TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   General (http://www.talkphp.com/general/)
-   -   PHP Session Login - help needed. (http://www.talkphp.com/general/2921-php-session-login-help-needed.html)

boycoda 06-07-2008 03:01 PM
PHP Session Login - help needed.
 
Hello everyone,

Ok.. i've come to a little puzzle for myself. Back in the day this would have been easy *neck sinks into shoulders*.

Anyhow, here is my code for the login page.

PHP Code:
<?php
    session_start(); ## Allows sessions
    include("inc/conn.php"); ## Includes the connection file for the database
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>
        <title>Clientel - QualityXHTML.com - A service to remember!</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="stylesheet" type="text/css" href="style.css" />
        <!--[if lte IE 7]>
        <link rel="stylesheet" type="text/css" href="ie7.css" />
        <script defer type="text/javascript" src="pngfix.js"></script>
        <![endif]-->
        <!--[if lte IE 6]>
        <link rel="stylesheet" type="text/css" href="ie6.css" />
        <![endif]-->
</head>

<body>

        <div id="container">            
                
                <div id="content">
                
                        <div id="logo">
                        
                                <a href="http://clientel.qualityxhtml.com"><img src="img/logo.png" alt="Logotype" /></a>
                        
                        </div><!-- logo -->
                        
                        <div id="title">
                            
                                <h3>QualityXHTML Client Area</h3>
                            
                        </div><!-- title -->
                        
                        <div id="login">
                                <?php
                                
                                if(isset($_POST['submit'])) { ## If the submit button was pressed do the following
                                
                                    $usn htmlspecialchars(addslashes($_POST['username'])); ## Submitted Username stored in a variable
                                    $psd sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password'])))))))); ## Submitted Password stored in a variable
                                    
                                    $slct mysql_query("SELECT * FROM `clients` WHERE `user` = '$usn'") or die(mysql_error());
                                    $check mysql_num_rows($slct);
                                    
                                    if($check == '0') {
                                    
                                        echo "<p>Please supply the correct Username and Password!</p>";
                                    
                                    } else {
                                    
                                    $udata mysql_fetch_array($slct);
                                    
                                    if($udata[client] == 1) {
                                    
                                        $_SESSION['id'] = "$user[id]";
                                        $_SESSION['password'] = "$user[password]";
                                    
                                        echo "<p>Welcome, $udata[full_name]!</p>" "<p>&nbsp;</p>" "<p>You will be redirect in a moment...</p>";
                                        
                                        ## Now we must redirect the user
                                        echo "<meta http-equiv='Refresh' content='2; URL=panel.php'/>";
                                    
                                    } else {
                                    
                                    if($udata[admin] == 1) {
                                    
                                        $_SESSION['id'] = "$user[id]";
                                        $_SESSION['password'] = "$user[password]"
                                    
                                        echo "<p>Welcome back, $udata[full_name]!</p>" "<p>&nbsp;</p>" "<p>Please <a href='/admin/'>click here</a> to goto your admin area!</p>";
                                    
                                    }
                                    
                                    }
                                    
                                    }
                                
                                } else {
                                
                                ?>
                        
                                <p class="italic">This area is for new and existing clients only.</p>

                                <p>Please logon to your account below.</p>

                                <form id="login" name="client login" method="post" action="">
                                        <fieldset>
                                                
                                                <div id="form_top">
                                                
                                                <input type="text" name="username" class="form" value="Username" /><input type="submit" name="submit" value="" title="Login" id="submit" />
                                                
                                                </div><!-- form_top -->

                                                <div id="form_bottom">
                                            
                                                <input type="password" name="password" class="form" value="*********" /><a href="#" id="password">Forgot password?</a>
                                            
                                                </div><!-- form_bottom -->
                                            
                                        </fieldset>
                                </form>
                                
                                <?php
                                ## Close the loop
                                ?>
                        </div><!-- login -->
                
                </div><!-- content -->

        </div><!-- container -->
    
</body>
</html>
Ok, so here we are, if you get the username and password right in the database, then it'll show a message then direct you to a page. Bare in mind this login page is working perfectly fine.

However, what I want to do is secure that panel.php, so if the registered session is not identical to the one in the database, then it should throw up a message. But if its all correct, then display the site.

Here is the code I have got for the panel.php...

PHP Code:
<?php
    session_start(); ## Allows sessions
    include("inc/conn.php"); ## Includes the connection file for the database
    
    ## Session Security
    $usn $_SESSION['id'];
    
    $slct mysql_query("SELECT * FROM `clients` WHERE `user` = '$usn'") or die(mysql_error());
    
    $udata mysql_fetch_array($slct);
    
    if(!$usn) {
    
        echo "NO!!!!!";
    
    } else {
    
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>
        <title>Clientel</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="stylesheet" type="text/css" href="style.css" />
        <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="ie6.css" /><![endif]-->
        <!--[if IE 7]><link rel="stylesheet" type="text/css" href="ie7.css" /><![endif]-->
        <script type="text/javascript" src="jquery-latest.pack.js"></script> 
        <script type="text/javascript" src="jquery.pngFix.js"></script> 
        <script type="text/javascript"> 
                $(document).ready(function(){ 
                    $(document).pngFix(); 
                }); 
        </script>
</head>

<body>

        <div id="container_2">            
                
                <div id="logo_2">
                
                    <a href="http://clientel.qualityxhtml.com"><img src="img/logo.png" alt="Logotype" /></a>
                        
                </div><!-- logo -->
                        
                <div id="wrapper">
                
                    <div id="top">
                    </div><!-- top -->
                    
                    <div id="wrap">
                    <div id="left_side">
                    </div><!-- left_side -->
                    
                    <div id="right_side">
                    </div><!-- right_side -->
                    </div>
                
                </div><!-- wrapper -->

        </div><!-- container_2 -->
    
</body>
</html>
<?php
## Close Session Security
?>
All help is highly appreciated.

Wildhoney 06-07-2008 03:07 PM
What doesn't work? I don't understand. If the ID is correct then the panel.php file will behave as expected.

boycoda 06-07-2008 03:24 PM
I want to make the panel.php secure. So if the username in the database is the same as the one registered in the session, then the panel should behave properly (show), but if the username in the database is not the same as the one in the session or if the user has no session at all (prevent hacking), then it should display a warning message (go away) or something.

All it is doing right now is echoing 'NO!!!!!', even if you log in.

delayedinsanity 06-07-2008 05:05 PM
Do you have their session ID stored in the database, or just a username? When they log in, you should be assigning your users a unique session ID which is added to their record in the database table as well as to a SESSION variable or cookie on the client side. You'd then compare those two values when a page was loaded to make sure their session was valid, sort of what it looks like you're trying to do, except for some reason you're not even doing anything with the result ($udata) of your query, so I'm not sure what purpose the query actually serves in that whole process.

PHP Code:
$szUsername $_SESSION['username'];
$szSID      $_SESSION['session_id'];

$q sprintf("SELECT `session_id` FROM `clients` WHERE user = '%s'"mysql_real_escape_string($szUsername));
$pResult mysql_query($q);

$aData mysql_fetch_assoc($pResult);

if ($szSID !== (string)$aData['session_id']) die("You no touchie my personal pages!"); 
...is how I would go about checking the session ID.
-m

sketchMedia 06-07-2008 05:40 PM
PHP Code:
if($udata[client] == 1) { 
    $_SESSION['id'] = "$user[id]"
    $_SESSION['password'] = "$user[password]";
} .... 
should that not be:
PHP Code:
if($udata['client'] == 1) {
    $_SESSION['id'] = $udata['id'];
    $_SESSION['password'] = $udata['pass'];
.....
also the query in the second code block seems to be pointless, you also forgot to put quotes round some of your associative array keys.

delayedinsanity 06-07-2008 06:05 PM
Wait a minute, I didn't take a close look at the first code block... you're storing the users password in a session variable? *smacks your hands* bad, bad boy. Noooooo.

And this!

PHP Code:
$psd sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password'])))))))); ## Submitted Password stored in a variable 
*smacks your hands again*

Might I direct you to an article that I found really good?

http://www.talkphp.com/tips-tricks/1...phy-salts.html
-m

boycoda 06-08-2008 12:40 AM
Thanks for the help everyone, i've just managed to get it working now. Couple of points mentioned here helped me fix it.


All times are GMT. The time now is 06:44 AM.

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0