Feb 19 2005, 11:26 AM
Post
#1
Newbie [ Level 2 ] Group: Members Posts: 13 Joined: 6-October 04 Member No.: 1,036 |
How can I program my web page using PHP so that when the value of the login box is equal to some string it goes to my success.html, and otherwise to my fail.html? Help me guys!

------------------------------------

It would help the readers far better to understand what your problem is - if you state the nature of it in short in your topic title, instead of just "Php help". It'll also get you a lot more responses. Am changing your topic title to give you an example.

All the best
m^e
Feb 19 2005, 01:27 PM
Post
#2
Premium Member Group: [HOSTED] Posts: 336 Joined: 22-September 04 Member No.: 798 |
Go for this:

```php
<?php
// First part: settings. Change these like you want and like they should be.
define("CORRECT_LOGIN", "..."); // instead of the ..., put the username you are talking about
// Change this one to something nobody will guess so they can't skip the login page.
// It's not really safe, but it's something.
define("PAGE_CORRECT", "success.html");
define("PAGE_WRONG", "fail.html");

// Second part: code. Don't change here.
if (isset($_POST["login"])) {
    // Strict comparison, so numeric-looking strings are not compared as numbers
    if ($_POST["login"] === CORRECT_LOGIN) {
        header("Location: " . PAGE_CORRECT);
        exit;
    } else {
        header("Location: " . PAGE_WRONG);
        exit;
    }
} else {
    // The next part is just HTML; you can change it if you want to adjust layout and ****.
    // Be careful when changing the form though.
?>
<html><head><title>blabla</title></head><body>
<form method="post">
login: <input type="text" name="login"><br>
<input type="submit" value="login">
</form>
</body>
</html>
<?php
}
?>
```

It's not tested though. I'm too lazy to start up Linux to do so and I still can't access my FTP of AstaHost, so I can't test it there either ;( But except for some small mistakes, it should work.
Feb 19 2005, 04:43 PM
Post
#3
PsYcheDeLiC dR3aMeR Group: Admin Posts: 2,242 Joined: 29-January 05 From: Nakorn Chaisri, Thailand Member No.: 2,411 |
marjinn - your code works but there's one big flaw. Once you know the name of this page (if you are a regular visitor you'd know for sure) - then you can totally bypass this authentication page and go to that success.html directly. Nothing can stop you....even if you give the page an extremely cryptic name - all you need to do is note it down (just copy paste it

Here's another solution I found - and gave it a try too on my server.. It works without a hitch. The authentication is done in the AstaHost cPanel style - exactly like the box that pops up in your browser asking for login/pass combo.

The concept is to NOT HAVE the authentication code in another web page that loads your "success.html" - but to have it embedded in the success.html ITSELF. That'll completely block you out from success.html if you don't enter a pair of valid credentials. This way even if you know the name of the page - i.e. success.html here - your page won't be displayed to you unless you can verify yourself....

Here's the working code from what I learnt today.

```php
<?php
// HTTP Header-based Authentication test

// This is the actual function that matches the username/password combo with a list
// in some database or flat file
function validate_user($username, $password)
{
    // This is just a sample array containing two username/passes
    // In your real program, you should ideally load a matching password
    // from some database or file depending on the username entered and check
    // accordingly
    $userlist = array('micro' => 'pass', 'earth' => 'pass');

    // Checks if the password matches the corresponding user
    if (isset($userlist[$username]) && ($userlist[$username] === $password)) {
        return true;  // If match --> return true
    } else {
        return false; // No match --> return false
    }
}

// The browser sends no credentials on its first request, so default to empty strings
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

// This is the actual code that makes the browser pop up the authentication box and then
// display the rest of your page if authentication goes fine.
if (!validate_user($user, $pass)) {
    // Feel free to modify the Basic realm="......" part, i.e. the string within the
    // quotes (""). I've used "Protected Zone" here --> you can change it to whatever...That's
    // what will appear in your pop-up login box.
    header('WWW-Authenticate: Basic realm="Protected Zone"');
    header('HTTP/1.0 401 Unauthorized');

    // Display a custom error message - change it to whatever you feel like
    echo "You didn't say the magic word. Access denied.";
    exit;
} else {
    // Show a welcome message if user/pass combo is correct
    echo "Welcome to the Protected Zone.";

    // Rest of your protected page goes here
    // ............
    // ............................
    // .......................................
}
?>
```

I don't think much is needed in the way of an explanation - coz I inserted a good amount of comments in there... Still here's a brief note on the parts that I missed out on.

The $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are global variables that contain the username and password supplied by the user during the auth. process.

Notice the

```php
header('WWW-Authenticate: Basic realm="Protected Zone"');
header('HTTP/1.0 401 Unauthorized');
```

part. When your browser receives the 401 header, it pops up that dialog box for user/pass. On validation, it loads the rest of your page - if it's a mismatch or Cancel is pressed - the code exits right then and denies access to the rest of the page. The Basic realm in the first line of the header makes the current page a part of the authenticated realm you are trying to enter.

Note: ANY OTHER PAGE with the same Basic realm="xxx" header will be thus accessible with JUST ONE LOGIN. If you want to protect another set of pages for a different group of users, just use a different Basic realm name for those pages.

Also, once you enter a set of valid credentials, your browser wouldn't ask you again - even if you reload the page. You're authenticated for good till you close that window and exit the site in process. That's the only flip side of this code - it doesn't provide you with a clean method to LOGOUT, although you could use a combination of cookies/session with this to achieve a logout effect. More on that later...

Hope this helps
Feb 23 2005, 07:07 AM
Post
#4
Super Member Group: Members Posts: 595 Joined: 4-September 04 Member No.: 228 |
I have programmed my own system for PHP authentication. It uses PHP sessions and a MySQL database.

If you're not using HTTP authentication, PHP sessions are the way to go. You might have noticed that most PHP systems (like forums) do the authentication with sessions. However sessions aren't that secure... If you just set a certain session variable (like $_SESSION['logged_in']=true;) it is actually quite easy to go in without knowing the password. Session IDs are passed at the end of the URL (if cookies are not available) and people pass links to each other... There are countless pages on the web about session insecurity so I'm not going to repeat everything here...

As sessions aren't secure enough, you need something to go with it. To avoid these session hijackings, saving the user's IP address and checking against it every time login is checked helps. My system includes this. On login it simply dumps the session ID and user IP to a database table. Then of course the timestamp needs to be updated every time the user logs in or login is checked, otherwise the old SIDs and IPs would mess up the system.

This solution isn't perfect... People are behind the same IP addresses (proxies) and IP spoofing is possible. But it's still better than a basic session or let alone a cookie system. Just remember that you should be using an authentication system adequate to your system.
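The session concerns raised in the post above, as an added example that is not part of the original thread or any poster's code: it keeps the session ID in a cookie only (never in a URL), issues a fresh ID at login, and binds the session to the client IP with an idle timeout. Assumptions: PHP 7.3+ served over HTTPS, a constructed sample account in `$users`, and the IP and timestamp kept in the session data rather than in a MySQL table.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ served over HTTPS.
ini_set('session.use_only_cookies', '1'); // ignore session IDs arriving in a URL
ini_set('session.use_trans_sid', '0');    // never append the session ID to links
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
// Constructed sample account; a real site loads stored password_hash() values.
$users = ['micro' => password_hash('pass', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh ID at login blocks fixation
    $_SESSION['user'] = $user;
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR']; // IP binding, as the post describes
    $_SESSION['seen'] = time();
    return true;
}

function current_user(int $idle = 900): ?string
{
    $ok = isset($_SESSION['user'], $_SESSION['ip'], $_SESSION['seen'])
        && $_SESSION['ip'] === $_SERVER['REMOTE_ADDR']
        && time() - $_SESSION['seen'] <= $idle;
    if (!$ok) {
        $_SESSION = [];                          // drop stale or mismatched state
        return null;
    }
    $_SESSION['seen'] = time();                  // refresh the timestamp on every check
    return $_SESSION['user'];
}

if (isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();
} elseif (isset($_POST['login'], $_POST['password'])) {
    login($users, (string) $_POST['login'], (string) $_POST['password']);
}
$user = current_user();
if ($user === null) {
    echo '<form method="post">login: <input name="login"> password: <input type="password" name="password"> <input type="submit" value="login"></form>';
    exit;
}
echo 'Welcome, ' . htmlspecialchars($user) . ' <form method="post"><input type="submit" name="logout" value="Log out"></form>';
// Rest of the protected page goes here
```

Because the check runs at the top of the protected page itself, knowing the page's URL gives no way around it, and the logout button clears the session that HTTP Basic authentication has no clean way to end.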
Mar 20 2006, 03:09 PM
Post
#5
Member [ Level 1 ] Group: Members Posts: 42 Joined: 17-March 06 From: Russia, St.Petersburg Member No.: 12,058 |
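Registering:

```php
<?php
Error_Reporting(E_ALL & ~E_NOTICE);
// Read the form fields from the POST request (register_globals no longer exists)
$login    = isset($_POST["login"]) ? $_POST["login"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";
$email    = isset($_POST["email"]) ? $_POST["email"] : "";
// The login becomes a directory name, so accept only letters, digits, "_" and "-"
if($login&&$password&&$email&&preg_match('/^[\w-]{1,30}$/u', $login)) {
    if(file_exists("users/$login")) {
        $mess="Ник занят!"; // "Nickname is taken!"
    } else {
        mkdir("users/$login", 0777);
        // main.txt holds "password|email" for this user
        $fp=fopen("users/$login/main.txt", "w");
        fwrite($fp, "$password|$email");
        fclose($fp);
        $mess="Успешно."; // "Success."
    }
} else {
    $mess="Регистрация"; // "Registration"
}
?>
<html>
<head>
<title>Регистрация</title>
<link rel="stylesheet" type="text/css" href="sources/style.css">
</head>
<body onload="javascript: a=document.getElementsByTagName('img');for(n=0;n<a.length;n++){i=a[n]; if(i.width==468&&i.height==60){i.style.display='none';}}void 0;" style="margin-top: 130px;" background="sources/reg.jpg">
<center>
<table style="background-image: url(sources/perg.jpg);">
<form action="reg.php" method="post">
<tr>
<td colspan="2" class=hid><center><?=$mess;?></center></td>
</tr>
<tr>
<td class=hid>Логин: </td>
<td class=hid><input type="text" name="login" maxlength="30"> </td>
</tr>
<tr>
<td class=hid>Пароль: </td>
<td class=hid><input type="password" name="password" maxlength="30"> </td>
</tr>
<tr>
<td class=hid>E-mail: </td>
<td class=hid><input type="text" name="email" maxlength="30"> </td>
</tr>
<tr>
<td class=hid><input type="submit" value="Готово"> </td>
<td class=hid><input type="button" value="Закрыть" onclick='javascript:window.close();'> </td>
</tr>
</form>
</table>
</center>
</body>
</html>
```

Checking when the user enters:

```php
<?php
Error_Reporting(E_ALL & ~E_NOTICE);
// Read the form fields from the POST request (register_globals no longer exists)
$login    = isset($_POST["login"]) ? $_POST["login"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";
$t = "";
$tr = 0;
if($login&&$password) {
    if(file_exists("sources/list.txt")) {
        // Load the "|"-separated list of registered nicknames
        $fp=fopen("sources/list.txt", "r");
        $lis="";
        while(!feof($fp)) {
            $lis.=fread($fp, 5016);
        }
        fclose($fp);
        $all=explode("|",$lis);
        foreach($all as $usr) {
            if($usr===$login) { $t=$usr; break; }
        }
        if($t) {
            // The first field of main.txt is the stored password
            $fp=fopen("users/$t/main.txt", "r");
            $line=fgets($fp, 1024);
            fclose($fp);
            $u=explode("|", $line);
            if($u[0]===$password) {
                $tr=1;
            } else {
                $mess="Ошибочный пароль!"; // "Wrong password!"
            }
        } else {
            $mess="Ошибочный ник!"; // "Wrong nickname!"
        }
    } else {
        $mess="Зарегистрируйтесь!"; // "Please register!"
    }
} else {
    $mess="Санриум";
}
if($tr) {
    session_start();
    // session_register() was removed from PHP; store the values in $_SESSION instead
    $_SESSION["login"] = $login;
    $_SESSION["password"] = $password;
    // The session ID is passed in the URL, as in the original code
    Header("Location: game.php?PHPSESSID=" . session_id());
    exit;
}
?>
```

Checking while travelling on the site:

```php
<?php
Error_Reporting(E_ALL & ~E_NOTICE);
session_start();
// Values stored in the session at login
$login    = isset($_SESSION["login"]) ? $_SESSION["login"] : "";
$password = isset($_SESSION["password"]) ? $_SESSION["password"] : "";
$t = "";
$tr = 0;
if($login&&$password) {
    if(file_exists("sources/list.txt")) {
        // Load the "|"-separated list of registered nicknames
        $fp=fopen("sources/list.txt", "r");
        $lis="";
        while(!feof($fp)) {
            $lis.=fread($fp, 5016);
        }
        fclose($fp);
        $all=explode("|",$lis);
        foreach($all as $usr) {
            if($usr===$login) { $t=$usr; break; }
        }
        if($t) {
            $fp=fopen("users/$t/main.txt", "r");
            $line=fgets($fp, 1024);
            fclose($fp);
            $u=explode("|", $line);
            if($u[0]===$password) {
                $tr=1;
            } else {
                // Any failed check sends the visitor back to the start page
                Header("Location: index.php");
                exit;
            }
        } else {
            Header("Location: index.php");
            exit;
        }
    } else {
        Header("Location: index.php");
        exit;
    }
} else {
    Header("Location: index.php");
    exit;
}
?>
```

P.S. Don't forget about session_start(); in the beginning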