Posted by dimo414 on 06/16/09 11:55

This is the method that I use. It's quite possible that it needs work,
so if anyone would like to critique it, I'd be glad to hear it. This
is a rudimentary example, but gives you the gist:

INDEX.PHP
-----
<?php

// Every protected page starts the session before touching $_SESSION.
session_start();

// If the visitor has never been through login.php, record that they
// are not logged in rather than relying on the key being absent.
if (!isset($_SESSION['logged']))
{
    $_SESSION['logged'] = false;
}

if ($_SESSION['logged'])
{
    // Logged in: render the real page, which lives in a separate file.
    require 'index.inc';
    exit;
}
else
{
    // Not logged in: send them to the login form and remember where
    // they were trying to go so login.php can bring them back.
    header('Location: login.php?page=index.php');
    exit;
}

?>
-----

OK, let me explain. First we start sessions. Then, if there is no
session variable 'logged', we'll create it and set it to false.
In other words, if they haven't tried to log in yet, we're going to
specify that they have not logged in. Possibly this is redundant, but
I prefer being safe.

Now, if $_SESSION['logged'] is true; in other words, it was set to true
before they visited the page (we'll look at login.php in a moment),
then we will include the proper file. So you build the page they were
supposed to see in index.inc, completely separate from the address they
type in.*

If $_SESSION['logged'] is not true, then the script redirects to
login.php, with the GET variable of the page they were on.

*Since index.inc is its own file, and most often it is simply output
as text if requested, there's an obvious security hole. You need to
ensure, probably via .htaccess, that users are forbidden from seeing
.inc files. This should be a normal practice in any case; users should
never have any reason to see your included files.

LOGIN.PHP
-----
<?php

session_start();

//RETRIEVE USERNAMES
// (stands in for however you load them; in the original setup a
// config file was included here that defined the constants USER and PASS,
// where PASS is the sha1() of the real password)

// Only run the check when the login form was actually submitted.
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = sha1(isset($_POST['pass']) ? $_POST['pass'] : '');

    // Strict comparison on both values so a non-string cannot loosely match.
    if ($user === USER && $pass === PASS)
    {
        $_SESSION['logged'] = true;

        // Send them back to the page they came from, but only if it is a
        // plain relative path: a value like "http://..." or "//..." here
        // would turn this into an open redirect.
        if (isset($_GET['page'])
            && strpos($_GET['page'], '//') === false
            && strpos($_GET['page'], ':') === false)
        {
            $url = $_GET['page'];
        }
        else
        {
            $url = 'welcome.php';
        }

        header('Location: '.$url);
        exit;
    }
    else
    {
        $warning = 'Username or Password is incorrect';
    }
}

?>
<!-- LOGINPAGEHTMLGOESHERE -->
-----
This is the PHP for processing a login. It should go above the HTML
you want to display on the login page. $warning is a string to be
formatted and echoed, if it is set, somewhere on the page. You may
want to use a try-catch-throw instead, but for simplicity, that's how I
have it set up. The whole testing script only runs if the page was
accessed from a POST submission, so it will not run if the page is not
loaded from a form submission with a method="post" setting.

You need some way of retrieving the usernames and passwords. This
script works well if there's only one user (an administrator of something,
for instance) but would need to be modified if you're testing for
multiple users. I used a PHP comment to represent however you receive
your variables. In the example I'm using, I included a config file,
which set the constants USER and PASS. You may want a different setup.

Then test if the username and password entered match with the ones on
file. SHA1() is used to encrypt the password, and you test against the
stored password, which was encrypted upon creation. If they match,
$_SESSION['logged'] is set (if you have multiple users, you should also
set a $_SESSION['user'] which stores their username). Then the user is
redirected; either to the page they came from, or to the welcome page.

Note that the warning does not differentiate which entry was wrong -
username or password. That is intentional, and is an additional
security feature; a hacker won't even know if they've entered a correct
username.

So there you go. It definitely needs modification, but it does work.
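For comparison, here is a hardened version of the same login.php logic. This is an added example, not dimo414's code; it assumes a hypothetical config.inc that defines USER and PASS_HASH, where PASS_HASH was produced once with password_hash(). It replaces the unsalted sha1() with password_verify(), rotates the session id on login, and only follows the ?page= redirect when it names a page on an allow list.

```php
<?php
// Added example (not from the original post). Assumes config.inc defines
// USER and PASS_HASH; PASS_HASH = password_hash($plaintext, PASSWORD_DEFAULT).
session_start();
require 'config.inc'; // hypothetical config file

// Only redirect to a local page we explicitly allow. Trusting $_GET['page']
// verbatim lets anyone craft a login link that lands on an external site.
function safe_redirect_target($page)
{
    $allowed = array('index.php', 'welcome.php', 'admin.php');
    if (is_string($page) && in_array($page, $allowed, true)) {
        return $page;
    }
    return 'welcome.php';
}

$warning = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) && is_string($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) && is_string($_POST['pass']) ? $_POST['pass'] : '';

    // Salted, slow hash check instead of comparing an unsalted sha1().
    // hash_equals() makes the username comparison constant-time as well.
    $user_ok = hash_equals(USER, $user);
    $pass_ok = password_verify($pass, PASS_HASH);

    if ($user_ok && $pass_ok) {
        // Fresh session id on privilege change defeats session fixation.
        session_regenerate_id(true);
        $_SESSION['logged'] = true;
        $_SESSION['user']   = $user;

        $target = safe_redirect_target(isset($_GET['page']) ? $_GET['page'] : null);
        header('Location: ' . $target);
        exit;
    }
    // One message for either failure, as in the original post.
    $warning = 'Username or Password is incorrect';
}
?>
<!-- LOGINPAGEHTMLGOESHERE -->
```

The index.php gate above works unchanged with this version; only the credential check and the redirect handling differ.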
