06-07-2008, 03:01 PM   #1 (permalink)
boycoda
PHP Session Login - help needed.

Hello everyone,

OK... I've come to a little puzzle for myself. Back in the day this would have been easy *neck sinks into shoulders*.

Anyhow, here is my code for the login page.

PHP Code:
<?php
    session_start(); ## Allows sessions
    
    include("inc/conn.php"); ## Includes the connection file for the database
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>
        <title>Clientel - QualityXHTML.com - A service to remember!</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="stylesheet" type="text/css" href="style.css" />
        <!--[if lte IE 7]>
        <link rel="stylesheet" type="text/css" href="ie7.css" />
        <script defer type="text/javascript" src="pngfix.js"></script>
        <![endif]-->
        <!--[if lte IE 6]>
        <link rel="stylesheet" type="text/css" href="ie6.css" />
        <![endif]-->
</head>

<body>

        <div id="container">            
                
                <div id="content">
                
                        <div id="logo">
                        
                                <a href="http://clientel.qualityxhtml.com"><img src="img/logo.png" alt="Logotype" /></a>
                        
                        </div><!-- logo -->
                        
                        <div id="title">
                            
                                <h3>QualityXHTML Client Area</h3>
                            
                        </div><!-- title -->
                        
                        <div id="login">
                                <?php
                                
                                if(isset($_POST['submit'])) { ## If the submit button was pressed do the following
                                
                                    $usn = htmlspecialchars(addslashes($_POST['username'])); ## Submitted Username stored in a variable
                                    
                                    $psd = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password'])))))))); ## Submitted Password stored in a variable
                                    
                                    $slct = mysql_query("SELECT * FROM `clients` WHERE `user` = '$usn'") or die(mysql_error());
                                    
                                    $check = mysql_num_rows($slct);
                                    
                                    if($check == '0') {
                                    
                                        echo "<p>Please supply the correct Username and Password!</p>";
                                    
                                    } else {
                                    
                                    $udata = mysql_fetch_array($slct);
                                    
                                    if($udata[client] == 1) {
                                    
                                        $_SESSION['id'] = "$user[id]";
                                        
                                        $_SESSION['password'] = "$user[password]";
                                    
                                        echo "<p>Welcome, $udata[full_name]!</p>" . "<p>&nbsp;</p>" . "<p>You will be redirect in a moment...</p>";
                                        
                                        ## Now we must redirect the user
                                        
                                        echo "<meta http-equiv='Refresh' content='2; URL=panel.php'/>";
                                    
                                    } else {
                                    
                                    if($udata[admin] == 1) {
                                    
                                        $_SESSION['id'] = "$user[id]";
                                        
                                        $_SESSION['password'] = "$user[password]";
                                    
                                        echo "<p>Welcome back, $udata[full_name]!</p>" . "<p>&nbsp;</p>" . "<p>Please <a href='/admin/'>click here</a> to goto your admin area!</p>";
                                    
                                    }
                                    
                                    }
                                    
                                    }
                                
                                } else {
                                
                                ?>
                        
                                <p class="italic">This area is for new and existing clients only.</p>

                                <p>Please logon to your account below.</p>

                                <form id="login" name="client login" method="post" action="">
                                        <fieldset>
                                                
                                                <div id="form_top">
                                                
                                                <input type="text" name="username" class="form" value="Username" /><input type="submit" name="submit" value="" title="Login" id="submit" />
                                                
                                                </div><!-- form_top -->

                                                <div id="form_bottom">
                                            
                                                <input type="password" name="password" class="form" value="*********" /><a href="#" id="password">Forgot password?</a>
                                            
                                                </div><!-- form_bottom -->
                                            
                                        </fieldset>
                                </form>
                                
                                <?php
                                
                                } ## Close the loop
                                
                                ?>
                        </div><!-- login -->
                
                </div><!-- content -->

        </div><!-- container -->
    
</body>
</html>
OK, so here we are: if you get the username and password right in the database, then it'll show a message then direct you to a page. Bear in mind this login page is working perfectly fine.

However, what I want to do is secure that panel.php, so if the registered session is not identical to the one in the database, then it should throw up a message. But if it's all correct, then display the site.

Here is the code I have got for the panel.php...

PHP Code:
<?php
    session_start(); ## Allows sessions
    
    include("inc/conn.php"); ## Includes the connection file for the database
    
    ## Session Security
    
    $usn = $_SESSION['id'];
    
    $slct = mysql_query("SELECT * FROM `clients` WHERE `user` = '$usn'") or die(mysql_error());
    
    $udata = mysql_fetch_array($slct);
    
    if(!$usn) {
    
        echo "NO!!!!!";
    
    } else {
    
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>
        <title>Clientel</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="stylesheet" type="text/css" href="style.css" />
        <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="ie6.css" /><![endif]-->
        <!--[if IE 7]><link rel="stylesheet" type="text/css" href="ie7.css" /><![endif]-->
        <script type="text/javascript" src="jquery-latest.pack.js"></script> 
        <script type="text/javascript" src="jquery.pngFix.js"></script> 
        <script type="text/javascript"> 
                $(document).ready(function(){ 
                    $(document).pngFix(); 
                }); 
        </script>
</head>

<body>

        <div id="container_2">            
                
                <div id="logo_2">
                
                    <a href="http://clientel.qualityxhtml.com"><img src="img/logo.png" alt="Logotype" /></a>
                        
                </div><!-- logo -->
                        
                <div id="wrapper">
                
                    <div id="top">
                    </div><!-- top -->
                    
                    <div id="wrap">
                    <div id="left_side">
                    </div><!-- left_side -->
                    
                    <div id="right_side">
                    </div><!-- right_side -->
                    </div>
                
                </div><!-- wrapper -->

        </div><!-- container_2 -->
    
</body>
</html>
<?php
} ## Close Session Security
?>
All help is highly appreciated.

06-07-2008, 03:07 PM   #2 (permalink)
Wildhoney

What doesn't work? I don't understand. If the ID is correct then the panel.php file will behave as expected.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.

06-07-2008, 03:24 PM   #3 (permalink)
boycoda

I want to make the panel.php secure. So if the username in the database is the same as the one registered in the session, then the panel should behave properly (show), but if the username in the database is not the same as the one in the session or if the user has no session at all (prevent hacking), then it should display a warning message (go away) or something.

All it is doing right now is echoing 'NO!!!!!', even if you log in.

Last edited by boycoda : 06-07-2008 at 03:27 PM. Reason: spelling mistake

06-07-2008, 05:05 PM   #4 (permalink)
delayedinsanity

Do you have their session ID stored in the database, or just a username? When they log in, you should be assigning your users a unique session ID which is added to their record in the database table as well as to a SESSION variable or cookie on the client side. You'd then compare those two values when a page was loaded to make sure their session was valid, sort of what it looks like you're trying to do, except for some reason you're not even doing anything with the result ($udata) of your query, so I'm not sure what purpose the query actually serves in that whole process.

PHP Code:
$szUsername = $_SESSION['username'];
$szSID      = $_SESSION['session_id'];

$q = sprintf("SELECT `session_id` FROM `clients` WHERE user = '%s'", mysql_real_escape_string($szUsername));
$pResult = mysql_query($q);

$aData = mysql_fetch_assoc($pResult);

if ($szSID !== (string)$aData['session_id']) die("You no touchie my personal pages!");
...is how I would go about checking the session ID.
-m
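
The session-ID check described in the post above, as an added example that is not part of the original thread: a random token is issued at login, only its SHA-256 hash is kept in the `clients` row, and every protected page compares the two in constant time. The SQLite in-memory table, the `session_id` column, the function names and the `$session` array standing in for `$_SESSION` are assumptions; it needs PHP 7 or later with `pdo_sqlite`.

```php
<?php
// Added example. Schema, function names and the 'alice' row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, user TEXT UNIQUE, session_id TEXT)');
$db->exec("INSERT INTO clients (user) VALUES ('alice')");

// Call once, only after the credentials have been verified.
function issue_session_token(PDO $db, array &$session, string $user): void
{
    $token = bin2hex(random_bytes(32));               // 256-bit unguessable value
    $stmt  = $db->prepare('UPDATE clients SET session_id = ? WHERE user = ?');
    $stmt->execute([hash('sha256', $token), $user]);  // the database holds only the hash
    $session['username']   = $user;
    $session['session_id'] = $token;
}

// Call at the top of every protected page such as panel.php.
function session_is_valid(PDO $db, array $session): bool
{
    if (empty($session['username']) || empty($session['session_id'])) {
        return false;                                 // no session at all
    }
    $stmt = $db->prepare('SELECT session_id FROM clients WHERE user = ?');
    $stmt->execute([$session['username']]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false;                                 // unknown user, or never logged in
    }
    // hash_equals() compares in constant time, unlike === or !==
    return hash_equals($stored, hash('sha256', (string) $session['session_id']));
}

$session = [];                                        // stands in for $_SESSION on the CLI
var_dump(session_is_valid($db, $session));            // before login
issue_session_token($db, $session, 'alice');
var_dump(session_is_valid($db, $session));            // after login
$session['session_id'] = str_repeat('0', 64);         // value that was never issued
var_dump(session_is_valid($db, $session));
```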

06-07-2008, 05:40 PM   #5 (permalink)
sketchMedia

PHP Code:
if($udata[client] == 1) { 
    
    $_SESSION['id'] = "$user[id]";
    
    $_SESSION['password'] = "$user[password]";
} .... 
Should that not be:
PHP Code:
if($udata['client'] == 1) {
    
    $_SESSION['id'] = $udata['id'];
    
    $_SESSION['password'] = $udata['pass'];
.....

Also, the query in the second code block seems to be pointless; you also forgot to put quotes round some of your associative array keys.
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)

06-07-2008, 06:05 PM   #6 (permalink)
delayedinsanity

Wait a minute, I didn't take a close look at the first code block... you're storing the user's password in a session variable? *smacks your hands* bad, bad boy. Noooooo.

And this!

PHP Code:
$psd = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password'])))))))); ## Submitted Password stored in a variable 
*smacks your hands again*

Might I direct you to an article that I found really good?

Working with Dynamic Cryptography Salts
-m
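
An added example, not part of the original thread, for the two points raised in the post above: the nested `md5`/`sha1` chain is replaced by PHP's `password_hash()`/`password_verify()`, which generate and store a per-password salt, and the session keeps only the user's ID. Note that the login page in post #1 computes `$psd` but never compares it with anything, so here the password is actually verified. The SQLite in-memory table, the `pass_hash` column, `login()` and the `$session` array standing in for `$_SESSION` are assumptions; it needs PHP 7 or later with `pdo_sqlite`.

```php
<?php
// Added example. Schema, login() and the sample account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass_hash TEXT)');
$db->prepare('INSERT INTO clients (user, pass_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Verified when the username does not exist, so both paths do the same work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function login(PDO $db, array &$session, string $user, string $password): bool
{
    // Prepared statement: the username is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, pass_hash FROM clients WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the algorithm, cost and salt from the stored hash.
    $ok = password_verify($password, $row ? $row['pass_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        return false;                   // same answer for unknown user and wrong password
    }
    if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) {
        // Upgrade the stored hash when PHP's default algorithm or cost changes.
        $db->prepare('UPDATE clients SET pass_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);    // fresh session ID once the user is authenticated
    }
    $session['id'] = (int) $row['id'];  // identity only: no password and no hash
    return true;
}

$session = [];                          // stands in for $_SESSION on the CLI
var_dump(login($db, $session, 'alice', 'wrong guess'));
var_dump(login($db, $session, 'alice', 'correct horse battery'));
var_dump($session);
```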

06-08-2008, 12:40 AM   #7 (permalink)
boycoda

Thanks for the help everyone, I've just managed to get it working now. Couple of points mentioned here helped me fix it.