Posted by Frits van Leeuwen on 07/02/24 11:55
"dimo414" <dimo414@gmail.com> wrote in message
news:1155376109.674219.164880@74g2000cwt.googlegroups.com...
> This is the method that I use. It's quite possible that it needs work,
> so if anyone would like to critique it, I'd be glad to hear it. This
> is a rudimentary example, but gives you the gist:
>
> INDEX.PHP
> -----
> <?php
>
> session_start();
>
> if (!isset($_SESSION['logged']))
> {
>     $_SESSION['logged'] = false;
> }
>
> if ($_SESSION['logged'])
> {
>     require 'index.inc';
>     exit;
> }
> else
> {
>     header('Location: login.php?page=index.php');
>     exit;
> }
>
> ?>
> -----
>
> Ok, let me explain, first we start sessions. Then, if there is no
> session variable 'logged' then we'll create it, and set it to false.
> In other words, if they haven't tried to log in yet, we're going to
> specify that they have not logged in. Possibly this is redundant, but
> I prefer being safe.
>
> Now, if $_SESSION['logged'] is true; in other words, it was set to true
> before they visited the page (we'll look at login.php in a moment),
> then we will include the proper file. So you build the page they were
> supposed to see in index.inc, completely separate from the address they
> type in.*
>
> If $_SESSION['logged'] is not true, then the script redirects to
> login.php, with the GET variable of the page they were on.
>
> *Since index.inc is its own file, and most often it is simply output
> as text if requested, there's an obvious security hole. You need to
> ensure, probably via .htaccess, that users are forbidden from seeing
> .inc files. This should be a normal practice in any case; users should
> never have any reason to see your included files.
>
> LOGIN.PHP
> -----
> <?php
>
> session_start();
>
> //RETRIEVE USERNAMES
>
> if ($_SERVER['REQUEST_METHOD'] == "POST")
> {
>     $user = $_POST['user'];
>     $pass = sha1($_POST['pass']);
>
>     // strict comparison for both: == would compare numeric-looking
>     // strings numerically
>     if ($user === USER && $pass === PASS)
>     {
>         $_SESSION['logged'] = true;
>         if (isset($_GET['page']))
>         {
>             $url = $_GET['page'];
>         }
>         else
>         {
>             $url = 'welcome.php';
>         }
>
>         header('Location: '.$url);
>         exit;
>     }
>     else
>     {
>         $warning = 'Username or Password is incorrect';
>     }
> }
>
> ?>
> <!-- LOGINPAGEHTMLGOESHERE -->
> -----
> This is the PHP for processing a login. It should go above the HTML
> you want to display on the login page. $warning is a string to be
> formatted and echoed, if it is set, somewhere on the page. You may
> want to use a try-catch-throw instead, but for simplicity, that's how I
> have it set up. The whole testing script only runs if the page was
> accessed from a POST submission, so it will not run if the page is not
> loaded from a form submission with a method="post" setting.
>
> You need some way of retrieving the usernames and passwords. This
> script works well if there's only one user (an administrator of something,
> for instance) but would need to be modified if you're testing for
> multiple users. I used a PHP comment to represent however you receive
> your variables. In the example I'm using, I included a config file,
> which set the constants USER and PASS. You may want a different setup.
>
> Then test if the username and password entered match with the ones on
> file. SHA1() is used to encrypt the password, and you test against the
> stored password, which was encrypted upon creation. If they match,
> $_SESSION['logged'] is set (if you have multiple users, you should also
> set a $_SESSION['user'] which stores their username). Then the user is
> redirected; either to the page they came from, or to the welcome page.
>
> Note that the warning does not differentiate which entry was wrong -
> username or password. That is intentional, and is an additional
> security feature; a hacker won't even know if they've entered a correct
> username.
>
> So there you go. It definitely needs modification, but it does work.
>
Thanks, I'll give it a try.
I'll tell you when it works.
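A hardened version of the quoted login.php, added here as an example rather than code from the original post. It assumes a config file that defines USER and a constant PASS_HASH produced once by password_hash(), keeps the single generic error message the post recommends, and additionally regenerates the session id on login and restricts the ?page= redirect to a local path so the parameter cannot send a freshly logged-in user to another site.

```php
<?php
// Added example (not from the original post). config.inc is assumed to
// define USER and PASS_HASH, the latter from password_hash($pw, PASSWORD_DEFAULT).
session_start();
require 'config.inc';

// Accept only a relative or same-origin path for the post-login redirect.
// A scheme (needs ':') or a protocol-relative '//host' is rejected, which
// closes the open redirect in the original use of $_GET['page'].
function safe_redirect_target($page, string $default): string
{
    if (!is_string($page) || $page === '') {
        return $default;
    }
    if (!preg_match('#\A(?!//)[A-Za-z0-9._~/?=&-]+\z#', $page)) {
        return $default;
    }
    return $page;
}

$warning = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Guard against user[]=... turning the fields into arrays.
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

    // Both checks always run, and the username compare is constant-time,
    // so response timing does not reveal which half was wrong.
    $userOk = hash_equals(USER, $user);
    $passOk = password_verify($pass, PASS_HASH);

    if ($userOk && $passOk) {
        // Fresh session id on privilege change prevents session fixation.
        session_regenerate_id(true);
        $_SESSION['logged'] = true;
        $_SESSION['user'] = $user;

        header('Location: ' . safe_redirect_target($_GET['page'] ?? null, 'welcome.php'));
        exit;
    }

    // Same message whether the username or the password was wrong.
    $warning = 'Username or Password is incorrect';
}
?>
<!-- LOGIN PAGE HTML GOES HERE; output $warning with htmlspecialchars() when set -->
```

index.php can stay as the post shows it; only the password storage (PASS_HASH instead of a SHA1 constant) and the redirect validation change.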