xisto Community
sohahm

PHP Based Site Access Authentication - Help How to block parts of your web-site ??


How can I program my web page using PHP so that when the value of the login box is equal to some string it goes to my success.html, otherwise to my fail.html???? Help me guys!

------------------------------------
It would help the readers far better to understand what your problem is if you state the nature of it in short in your topic title, instead of just "Php help". It'll also get you a lot more responses. Am changing your topic title to give you an example. All the best :P

m^e


Go for this:

<?php
// first part: settings. change these like you want and like they should be
define("CORRECT_LOGIN", "...");         // instead of the ..., put the username you are talking about.
define("PAGE_CORRECT", "success.html"); // change this one into something nobody will guess so they can't skip the login page. it's not really safe, but it's something
define("PAGE_WRONG", "fail.html");

// second part. code. don't change here
if (isset($_POST["login"])) {
    if ($_POST["login"] === CORRECT_LOGIN) {
        header("Location: " . PAGE_CORRECT);
        exit;
    } else {
        header("Location: " . PAGE_WRONG);
        exit;
    }
} else {
// next part is just html, you can change here if you want to adjust layout and ****. be careful when changing the form though
?>
<html>
<head><title>blabla</title></head>
<body>
<form method="post">
login: <input type="text" name="login"><br>
<input type="submit" value="login">
</form>
</body>
</html>
<?php } ?>

It's not tested though. I'm too lazy to start up Linux to do so, and I still can't access my FTP at Xisto, so I can't test it there either ;(
But except for some small mistakes, it should work.


marjinn - your code works but there's one big flaw. Once you know the name of this page (if you are a regular visitor you'd know for sure), then you can totally bypass this authentication page and go to that success.html directly. Nothing can stop you....even if you give the page an extremely cryptic name - all you need to do is note it down (just copy-paste it :P )...

 

Here's another solution I found - and gave it a try too on my server.. It works without a hitch. The authentication is done in the Xisto cPanel style - exactly like the box that pops up in your browser asking for a login/pass combo. The concept is to NOT HAVE the authentication code in another web page that loads your "success.html" - but to have it embedded in the success.html ITSELF. That'll completely block you out from success.html if you don't enter a pair of valid credentials. This way even if you know the name of the page - i.e. success.html here - your page won't be displayed to you unless you can verify yourself....

 

Here's the working code from what I learnt today.

<?php
// HTTP header-based authentication test
// This is the actual function that matches the username/password combo with a list
// in some database or flat file
function validate_user($username, $password)
{
    // This is just a sample array containing two username/passes
    // In your real program, you should ideally load a matching password
    // from some database or file depending on the username entered and check
    // accordingly
    $userlist = array('micro' => 'pass',
                      'earth' => 'pass');
    // Checks if the password matches the corresponding user
    // (hash_equals compares in constant time and avoids PHP's loose == conversions)
    if (isset($userlist[$username]) && hash_equals($userlist[$username], (string) $password)) {
        return true;   // If match --> return true
    } else {
        return false;  // No match --> return false
    }
}

// This is the actual code that makes the browser pop up the authentication box and then
// display the rest of your page if authentication goes fine.
// Until the browser sends credentials the two $_SERVER entries do not exist at all,
// hence the isset() check in front of the validation.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    || !validate_user($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    // Feel free to modify the Basic realm="......" part, i.e. the string within the
    // quotes (""). I've used "Protected Zone" here --> you can change it to whatever...That's
    // what will appear in your pop-up login box.
    header('WWW-Authenticate: Basic realm="Protected Zone"');
    header('HTTP/1.0 401 Unauthorized');
    // Display a custom error message - change it to whatever you feel like
    echo "You didn't say the magic word. Access denied.";
    exit;
} else {
    // Show a welcome message if user/pass combo is correct
    echo "Welcome to the Protected Zone.";
    // Rest of your protected page goes here
    // ............
    // ............................
    // .......................................
}
?>

I don't think much is needed in the way of an explanation - coz I inserted a good amount of comments in there... Still, here's a brief note on the parts that I missed out on. $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are global variables that contain the username and password supplied by the user during the auth. process. Notice the

        header('WWW-Authenticate: Basic realm="Protected Zone"');
        header('HTTP/1.0 401 Unauthorized');

part. When your browser receives the 401 header, it pops up that dialog box for user/pass. On validation, it loads the rest of your page - if it's a mismatch or Cancel is pressed - the code exits right then and denies access to the rest of the page. The Basic realm in the first line of the header makes the current page a part of the authenticated realm you are trying to enter. Note: ANY OTHER PAGE with the same Basic realm="xxx" header will thus be accessible with JUST ONE LOGIN. If you want to protect another set of pages for a different group of users, just use a different Basic realm name for those pages.

 

Also, once you enter a set of valid credentials, your browser wouldn't ask you again - even if you reload the page. You're authenticated for good till you close that window and exit the site in the process. That's the only flip side of this code - it doesn't provide you with a clean method to LOGOUT, although you could use a combination of cookies/sessions with this to achieve a logout effect. More on that later...

 

Hope this helps :P


I have programmed my own system for PHP authentication. It uses PHP sessions and a MySQL database.

If you're not using HTTP authentication, PHP sessions are the way to go. You might have noticed that most PHP systems (like forums) do the authentication with sessions. However, sessions aren't that secure... If you just set a certain session variable (like $_SESSION['logged_in']=true;) it is actually quite easy to go in without knowing the password. Session IDs are passed at the end of the URL (if cookies are not available) and people pass links to each other... There are countless pages on the web about session insecurity so I'm not going to repeat everything here...

As sessions aren't secure enough, you need something to go with them. To avoid these session hijackings, saving the user's IP address and checking against it every time the login is checked helps. My system includes this. On login it simply dumps the session ID and user IP to a database table. Then of course the timestamp needs to be updated every time the user logs in or the login is checked, otherwise the old SIDs and IPs would mess up the system. This solution isn't perfect... People are behind the same IP addresses (proxies) and IP spoofing is possible. But it's still better than a basic session, let alone a cookie system. Just remember that you should be using an authentication system adequate to your system.
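The scheme described in this post, written out as an added example (it is not the poster's own system): the session ID, the client IP and a last-seen timestamp go into a database table on login, and every protected page re-checks all three. It assumes an in-memory SQLite database through PDO standing in for the MySQL table, one constructed user 'micro'/'pass', and a 15-minute idle limit chosen for the demonstration.

```php
<?php
// Added example: sessions bound to SID + IP + timestamp in a database table.
// Assumptions: SQLite in memory via PDO (replace the DSN with the real MySQL one),
// constructed sample user 'micro'/'pass', idle limit of 15 minutes for the demo.
const IDLE_LIMIT = 900;

function db(): PDO {
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT)');
        $db->exec('CREATE TABLE logins (sid TEXT PRIMARY KEY, name TEXT, ip TEXT, seen INTEGER)');
        $db->prepare('INSERT INTO users VALUES (?, ?)')   // constructed sample user, hash only
           ->execute(['micro', password_hash('pass', PASSWORD_DEFAULT)]);
    }
    return $db;
}

// Login form handler: verify the password hash, then record SID, IP and time.
function login(string $name, string $password): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $st = db()->prepare('SELECT pwhash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pwhash'])) return false;
    session_regenerate_id(true);   // never keep an ID the client may have chosen or leaked
    db()->prepare('REPLACE INTO logins (sid, name, ip, seen) VALUES (?, ?, ?, ?)')
        ->execute([session_id(), $name, $_SERVER['REMOTE_ADDR'], time()]);
    return true;
}

// Put at the top of every protected page. The session is trusted only if its SID is on
// record, the request comes from the IP that logged in, and the row is not stale.
function check_login(): ?string {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $st = db()->prepare('SELECT name, ip, seen FROM logins WHERE sid = ?');
    $st->execute([session_id()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['ip'] !== $_SERVER['REMOTE_ADDR'] || time() - $row['seen'] > IDLE_LIMIT) {
        return null;               // unknown SID, a different IP than at login, or timed out
    }
    db()->prepare('UPDATE logins SET seen = ? WHERE sid = ?')->execute([time(), session_id()]);
    return $row['name'];           // refresh the timestamp, as the post says it must be
}

// Deleting the row is the logout: a copied session cookie is worthless afterwards.
function logout(): void {
    db()->prepare('DELETE FROM logins WHERE sid = ?')->execute([session_id()]);
    session_destroy();
}
```

The in-memory SQLite database disappears when the request ends, so a real deployment points the PDO DSN at the persistent MySQL table the post describes.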


Registering:

<?php
error_reporting(E_ALL & ~E_NOTICE);
// register_globals is off on any current PHP, so read the form fields from $_POST
$login    = isset($_POST['login'])    ? $_POST['login']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$email    = isset($_POST['email'])    ? $_POST['email']    : '';
// the nick becomes a directory name under users/, so only allow letters, digits and _
// (otherwise something like "../" would be written outside users/)
if ($login && $password && $email && preg_match('/^[A-Za-z0-9_]{1,30}$/', $login)) {
    if (file_exists("users/$login")) {
        $mess = "Ник занят!";
    } else {
        mkdir("users/$login", 0755);   // readable by all, writable only by the web server
        $fp = fopen("users/$login/main.txt", "w");
        fwrite($fp, "$password|$email");
        fclose($fp);
        // the login page looks nicks up in sources/list.txt, so the new nick must be added there
        file_put_contents("sources/list.txt", "$login|", FILE_APPEND);
        $mess = "Успешно.";
    }
} else {
    $mess = "Регистрация";
}
?>
<html>
<head>
  <title>Регистрация</title>
  <link rel="stylesheet" type="text/css" href="sources/style.css">
</head>
<body onload="a=document.getElementsByTagName('img');for(n=0;n<a.length;n++){i=a[n];if(i.width==468&&i.height==60){i.style.display='none';}}" style="margin-top: 130px;" background="sources/reg.jpg">
<center>
<table style="background-image: url(sources/perg.jpg);">
<form action="reg.php" method="post">
<tr><td colspan="2" class="hid"><center><?= $mess ?></center></td></tr>
<tr><td class="hid">Логин:</td><td class="hid"><input type="text" name="login" maxlength="30"></td></tr>
<tr><td class="hid">Пароль:</td><td class="hid"><input type="password" name="password" maxlength="30"></td></tr>
<tr><td class="hid">E-mail:</td><td class="hid"><input type="text" name="email" maxlength="30"></td></tr>
<tr><td class="hid"><input type="submit" value="Готово"></td><td class="hid"><input type="button" value="Закрыть" onclick="window.close();"></td></tr>
</form>
</table>
</center>
</body>
</html>

Checking when the user enters:
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
$login    = isset($_POST['login'])    ? $_POST['login']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$tr = 0;
if ($login && $password) {
    if (file_exists("sources/list.txt")) {
        // list.txt holds all registered nicks separated by "|"
        $all = explode("|", file_get_contents("sources/list.txt"));
        $t = '';
        foreach ($all as $usr) {
            if ($usr === $login) {
                $t = $usr;
                break;
            }
        }
        if ($t) {
            $fp = fopen("users/$t/main.txt", "r");
            $line = fgets($fp, 1024);
            fclose($fp);
            $u = explode("|", $line);   // main.txt is "password|email"
            if ($u[0] === $password) {
                $tr = 1;
            } else {
                $mess = "Ошибочный пароль!";
            }
        } else {
            $mess = "Ошибочный ник!";
        }
    } else {
        $mess = "Зарегистрируйтесь!";
    }
} else {
    $mess = "ĂàíðèóÏ";
}
if ($tr) {
    session_regenerate_id(true);        // fresh ID on login, so a SID handed in beforehand is useless
    $_SESSION['login'] = $login;        // session_register() no longer exists; use $_SESSION
    $_SESSION['password'] = $password;
    header("Location: game.php?" . session_name() . "=" . session_id());
    exit;
}
?>
Checking while travelling on the site:
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
// the login and password were put into the session by the login page
$login    = isset($_SESSION['login'])    ? $_SESSION['login']    : '';
$password = isset($_SESSION['password']) ? $_SESSION['password'] : '';
$tr = 0;
if ($login && $password && file_exists("sources/list.txt")) {
    $all = explode("|", file_get_contents("sources/list.txt"));
    if (in_array($login, $all, true)) {
        $fp = fopen("users/$login/main.txt", "r");
        $line = fgets($fp, 1024);
        fclose($fp);
        $u = explode("|", $line);
        if ($u[0] === $password) {
            $tr = 1;
        }
    }
}
if (!$tr) {
    // every failure case (no session, unknown nick, wrong password, no list) goes back to the start;
    // the exit matters, otherwise the rest of the protected page would still be sent after the redirect
    header("Location: index.php");
    exit;
}
?>

P.S. Don't forget about session_start(); in the beginning :o

