User Auth

[yotsa]

I developed backend application with MySql database with usernames and passwords. You can enter, modify or delete users. That's working fine with cookies but only on login page where I check validation of users. I need the way to avoid direct access to the another pages which are in the members area. If the username and password are valid the access is granted. I have to check cookies set or session on the begining on every page in members section, right? How?

[Jay]

Easiest way is to develop a small script to check the password, and 'include' it at the beginning of every page. Regardless what page is accessed, the script will be run and should only do something if there's a problem. If you're using Apache you can also use it to invoke a password feature, an example and explanation is here

[yotsa]

Yes, I use Apache but I want to avoid WWW-Authenticate Header form. I use cookie and check it on every page, but if the intruder get the contents of the cookie he can parse cookie variable through the URL and get the page. If I use combination of cookie and session variable then I make a mess. I have problem with open session and cookie. Can you give me another link or advice or script?

[Jay]

Use the Super Global Arrays to prevent him using the cookie value in the url. On the first access, (when the session is started) validate the cookie with your online database or something, so the session is validated. Then you don't need the cookie!

[DoppyNL]

For a user that wants to do damage it is also possible to make the cookie himself.

I let the user login in on a page and the remember his username and password in the session variables. in other words, I place the username and password in a variable and use "session_register();" with that variable. each time a page is called these variables are available.

you can then check that variable each time if the user has enough acces-rights.
You won't have to check that each time with you're database because you allready did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

[yotsa]

Yes dvdbinternet, that's it! I try to do session register with cookie but now I will try with username and password. I still have problem, I do not now why. Can you send me piece of programm code of registering and cheching the session?
Thank you.

[DoppyNL]

first make a "normal" page with a form to get username and password (use type=password for password field).
when form is posted:

Code: Select all

if (verify_logon($_POST['username'], $_POST['password']);
{
   $username = $_POST['username'];
   $password = $_POST['password'];
    session_register($username, $password);
    print('login succesfull');
}
else
{
   print('Login failed');
}


now you can acces the username and password on each following page.
remember to use $_SESSION['username'] and $_SESSION['password'] and you have to use session_start()
also keep in mind that those variables are not set initially (before login).

this is a semi-copy from my code, verify_login checks if username and password are correct and returns a boolean.

I think you can fill in the rest of the gaps.

Greetz Daan

[Jay]

For a user that wants to do damage it is also possible to make the cookie himself.

I let the user login in on a page and the remember his username and password in the session variables. in other words, I place the username and password in a variable and use "session_register();" with that variable. each time a page is called these variables are available.

you can then check that variable each time if the user has enough acces-rights.
You won't have to check that each time with you're database because you allready did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

You realise that's more or less exactly what I said :wink:

[DoppyNL]

You realise that's more or less exactly what I said :wink:

yep :lol:

[yotsa]

It works now with session, thanks.

[tranquillo]

Hey guys.

I'm new to this login and security stuff, but I want to learn..
this all looks verry interesting. could someone help me out with a sample code for the session thing?
do I need to store anything else in the database than password and username?

thanks

[tranquillo]

hehe...
so I guess there's not a lot of action here...

[Redcircle]

here's a good tutorial that might help

http://www.devshed.com/Server_Side/PHP/ ... page1.html

[tranquillo]

thanks alot for that.. I think I'm on my way now.. ;)

I'm trying to do something like the one in that link you gave me but I'm having trouble with links...

in the code on that page there's a logout funktion. it's just a link to a logout php page but the link don't work...
the link is <a href="/index.php>Goodbye</a> but the browser tries to get http://localhost/public/admin/inner.san ... /index.php

why does it automaticly add the current page adress in front of the link adress?

[Redcircle]

you do not have an ending " after /index.php

[tranquillo]

sorry.. that was just a typo here. I have a closing " in the code..

[Redcircle]

try using the FULL url

[tranquillo]

tried that and it's the same.. the url becomes the url of the page the link is on and the real url after...

can it have something to do with the session?

[WiZARD]

tried that and it's the same.. the url becomes the url of the page the link is on and the real url after...

can it have something to do with the session?

destroy

[DyoWeL]

is there a way that hackers or sniffers can sweep this username and passwords? If yes is there any alternative to secureour authentication script?

[WiZARD]

is there a way that hackers or sniffers can sweep this username and passwords? If yes is there any alternative to secureour authentication script?

You mean that you want protect youre site?