Reply to Re: login at a site.

Posted by Flaming Corncob on 08/15/06 09:57

In article <7b833$44e17d93$c2ab6db8$8035@news1.tudelft.nl>,
"Frits van Leeuwen" <Frits.vanLeeuwen@nospam.nl> wrote:

> > > This is the method that I use. It's quite possible that it needs work,
> > > so if anyone would like to critique it, I'd be glad to hear it. This
> > > is a rudimentary example, but gives you the gist:
> > >
> > > INDEX.PHP
> > > -----
> > > <?php
> > >
> > > session_start();
> > >
> > > if (!isset($_SESSION['logged']))
> > > {
> > >     $_SESSION['logged'] = false;
> > > }
> > >
> > > if ($_SESSION['logged'])
> > > {
> > >     require 'index.inc';
> > >     exit;
> > > }
> > > else
> > > {
> > >     header('Location: login.php?page=index.php');
> > >     exit;
> > > }
> > >
> > > ?>
> > > -----
> > >
> > > Ok, let me explain, first we start sessions. Then, if there is no
> > > session variable 'logged' then we'll create it, and set it to false.
> > > In other words, if they haven't tried to log in yet, we're going to
> > > specify that they have not logged in. Possibly this is redundant, but
> > > I prefer being safe.
> > >
> > > Now, if $_SESSION['logged'] is true; in other words, it was set to true
> > > before they visited the page (we'll look at login.php in a moment),
> > > then we will include the proper file. So you build the page they were
> > > supposed to see in index.inc, completely separate from the address they
> > > type in.*
> > >
> > > If $_SESSION['logged'] is not true, then the script redirects to
> > > login.php, with the get variable of the page they were on.
> > >
> > > *Since index.inc is its own file, and most often it is simply output
> > > as text if requested, there's an obvious security hole. You need to
> > > ensure, probably via .htaccess, that users are forbidden from seeing
> > > .inc files. This should be a normal practice in any case; users should
> > > never have any reason to see your included files.
> > >
> > > LOGIN.PHP
> > > -----
> > > <?php
> > >
> > > session_start();
> > >
> > > //RETRIEVE USERNAMES
> > >
> > > if ($_SERVER['REQUEST_METHOD'] == "POST")
> > > {
> > >     $user = $_POST['user'];
> > >     $pass = sha1($_POST['pass']);
> > >
> > >     if ($user == USER && $pass === PASS)
> > >     {
> > >         $_SESSION['logged'] = true;
> > >         if (isset($_GET['page']))
> > >         {
> > >             $url = $_GET['page'];
> > >         }
> > >         else
> > >         {
> > >             $url = 'welcome.php';
> > >         }
> > >
> > >         header('Location: '.$url);
> > >         exit;
> > >     }
> > >     else
> > >     {
> > >         $warning = 'Username or Password is incorrect';
> > >     }
> > > }
> > >
> > > ?>
> > > <!-- LOGINPAGEHTMLGOESHERE -->
> > > -----
> > > This is the PHP for processing a login. It should go above the html
> > > you want to display on the login page. $warning is a string to be
> > > formatted and echoed, if it is set, somewhere on the page. You may
> > > want to use a try-catch-throw instead, but for simplicity, that's how I
> > > have it set up. The whole testing script only runs if the page was
> > > accessed from a POST submission, so it will not run if the page is not
> > > loaded from a form submission with a method="post" setting.
> > >
> > > You need some way of retrieving the usernames and passwords. This
> > > script works well if there's only one user (an administrator of something,
> > > for instance) but would need to be modified if you're testing for
> > > multiple users. I used a PHP comment to represent however you receive
> > > your variables. In the example I'm using, I included a config file,
> > > which set the constants USER and PASS. You may want a different setup.
> > >
> > > Then test if the username and password entered match with the ones on
> > > file. SHA1() is used to encrypt the password, and you test against the
> > > stored password, which was encrypted upon creation. If they match,
> > > $_SESSION['logged'] is set (if you have multiple users, you should also
> > > set a $_SESSION['user'] which stores their username). Then the user is
> > > redirected; either to the page they came from, or to the welcome page.
> > >
> > > Note that the warning does not differentiate which entry was wrong -
> > > username or password. That is intentional, and is an additional
> > > security feature; a hacker won't even know if they've entered a correct
> > > username.
> > >
> > > So there you go. It definitely needs modification, but it does work.
> > >
> >
> > Thanks, I'll give it a try.
> > I'll tell you when it works
> >
> Is it possible to do this all in 1 file?
> I like to start with INDEX.PHP
> There I like to login or choose a language.
> After a bad login, I like to say it's wrong.
> After a good login, I like to say hello+username.
> Bad or good, you can always choose a language.

I just posted my own code... using a 1-page format. It works.
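
Added example (not part of the thread and not the quoted poster's code): a hardened variant of the quoted login.php that keeps its flow but verifies the password with password_hash()/password_verify() instead of a bare sha1(), issues a new session ID at login, and only redirects to allowlisted pages. The constant PASS_HASH, the helper names safe_redirect_target() and credentials_ok(), the allowlist contents and the demo password are assumptions; PHP 5.6 or later is assumed.

```php
<?php
// Added example: hardened variant of the quoted login.php (PHP 5.6+ assumed).
// USER and PASS_HASH are assumed constants from a config file; PASS_HASH must
// hold the output of password_hash(), generated once when the password is set.
// Constructed demo values only, so the file runs stand-alone:
define('USER', 'admin');
define('PASS_HASH', password_hash('constructed-demo-password', PASSWORD_DEFAULT));

// Pages the login form may send a user back to. Anything else falls back to
// welcome.php, so the `page` parameter cannot redirect to another site.
function safe_redirect_target($requested)
{
    $allowed = array('index.php', 'welcome.php');
    return in_array($requested, $allowed, true) ? $requested : 'welcome.php';
}

// Compare the user name in constant time and verify the password against a
// salted, slow hash rather than an unsalted sha1() digest.
function credentials_ok($user, $pass)
{
    $userOk = hash_equals(USER, (string) $user);
    $passOk = password_verify((string) $pass, PASS_HASH);
    return $userOk && $passOk;   // both checks always run
}

session_start();
$warning = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';

    if (credentials_ok($user, $pass)) {
        session_regenerate_id(true);   // new session ID once authenticated
        $_SESSION['logged'] = true;
        $page = isset($_GET['page']) ? $_GET['page'] : '';
        header('Location: ' . safe_redirect_target($page));
        exit;
    }
    // Same message for a wrong user name or a wrong password, as in the post.
    $warning = 'Username or Password is incorrect';
}
?>
<!-- LOGINPAGEHTMLGOESHERE -->
```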
