable of the page they were on.
> >
> > *Since index.inc is its own file, and most often it is simply output
> > as text if requested, there's an obvious security hole. You need to
> > ensure, probably via .htaccess, that users are forbidden from seeing
> > .inc files. This should be a normal practice in any case; users should
> > never have any reason to see your included files.
> >
> > LOGIN.PHP
> > -----
> > <?php
> >
> > session_start();
> >
> > //RETRIEVE USERNAMES
> >
> > if ($_SERVER['REQUEST_METHOD'] == "POST")
> > {
> >     $user = $_POST['user'];
> >     $pass = sha1($_POST['pass']);
> >
> >     if ($user == USER && $pass === PASS)
> >     {
> >         $_SESSION['logged'] = true;
> >         if (isset($_GET['page']))
> >         {
> >             $url = $_GET['page'];
> >         }
> >         else
> >         {
> >             $url = 'welcome.php';
> >         }
> >
> >         header('Location: '.$url);
> >         exit;
> >     }
> >     else
> >     {
> >         $warning = 'Username or Password is incorrect';
> >     }
> > }
> >
> > ?>
> > <!-- LOGINPAGEHTMLGOESHERE -->
> > -----
> > This is the PHP for processing a login. It should go above the HTML
> > you want to display on the login page. $warning is a string to be
> > formatted and echoed, if it is set, somewhere on the page. You may
> > want to use a try-catch-throw instead, but for simplicity, that's how I
> > have it set up. The whole testing script only runs if the page was
> > accessed from a POST submission, so it will not run if the page is not
> > loaded from a form submission with a method="post" setting.
> >
> > You need some way of retrieving the usernames and passwords. This
> > script works well if there's only one user (an administrator of something,
> > for instance) but would need to be modified if you're testing for
> > multiple users. I used a PHP comment to represent however you receive
> > your variables. In the example I'm using, I included a config file,
> > which set the constants USER and PASS. You may want a different setup.
> >
> > Then test if the username and password entered match with the ones on
> > file. SHA1() is used to encrypt the password, and you test against the
> > stored password, which was encrypted upon creation. If they match,
> > $_SESSION['logged'] is set (if you have multiple users, you should also
> > set a $_SESSION['user'] which stores their username). Then the user is
> > redirected; either to the page they came from, or to the welcome page.
> >
> > Note that the warning does not differentiate which entry was wrong -
> > username or password. That is intentional, and is an additional
> > security feature; a hacker won't even know if they've entered a correct
> > username.
> >
> > So there you go. It definitely needs modification, but it does work.
> >
>
> Thanks, I'll give it a try.
> I'll tell you when it works.
>
Is it possible to do this all in 1 file?
I like to start with INDEX.PHP.
There I like to log in or choose a language.
After a bad login, I like to say it's wrong.
After a good login, I like to say hello+username.
Bad or good, you can always choose a language.
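Frits asks whether the whole thing can live in one file. What follows is an added example of my own, not code from the earlier poster: a single index.php that shows the language chooser to everybody, a login form to visitors who are not logged in, and a greeting with the username plus a logout button once they are. Compared with the quoted login.php it checks the password with password_verify() against a password_hash() value instead of comparing sha1() digests, requires a per-session form token on every POST, regenerates the session id after a successful login, and redirects to a fixed page instead of whatever $_GET['page'] contained. The user name, the placeholder hash, the language list and the file name index.php are assumptions; it needs PHP 7.4 or later.

```php
<?php
// index.php: login, greeting and language choice in one file.
// Added example, not the poster's code. Assumes PHP 7.4+, that this file is
// saved as index.php, and one user whose password hash came from password_hash();
// APP_PASS_HASH below is a placeholder to be replaced with that real hash.
declare(strict_types=1);
session_start();

const APP_USER      = 'admin';
const APP_PASS_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';
const LANGUAGES     = ['en' => 'English', 'nl' => 'Nederlands'];
const GREETING      = ['en' => 'Hello', 'nl' => 'Hallo'];

// Per-session token so a page on another site cannot submit our forms (CSRF).
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
// Read a POST field as a string only; a field sent as user[] would arrive as an array.
$field = static fn(string $k): string => is_string($_POST[$k] ?? null) ? $_POST[$k] : '';

$warning = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], $field('csrf'))) {
        $warning = 'Form token invalid, please try again';
    } elseif ($field('action') === 'lang' && array_key_exists($field('lang'), LANGUAGES)) {
        $_SESSION['lang'] = $field('lang');   // allowed whether or not logged in
    } elseif ($field('action') === 'logout') {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit;
    } elseif ($field('action') === 'login') {
        // Run both checks every time so a wrong username costs the same time as a wrong password.
        $userOk = hash_equals(APP_USER, $field('user'));
        $passOk = password_verify($field('pass'), APP_PASS_HASH);
        if ($userOk && $passOk) {
            session_regenerate_id(true);    // fresh session id after login (fixation defence)
            $_SESSION['logged'] = true;
            $_SESSION['user']   = APP_USER;
            header('Location: index.php');  // fixed target, no user-supplied redirect URL
            exit;
        }
        $warning = 'Username or password is incorrect';   // one message for both cases
    }
}

$lang   = $_SESSION['lang'] ?? 'en';
$logged = !empty($_SESSION['logged']);
$h      = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
$csrf   = $h($_SESSION['csrf']);
?>
<!DOCTYPE html>
<html lang="<?= $h($lang) ?>">
<head><meta charset="utf-8"><title>Login</title></head>
<body>
<form method="post">
  <input type="hidden" name="csrf" value="<?= $csrf ?>">
  <input type="hidden" name="action" value="lang">
  <select name="lang">
<?php foreach (LANGUAGES as $code => $name): ?>
    <option value="<?= $h($code) ?>"<?= $code === $lang ? ' selected' : '' ?>><?= $h($name) ?></option>
<?php endforeach; ?>
  </select>
  <button type="submit">Choose language</button>
</form>
<?php if ($warning !== ''): ?>
<p><?= $h($warning) ?></p>
<?php endif; ?>
<?php if ($logged): ?>
<p><?= $h(GREETING[$lang]) ?> <?= $h($_SESSION['user']) ?></p>
<form method="post">
  <input type="hidden" name="csrf" value="<?= $csrf ?>">
  <input type="hidden" name="action" value="logout">
  <button type="submit">Log out</button>
</form>
<?php else: ?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= $csrf ?>">
  <input type="hidden" name="action" value="login">
  <label>User <input name="user" autocomplete="username"></label>
  <label>Password <input type="password" name="pass" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
<?php endif; ?>
</body>
</html>
```

Every state change goes through a POST that carries the session token, and the only redirects point at index.php itself, so the page never forwards a visitor to an address taken from the request. The "incorrect" message stays identical for a wrong username and a wrong password, and both checks run on every attempt, so neither the text nor the response time tells the submitter which half was wrong.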