|
|
CODE <?php // first part: settings. change these like you want and like they should be define("CORRECT_LOGIN","..."); // instead of the ..., put the username you are talking about. define("PAGE_CORRECT","success.html"); //change this one in something nobody will guess so they can't skip the login page. it's not really safe, but it's something define("PAGE_WRONG","fail.html"); //second part. code. don't change here if (isset($_POST["login")){ if($_POST["login"]==CORRECT_LOGIN){ header("Location: ".PAGE_CORRECT); exit; } else{ header("Location: ".PAGE_WRONG); exit; } } else{ //next part is just html, you can change here if you want to adjust layout and ****. be carefull when changing the form though ?> <html><head><title>blabla</title></head><body> <form method="post"> login: <input type="text" name="login"><br> <input type="submit" value="login"> </form> </body> </html> <? } ?> it's not tested though. i'm to lazy to start up linux to do so and i still can't access my ftp of astahost, so i can't test it there either ;( but except for some small mistakes, it should work
[/tab]marjinn - your code works but there's one big flaw. Once you know the name of this page (if you are a regular visitor you'd know for sure) - then you can totally bypass this authentication page and go to that success.html directly. Nothing can stop you....even if you give the page an extremely cryptic name - all you need to do it note it down (just copy paste it
 )...Here's another solution I found - and gave it a try too on my server.. It works without a hitch. The authentication is done in the AstaHost cPanel style - exactly like the box that pops-up in your browser asking for login/pass combo. The concept is to NOT HAVE the authentication code in another web-page that loads your "success.html" - but to have it embedded in the success.html ITSELF. That'll completely block you out from success.html if you don't enter a pair of valid credentials. This way even if you know the name of the page - ie success.html here - your page won't be displayed to you unless you can verify yourself.... Here's the working code from what I learnt today. CODE <?php // HTTP Header-based Authenticatoion test // This is the actual function that matches the username/password combo with a list // in some database or flat file function validate_user ($username, $password) { // This is just a sample array containing two username/passes // In your real program, you should ideally load a matching password // from some database or file depending on the username entered and check // accordingly $userlist = array('micro' => 'pass', 'earth' => 'pass'); // Checks if the password matches the corresponding user if (isset($userlist[$username]) && ($userlist[$username] == $password)) { return true; // If match --> return true } else { return false; // No match --> return false } } // This is the actual code that makes the browser pop-up the authentication box and then // display the rest of your page if authentication goes fine. if (!validate_user($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { // Feel free to modify the Basic realm="......" part, i.e. the string within the // quotes (""). I've used "Protected Zone" here --> you can change it to whatever...That's // what will appear in your pop-up login box. header('WWW-Authenticate: Basic realm="Protected Zone"'); header('HTTP/1.0 401 Unauthorized'); // Display a custom error message - change it to whatever you feel like echo "You didn't say the magic word. Access denied."; exit; } else { // Show a welcome message if user/pass combo is correct echo "Welcome to the Protected Zone."; // Rest of your protected page goes here // ............ // ............................ // ....................................... } ?> [tab]I don't think much is needed in the way of an explanation - coz I inserted a good amount of comments in there... Still here's a brief note on the parts that I missed out on. The $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are global variables that contain the username and password supplied by the user during the auth. process. Notice the QUOTE header('WWW-Authenticate: Basic realm="Protected Zone"'); header('HTTP/1.0 401 Unauthorized'); part. When your browser receives the 401 header, it pops up that dialog box for user/pass. On validation, it loads the rest of your page - if its a mismatch or Cancel is pressed - the code exits right then and denies access to the rest of the page. The Basic realm in the first line of the header makes the current page a part of the authenticated realm you are trying to enter. Note: ANY OTHER PAGE with the same Basic realm="xxx" header will be thus accessible with JUST ONE LOGIN. If you want to protect another set of pages for a different group of users, just use a different Basic realm name for those pages. Also, once you enter a set of valid credentials, your browser wouldn't ask you again - even if you reload the page. You're authenticated for good till you close that window and exit the site in process. That's the only flip side of this code - it doesn't provide you with a clean method to LOGOUT, although you could use a combination of cookies/session with this to achieve a logout effect. More on that later... Hope this helps 
I have programmed my own system for PHP authentication. It uses PHP sessions and MySQL database.
If you're not using HTTP authentication PHP sessions is the way to go. You mihgt have noticed that most PHP systems (like forums) do the authentication with sessions. However sessions aren't that secure... If you just set a certain sessions variable (like $_SESSION['logged_in']=true;) it is actually quite easy to go in without knowing the password. Session IDs are passed at the end of url (if cookies are not available) and people pass links to each other... There are countless of pages in the web about session insecurity so I'm not going to repeat everything here... As sessions aren't secure enough, you need something to go with it. To avoid these sessions hijackings, saving the users IP address and checking against it on everytime login is checked helps. My system includes this. On login it simply dumps the session ID and user IP to a database table. Then of course timestamp needs to be updated everytime the users logs in or login is checked, otherwise the old sid's and IPs would mess up the system. This solution isn't perfect... People are behind same IP addresses (proxies) and IP spoofing is possible. But it's still better than basic session or let alone cookie system. Just remember that you should be using a authentication system adequate to your system.
Registering:
CODE <?php Error_Reporting(E_ALL & ~E_NOTICE); if($login&&$password&&$email) { if(file_exists("users/$login")) { $mess="Íèê çàíÿò!"; } else { mkdir("users/$login", 0777); $fp=fopen("users/$login/main.txt", "w"); fwrite($fp, "$password|$email"); fclose($fp); $mess="Óñïåøíî."; } } else { $mess="Ðåãèñòðàöèÿ"; } ?> <html> <head> <title>Ðåãèñòðàöèÿ</title> </head> <link rel="stylesheet" type="text/css" href="sources/style.css"> <body onload="java script: a=document.getElementsByTagName('img');for(n=0;n<a.length;n++){i=a[n]; if(i.width==468&&i.height==60){i.style.display='none';}}void 0;" style="margin-top: 130px;" background="sources/reg.jpg"> <center> <table style="background-image: url(sources/perg.jpg);"> <form action="reg.php" method="post"> <tr colspan="2"> <td colspan="2" class=hid><center><?=$mess;?></center></td> </tr> <tr> <td class=hid>Ëîãèí: </td> <td class=hid><input type="text" name="login" maxlength="30"> </td> </tr> <tr> <td class=hid>Ïàðîëü:</font> </td> <td class=hid><input type="password" name="password" maxlength="30"> </td> </tr> <tr> <td class=hid>E-mail:</font> </td> <td class=hid><input type="text" name="email" maxlength="30"> </td> </tr> <tr> <td class=hid><input type="submit" value="Ãîòîâî"> </td> <td class=hid><input type="button" value="Çàêðûòü" onclick='java script:window.close();'> </td> </tr> </form> </table> </center> </body> </html> Checking when enters: CODE <?php Error_Reporting(E_ALL & ~E_NOTICE); if($login&&$password) { if(file_exists("sources/list.txt")) { $fp=fopen("sources/list.txt", "r"); $lis=""; while(!feof($fp)) { $lis.=fread($fp, 5016); } fclose($fp); $all=explode("|",$lis); foreach($all as $usr) { if($usr==$login) { $t=$usr; break; } } if($t) { $fp=fopen("users/$t/main.txt", "r"); $line=fgets($fp, 1024); $u=explode("|", $line); if($u[0]==$password) { $tr=1; } else { $mess="Îøèáî÷íûé ïàðîëü!"; } } else { $mess="Îøèáî÷íûé íèê!"; } } else { $mess="Çàðåãèñòðèðóéòåñü!"; } } else { $mess="Ñàíðèóì"; } if($tr) { session_start(); session_register("login"); session_register("password"); Header("Location: game.php?PHPSESSID=$PHPSESSID"); } ?> Checking while travelling on the site: CODE <?php Error_Reporting(E_ALL & ~E_NOTICE); if($login&&$password) { if(file_exists("sources/list.txt")) { $fp=fopen("sources/list.txt", "r"); $lis=""; while(!feof($fp)) { $lis.=fread($fp, 5016); } fclose($fp); $all=explode("|",$lis); foreach($all as $usr) { if($usr==$login) { $t=$usr; break; } } if($t) { $fp=fopen("users/$t/main.txt", "r"); $line=fgets($fp, 1024); $u=explode("|", $line); if($u[0]==$password) { $tr=1; } else { Header("Location: index.php"); } } else { Header("Location: index.php"); } } else { Header("Location: index.php"); } } else { Header("Location: index.php"); } ?> P.S. Don't forget about session_start(); in the beginning 
Recent Queries:-
Keywords : php, based, site, access, authentication, block, parts, web, site
The character data (17) Ok I need help on this puzzling problem. At first I thought that this person stored the dates in the A PHP -and JavaScript- based File Manager (7) Browsing the ExtJS examples website i found this excellent web-based file manager called (3) I'm trying to set up some tools for a number of developers to use in the creation of a PHP Help #2 -- I need help tweaking it - it won't work (1) Okay, my first issue about the MySQL echo problem has been solved, thank you to those who helped. May be the admin of this site think over it. (3) Hi As we all know that this website is very good and offering good services. I just wanna know if Authorization server variables not staying across pages (14) This is quite a bit of problem I am facing, and I cannot point exactly where I am going wrong. I (5) Dear Friends I have been trying to connect Ms Access using PHP for couples of days. Finally I have (7) I am new to php. I have some programing background in html, javascript, and c++ but have never done (8) I'm making a financial site based on PHP/MySQL, there are two sections in that site, first (4) how can i make a gallery in php like this one; but it has to show the images in the maps under it (2) Hey guys i need a simple help i'm builing a homesite and i have a little spot for news. Well i (6) If you have one site in diferent laanguages, this simple script can redirect the user to the correct (4) I'm writing a mail checker in PHP. I need to access the POP server. In PHP, I can send mail. But Help Needed (20) is it possible to make a page in php, with a url like this: (1) My professor is designing a website that uses bit-flag checking to allow access to certain pages. (9) Today, I was thinking of experementing with Authentication tricks in PHP. I just came up with this this semple code to use and get cookie (1) what is the cookie ? the cookis it is some info sent and save in user computer whare i can use the (2) Repeat post. Credits reduced by 5 days. Learn to USE THE SEARCH BUTTON before you make such posts. (9) Hi guys, Need some serious scripting help. I'm trying to come up with a web-based compiler. Request For Help. (8) So I need help getting data entered into my log correctly. I want the newest entry to be at the (6) I'm thinking of having some kind of system so the users can register and then put up their (13) I want a good Site counter(to keep track of visitors) for my site..... can nebody temme..... (9) hi i need a php or java script code for downloading files from other sites to my site for example: (7) how do u make it that only a member of that site can view that page?.... Looking for php, based, site, access, authentication, block, parts, web, site
|
 PHP Based Site Access Authentication - Help - How to block parts of your web-site ?? |