Making a page secure

evil-monkey

I have a page on a website that I want accessed by certain people only.

To get to this page, you are redirected from a login page that contains a PHP login script tied to a database. When you login there you are redirected to the page. That all works fine.

The thing is, the page that I want secured, is just a normal page that could be accessed by anyone who knows the URL. How can I have it so that the page can only be accessed when redirected to through the login page??

Thanks in advance

seamus

There are a number of ways. Cookies are one. Basically when the person successfully logs in, you set a cookie which says this. Then the other page checks to see if this cookie exists, and if it doesn't: Access Denied.

That's a rudimentary way of doing it, but assuming you haven't got state secrets or personal data in your secure area, it should be good enough.

hobochris

seamus wrote: »

There are a number of ways. Cookies are one. Basically when the person successfully logs in, you set a cookie which says this. Then the other page checks to see if this cookie exists, and if it doesn't: Access Denied.

That's a rudimentary way of doing it, but assuming you haven't got state secrets or personal data in your secure area, it should be good enough.

+1

I usually use a random number generator,I put the generated number into a cookie and a copy into the session, the cookie is checked against the session and reassigned at every page load.

This prevents people using the URL if they know it or trying to manipulate the session.

evil-monkey

Ok. That makes sense. Thanks for the help.

Anyone have an example of the code??

seamus

This should help:
http://www.w3schools.com/PHP/php_cookies.asp

Cookies can be a bit painful when you're first working with them, but they're dead simple really.

elyod

You should use a Session variable not a cookie.

When a users details are validated you set a session variable, e.g.
[php]
session_start();
//verify user details
$_SESSION = $users_id;
//redirect off to the secure page
[/php]

Create a file called auth.php. In this you check for the existence of the Session variable. If the variable does not exists you redirect them back to the log in page.

[php]
<?php
session_start();

if(!isset($_SESSION) || (trim(@$_SESSION)==''))
{//if no SESSION var exists, redirect user to login and kill the script
header("location: login.php");
exit();
}
?>
[/php]

On any page you want to have password protected, you simply add this to the top
[php]
<?php
include_once('auth.php');
?>
[/php]

Webmonkey

evil-monkey wrote: »

I have a page on a website that I want accessed by certain people only.

To get to this page, you are redirected from a login page that contains a PHP login script tied to a database. When you login there you are redirected to the page. That all works fine.

The thing is, the page that I want secured, is just a normal page that could be accessed by anyone who knows the URL. How can I have it so that the page can only be accessed when redirected to through the login page??

Thanks in advance

Use sessions as Elyod suggested, they will look after the cookies for you indirectly.

evil-monkey

elyod wrote: »

You should use a Session variable not a cookie.

When a users details are validated you set a session variable, e.g.
[php]
session_start();
//verify user details
$_SESSION = $users_id;
//redirect off to the secure page
[/php]Create a file called auth.php. In this you check for the existence of the Session variable. If the variable does not exists you redirect them back to the log in page.

[php]
<?php
session_start();

if(!isset($_SESSION) || (trim(@$_SESSION)==''))
{//if no SESSION var exists, redirect user to login and kill the script
header("location: login.php");
exit();
}
?>
[/php]On any page you want to have password protected, you simply add this to the top
[php]
<?php
include_once('auth.php');
?>
[/php]

Ok, a few things (sorry now, I'm new to PHP).

I have a login.php file was follows;

<?php

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("Error Selecting the DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "teachershome.html"
session_register("myusername");
session_register("mypassword");
header("location: teachershome.html");
}
else 
{
echo "Wrong Username or Password";
}

?>

One the teacher.html page where the users login I have the following;

<table width="300" border="0" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
      <tr>
<form name="form1" method="POST" action="login.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

As you can see, when they login successfully from the page teacher.html they are redirected to teachershome.html

Do I have to change teachergome.html to a php file so that I can add that script that you gave me?? And do I have to change the session part of my login script shown above...

Webmonkey

You are going to have to change teachershome.html to teachershome.php or else configure your webserver to intepret HTML extention files but this is not advisible.

Change teachershome.html to teachershome.php and set this on very top of teachershome.php, (not even a space or you will get headers sent errors and fail to be forwarded to login.

[php]
<?php
session_start();

if (!isset($_SESSION) || !isset($_SESSION)
{
/* Login not set so they never logged in */
header('location: login.php');
exit();
}

}
[/php]

The use of session_register is depreciated! Change to this in your login.php:

change
[php]
session_register("myusername");
session_register("mypassword");
[/php]

to

[php]
$_SESSION = $myusername;
$_SESSION = $mypassword;
[/php]


In in the teachershome.php you might like to say:

[php]
echo "Welcome ".$_SESSION."!";
[/php]
since you now can track the current user by the username variable.

Don't forget to change to
[php]
header("location: teachershome.php");
[/php]
as well.

and finally! you will need to start_session in the top of your login.php file as follows before you do anything with sessions as session_register() done this explicitly for you but the method is now removed from latest versions of PHP so don't use it!

[php]
session_start();
[/php]

Webmonkey

Also if you want to be really correct and make database look ups optimized, place a LIMIT 1 at the end.

[php]$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' LIMIT 1";[/php]

evil-monkey

Ah lads. I was pulling my hair out wondering why it wouldn't work, when I realized I had not uploaded the updated files. Schoolboy error.

Anywhoo, this now works perfectly lads. Much appreciated elyod and webmonkey.

evil-monkey

Sorry, one final question. What do I have to add so that when the user enters there password into the password field to login, the password is asterisked? Currently it appears in plain text...

elyod

[php]
<input type='password' name='whatever_name' />
[/php]