
Making a page secure

  • 29-04-2009 3:33pm
    #1
    Closed Accounts Posts: 1,663 ✭✭✭


    I have a page on a website that I want accessed by certain people only.

    To get to this page, you are redirected from a login page that contains a PHP login script tied to a database. When you login there you are redirected to the page. That all works fine.

    The thing is, the page that I want secured, is just a normal page that could be accessed by anyone who knows the URL. How can I have it so that the page can only be accessed when redirected to through the login page??

    Thanks in advance :D


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    There are a number of ways. Cookies are one. Basically when the person successfully logs in, you set a cookie which says this. Then the other page checks to see if this cookie exists, and if it doesn't: Access Denied.

    That's a rudimentary way of doing it, but assuming you haven't got state secrets or personal data in your secure area, it should be good enough.


  • Registered Users, Registered Users 2 Posts: 2,164 ✭✭✭hobochris


    seamus wrote: »
    There are a number of ways. Cookies are one. Basically when the person successfully logs in, you set a cookie which says this. Then the other page checks to see if this cookie exists, and if it doesn't: Access Denied.

    That's a rudimentary way of doing it, but assuming you haven't got state secrets or personal data in your secure area, it should be good enough.
    +1

    I usually use a random number generator. I put the generated number into a cookie and a copy into the session; the cookie is checked against the session and reassigned at every page load.

    This prevents people using the URL if they know it or trying to manipulate the session.


  • Closed Accounts Posts: 1,663 ✭✭✭evil-monkey


    Ok. That makes sense. Thanks for the help.

    Anyone have an example of the code??


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    This should help:
    http://www.w3schools.com/PHP/php_cookies.asp

    Cookies can be a bit painful when you're first working with them, but they're dead simple really.


  • Closed Accounts Posts: 176 ✭✭elyod


    You should use a Session variable not a cookie.

    When a user's details are validated you set a session variable, e.g.
    [php]
    session_start();
    // verify user details
    // 'user_id' is a placeholder key: the original index is missing from the post
    $_SESSION['user_id'] = $users_id;
    // redirect off to the secure page
    [/php]

    Create a file called auth.php. In this you check for the existence of the Session variable. If the variable does not exist you redirect them back to the log in page.

    [php]
    <?php
    session_start();

    // 'user_id' is a placeholder key: the original index is missing from the post
    if (!isset($_SESSION['user_id']) || trim((string) $_SESSION['user_id']) == '')
    { // if no SESSION var exists, redirect user to login and kill the script
        header("location: login.php");
        exit();
    }
    ?>
    [/php]

    On any page you want to have password protected, you simply add this to the top
    [php]
    <?php
    include_once('auth.php');
    ?>
    [/php]


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Use sessions as Elyod suggested, they will look after the cookies for you indirectly.


  • Closed Accounts Posts: 1,663 ✭✭✭evil-monkey


    elyod wrote: »
    You should use a Session variable not a cookie.

    When a user's details are validated you set a session variable, e.g.
    [php]
    session_start();
    // verify user details
    // 'user_id' is a placeholder key: the original index is missing from the post
    $_SESSION['user_id'] = $users_id;
    // redirect off to the secure page
    [/php]

    Create a file called auth.php. In this you check for the existence of the Session variable. If the variable does not exist you redirect them back to the log in page.

    [php]
    <?php
    session_start();

    // 'user_id' is a placeholder key: the original index is missing from the post
    if (!isset($_SESSION['user_id']) || trim((string) $_SESSION['user_id']) == '')
    { // if no SESSION var exists, redirect user to login and kill the script
        header("location: login.php");
        exit();
    }
    ?>
    [/php]

    On any page you want to have password protected, you simply add this to the top
    [php]
    <?php
    include_once('auth.php');
    ?>
    [/php]


    Ok, a few things (sorry now, I'm new to PHP).

    I have a login.php file as follows:
    [php]
    <?php

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name") or die("Error Selecting the DB");

    // username and password sent from form
    $myusername = $_POST['myusername'];
    $mypassword = $_POST['mypassword'];

    // To protect MySQL injection
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);

    $sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result = mysql_query($sql);

    // mysql_num_rows() counts the rows in the result
    $count = mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row

    if ($count == 1) {
        // Register $myusername, $mypassword and redirect to file "teachershome.html"
        session_register("myusername");
        session_register("mypassword");
        header("location: teachershome.html");
    }
    else
    {
        echo "Wrong Username or Password";
    }

    ?>
    [/php]

    On the teacher.html page where the users log in I have the following:
    <table width="300" border="0" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
          <tr>
    <form name="form1" method="POST" action="login.php">
    <td>
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
    <tr>
    <td colspan="3"><strong>Member Login </strong></td>
    </tr>
    <tr>
    <td width="78">Username</td>
    <td width="6">:</td>
    <td width="294"><input name="myusername" type="text" id="myusername"></td>
    </tr>
    <tr>
    <td>Password</td>
    <td>:</td>
    <td><input name="mypassword" type="text" id="mypassword"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="Login"></td>
    </tr>
    </table>
    </td>
    </form>
    </tr>
    </table>
    

    As you can see, when they login successfully from the page teacher.html they are redirected to teachershome.html

    Do I have to change teachershome.html to a php file so that I can add that script that you gave me?? And do I have to change the session part of my login script shown above...


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    You are going to have to change teachershome.html to teachershome.php or else configure your webserver to interpret HTML extension files, but this is not advisable.

    Change teachershome.html to teachershome.php and set this on the very top of teachershome.php (not even a space before it, or you will get headers sent errors and fail to be forwarded to login).

    [php]
    <?php
    session_start();

    if (!isset($_SESSION['myusername']) || !isset($_SESSION['mypassword']))
    {
        /* Login not set so they never logged in */
        header('location: login.php');
        exit();
    }
    ?>
    [/php]

    The use of session_register is deprecated! Change to this in your login.php:

    change
    [php]
    session_register("myusername");
    session_register("mypassword");
    [/php]

    to

    [php]
    $_SESSION['myusername'] = $myusername;
    $_SESSION['mypassword'] = $mypassword;
    [/php]


    In the teachershome.php you might like to say:

    [php]
    echo "Welcome ".$_SESSION['myusername']."!";
    [/php]
    since you now can track the current user by the username variable.

    Don't forget to change to
    [php]
    header("location: teachershome.php");
    [/php]
    as well.

    And finally! You will need to start_session at the top of your login.php file as follows before you do anything with sessions, as session_register() did this explicitly for you, but the method is now removed from the latest versions of PHP so don't use it!

    [php]
    session_start();
    [/php]


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Also if you want to be really correct and make database look ups optimized, place a LIMIT 1 at the end.

    [php]$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' LIMIT 1";[/php]
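
The login check and page guard from the posts above, written as an added example (not code from the thread): it uses a PDO prepared statement and password_hash()/password_verify() where login.php uses the removed mysql_* functions and a plaintext password column, and it keeps only a user ID in the session. The teachers table, its column names, the user_id session key and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made so the script runs on its own from the PHP command line.

```php
<?php
// Added example, not code from the thread. The teachers table, its columns
// and the in-memory SQLite database are constructed so this runs offline.
declare(strict_types=1);

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM teachers WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a stored hash instead of matching a plaintext column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // fresh session ID after login
    $_SESSION['user_id'] = (int) $row['id'];  // keep an ID, never the password
    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// Guard for the top of each protected page (the role of auth.php above).
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: teacher.html');     // the thread's login form page
        exit;                                 // otherwise the page body is still sent
    }
}

// Demo with constructed data; results are printed last so no output
// precedes the session calls.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE teachers (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO teachers (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-pass', PASSWORD_DEFAULT)]);
$results = ['quoted input' => attempt_login($db, "alice' OR '1'='1", 'x')];
$results['after failed login'] = is_logged_in();
$results['valid login'] = attempt_login($db, 'alice', 'constructed-pass');
$results['after valid login'] = is_logged_in();
var_dump($results);
```

On a real site the three functions would live in one included file, with require_login() called before any output on each protected page.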


  • Closed Accounts Posts: 1,663 ✭✭✭evil-monkey


    Ah lads. I was pulling my hair out wondering why it wouldn't work, when I realized I had not uploaded the updated files. Schoolboy error.

    Anywhoo, this now works perfectly lads. Much appreciated elyod and webmonkey.


  • Closed Accounts Posts: 1,663 ✭✭✭evil-monkey


    Sorry, one final question. What do I have to add so that when the user enters their password into the password field to login, the password is asterisked? Currently it appears in plain text...


  • Closed Accounts Posts: 176 ✭✭elyod


    [php]
    <input type='password' name='whatever_name' />
    [/php]

