Log In Authentication

  • Skipper02
    Sergeant

    • Jun 2008
    • 25

    Log In Authentication

    I have created a test login page so that once a user logs in with correct credentials he/she should be directed to the main page.

    The log in page is at: www.studykitchen.com/login.php
    The main page is at: www.studykitchen.com/main.php
    I am collecting the data from the log in page and processing it in the authenticate page with the following code: www.studykitchen.com/authenticate.php

    The code is executing without any errors and I am getting the message, "Log in successful" but it is not redirecting to the main page. I have highlighted the line that I think is responsible for this malfunction. Please help.

    The code that I am using is:

    <?php
    foreach ($_POST as $key => $value) {
        if ($key != "submit") {
            $value = htmlentities(stripslashes(strip_tags($value)));
            echo "\t<input type=\"hidden\" name=\"$key\" value=\"$value\">\n";
        }
    }

    $errorMessage = '';

    if (isset($_POST['Email']) && isset($_POST['Password'])) {
        $db_host = "localhost";
        $db_user = "XXXXX_YYYYY";
        $db_password = "AAAAAA";
        $db_name = "BBBBB_CCCCC";

        $db = mysql_connect($db_host, $db_user, $db_password);
        if ($db == FALSE) {
            $error = "Could not connect to the Database Server. Please check user details. Error = ". mysql_error();
            exit($error);
        }
        echo "Completed DB connection";

        mysql_select_db($db_name, $db);
        if (!mysql_select_db($db_name, $db)) {
            $error = "Could not select Database. Please check user details. Error = ". mysql_error();
            exit($error);
        }
        echo "Completed DB selection";

        $userId = $_POST['Email'];
        $password = $_POST['Password'];

        // check if the user id and password combination exist in database
        $sql = "SELECT Email
                FROM UserDetails
                WHERE Email = '$userId'
                AND Password = '$password'";
        $result = mysql_query($sql, $db);
        if (mysql_num_rows($result) == 1) {
            // the user id and password match,
            // set the session
            $_SESSION['db_is_logged_in'] = true;
            echo "Log in successful";
            // after login we move to the main page
            header("Location: http://www.studykitchen.com/main.php");
            exit;
        }
        else {
            $errorMessage = 'Sorry, wrong user id / password';
        }
        mysql_close($db);
    }
    ?>
  • Watdaflip
    Major General

    • Sep 2005
    • 2116

    #2
    Re: Log In Authentication

    Hey,

    First of all your session isn't going to work, you need to add

    PHP Code:
    session_start(); 
    before attempting to do anything with sessions, as well as before any output.

    As for the redirect issue, you can't use header() if there has been any previous output (all of the echos). You need to do something like reordering your logic, or saving any output into a variable and displaying it at a certain point toward the end of your file.

    Lastly, I don't know how secure your site needs to be, but using a simple flag to determine if the user is logged in is not a good idea and you should encrypt the password. You should re-validate if the user is logged in on each and every page they load, which means storing the username and password (encrypted of course) in the session.

    Hope that helps

    Register/Login Script
    Do you use a Password Protected Directory? Need a way to allow users to make their own account, try my .htaccess Login Script


    • Skipper02
      Sergeant

      • Jun 2008
      • 25

      #3
      Re: Log In Authentication

      Watdaflip,

      Thanks for your help. I could resolve the redirect issue with your guidance.

      I do like your suggestion about storing the encrypted username and password in every session and revalidating it in every page. However, I am new to programming in PHP and don't yet know how to encrypt those two variables and implement your suggestion. Any advice will be highly appreciated.

      Again thanks a lot for helping me resolve the page redirect issue.

      Regards


      • Watdaflip
        Major General

        • Sep 2005
        • 2116

        #4
        Re: Log In Authentication

        All you have to do to encrypt is use a function (two best are md5() and sha1()).

        So for instance say you have

        PHP Code:
        $username = $_POST['username']; // validate the data of course to make sure it's nothing harmful
        $password = $_POST['password'];

        $enc_pass = md5($password); // returns a 32 character string unique to that password;

        // query database and check

        // if true
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $enc_pass;
        echo "You are logged in";

        // if false
        echo "Failed to login";
        And then on any page you want to validate the login just..
        PHP Code:
        <?php
        session_start();
        $username = $_SESSION['username'];
        $password = $_SESSION['password'];
        // run query

        if (mysql_num_rows($query) != 1)
        {
            unset($_SESSION['username'], $_SESSION['password']); // clear bad username/password from session;
            header("location: your_login_form.php"); // redirect for them to login again
            exit; // stop here so the rest of the page is not sent along with the redirect
        }
        Hope that helps


        • Skipper02
          Sergeant

          • Jun 2008
          • 25

          #5
          Re: Log In Authentication

          Watdaflip, thank you so much!!!


          • Skipper02
            Sergeant

            • Jun 2008
            • 25

            #6
            Re: Log In Authentication

            Watdaflip,

            I followed your suggestion and wrote the following code but am not getting the desired results. Obviously I am doing something wrong.

            The code for the login page is:

            <?php
            session_start();
            if (isset($_POST['Email']) && isset($_POST['Password'])) {
                $db_host = "localhost";
                $db_user = "XXXX_YYYY";
                $db_password = "ZZZZ";
                $db_name = "XXXX_StudyKitchenData";
                $db = mysql_connect($db_host, $db_user, $db_password);
                mysql_select_db($db_name, $db);
                $userId = $_POST['Email'];
                $password = $_POST['Password'];
                $sql = "SELECT Email FROM UserDetails WHERE Email = '$userId' AND Password = '$password'";
                $result = mysql_query($sql, $db);
                if (mysql_num_rows($result) == 1) {
                    $_SESSION['userId'] = $userId;
                    $_SESSION['password'] = $password;
                    header("Location: http://www.studykitchen.com/main.php");
                    exit;
                } else {
                    echo 'Sorry, wrong user id / password';
                }
                mysql_close($db);
            }
            ?>

            This code works fine and takes me to the main page if I provide the correct credentials. But if I change the highlighted lines to the following then it doesn't take me to the main page but remains on the login page itself:

            $_SESSION['userId'] = md5($userId);
            $_SESSION['password']= md5($password);


            For the main page I am using the following code:

            <?php
            session_start();
            $userId = $_SESSION['userId'];
            $password = $_SESSION['password'];
            $db_host = "localhost";
            $db_user = "XXXX_YYYY";
            $db_password = "ZZZZ";
            $db_name = "tuwipwa_StudyKitchenData";
            $db = mysql_connect($db_host, $db_user, $db_password);
            mysql_select_db($db_name, $db);
            $sql = "SELECT Email FROM UserDetails WHERE Email = '$userId' AND Password = '$password'";
            $result = mysql_query($sql, $db);
            if (mysql_num_rows($result) != 1) {
                unset($_SESSION['userId'], $_SESSION['password']); // clear bad username/password from session;
                header("location:http://www.studykitchen.com/login.php"); // redirect for them to login again
            }
            ?>

            But this is doing no good as I can enter the main page without going through the login page so the session is not being maintained.

            Please help.

            Comment
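
Added example (not code from any poster in this thread) covering the login check and per-page check discussed in posts #4 and #6: the credentials are checked with a bound query parameter and password_hash()/password_verify() instead of string interpolation and md5(), and the session stores only the verified e-mail. The in-memory SQLite table, the PasswordHash column, the sample account and all function names are assumptions made so the block runs offline with PHP's PDO SQLite driver.

```php
<?php
// Constructed stand-in for the thread's MySQL UserDetails table (in-memory SQLite).
// password_hash() salts and stretches the password, unlike a bare md5()/sha1().
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE UserDetails (Email TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO UserDetails (Email, PasswordHash) VALUES (?, ?)');
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the verified e-mail or null; input is bound, never spliced into the SQL text.
function verify_credentials(PDO $pdo, string $email, string $password): ?string {
    $stmt = $pdo->prepare('SELECT Email, PasswordHash FROM UserDetails WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return null;
    }
    return $row['Email'];
}

// login.php: no output is sent before session_start() or header().
function handle_login(PDO $pdo, array $post): string {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    $user = verify_credentials($pdo, (string)($post['Email'] ?? ''), (string)($post['Password'] ?? ''));
    if ($user === null) {
        return 'Sorry, wrong user id / password';
    }
    session_regenerate_id(true);   // fresh session id after login (anti-fixation)
    $_SESSION['userId'] = $user;   // identity only: no password or hash in the session
    header('Location: /main.php');
    exit;
}

// main.php and every other protected page call this before producing output.
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (empty($_SESSION['userId'])) {
        header('Location: /login.php');
        exit;                      // without exit the protected page is still sent
    }
}

if (PHP_SAPI === 'cli') {          // offline check with constructed inputs
    $pdo = demo_db();
    var_dump(verify_credentials($pdo, 'alice@example.com', 'correct horse'));
    var_dump(verify_credentials($pdo, "o'brien@example.com", 'x')); // quote stays data
}
```

On the real site the PDO connection would point at the MySQL database, and the stored Password column would have to be migrated to password_hash() output before password_verify() can succeed.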
