It looks like you edited your post as I was responding here. I'll have to take a look at your use of MD5 again. Remember, the idea is to store an MD5 hashed value of the password, and then check that against an MD5 hashed value of the password input during login. So if your `user_pass` field is storing something like 74add9df670c36b147c19dd93a27d8d0, your login script has to pass the same hash value to the query to match it.
Have you checked your `users` table manually to actually see what's being stored there? Gotta do it when troubleshooting a script that interacts with the database!
Quote:
Originally Posted by StevenF
I had a problem when trying to load a new page if the password is correct, still not sure how to do that correctly. I was using the header function, but it kept loading the page specified in the header function instead of the index page.
pseudocode example:
PHP Code:
if ( $result == 1 ) {
    // one match found, redirect to the index
    // implement session data / `logins` table data storage
    // redirect
    header('Location: http://www.yoursite.com/index.php');
    exit();
} else {
    // either no match (or more than one, let's hope not)
    // wipe out any potential session data
    $_SESSION = array();
    // redirect to error page or login page again
    header('Location: http://www.yoursite.com/login.php');
    exit();
}
Quote:
Originally Posted by StevenF
Would I have to create a piece of code on every page the user visits, checking if they are logged in or not? Otherwise they could visit the page if they knew the URL, without logging in.
Yes. Something like (more pseudocode example)
PHP Code:
<?php
// top of script
// start session, naturally
session_start();
// db defaults, read connection settings, connect, etc
// check session data
if ( !isset($_SESSION['userID'])
    || !isset($_SESSION['login_token']) ) {
    // either value missing: no proper session data set
    // automatically unset session data & redirect
    $_SESSION = array();
    header('Location: http://www.yoursite.com/login.php');
    exit();
} else {
    // potentially viable session login data
    // run SQL query against the `logins` table, matching:
    // `userID` | `login_token` | `session_id`
    // $login_verify: whether that query found a matching row
    if ( !$login_verify ) {
        // no login data match
        // unset session data, redirect
        $_SESSION = array();
        header('Location: http://www.yoursite.com/login.php');
        exit();
    }
    // anything else is assumed to be properly logged in
    // begin "relogin process"
    session_regenerate_id();
    $sessID = session_id();
    // cast / escape the values before they go into the SQL string
    $userID = (int) $_SESSION['userID'];
    $token  = mysql_real_escape_string($_SESSION['login_token']);
    // update `logins` table data
    $updateLogin = "
        REPLACE INTO logins
            (userID,login_token,session_id,login_dt)
        VALUES
            (
                {$userID},'{$token}'
                ,'{$sessID}', NOW()
            )
    ";
    // mysql_* was removed in PHP 7; use mysqli or PDO there
    @mysql_query($updateLogin);
}
// continue with the script
That's the basic gist. Check for session login data values, redirect if they don't exist. Next, check for the valid login data against the `logins` table. Note you might set the login_dt (date-time) value in the session as well and check for session / login expiry times, etc. Store all that in a function and make it easy on yourself on every script that needs a login check.
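The closing advice above (put the check in one function and honour an expiry time on `login_dt`), as an added example that is not part of the original post. It uses PDO prepared statements on MySQL rather than the post's `mysql_query`; the `$db` handle, the function names and the 30-minute timeout are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a PDO connection to MySQL
// and the `logins` table from the post, with a unique key so REPLACE works.

const LOGIN_URL     = 'http://www.yoursite.com/login.php'; // URL from the post
const LOGIN_MAX_AGE = 1800; // assumed idle timeout, in seconds

function deny_login(): void
{
    // wipe session data and send the visitor back to the login page
    $_SESSION = array();
    header('Location: ' . LOGIN_URL);
    exit();
}

function require_login(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // both values must be present, otherwise there is nothing to verify
    if (!isset($_SESSION['userID'], $_SESSION['login_token'])) {
        deny_login();
    }
    $userID = (int) $_SESSION['userID'];
    $token  = (string) $_SESSION['login_token'];

    // match userID | login_token | session_id, and reject stale rows;
    // every value is bound as a parameter, none is pasted into the SQL
    $check = $db->prepare(
        'SELECT 1 FROM logins
          WHERE userID = ? AND login_token = ? AND session_id = ?
            AND login_dt > NOW() - INTERVAL ? SECOND'
    );
    $check->execute(array($userID, $token, session_id(), LOGIN_MAX_AGE));
    if ($check->fetchColumn() === false) {
        deny_login(); // no matching row, or the login has expired
    }

    // "relogin process": rotate the session id and record the new one
    session_regenerate_id(true);
    $update = $db->prepare(
        'REPLACE INTO logins (userID, login_token, session_id, login_dt)
         VALUES (?, ?, ?, NOW())'
    );
    $update->execute(array($userID, $token, session_id()));
}
```

Call `require_login($db);` at the top of every protected script, before any output is sent, so the redirect header can still be set.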