
PHP: How Can I Create An Authentication System?

I'm making a financial site based on PHP/MySQL. There are two sections in that site: the first one, which is a free section, has news, a stocks calculator and chat.

The second section, which is the paid section, has the same features plus a portfolio manager for each member and financial analysis; it also has a game which is available to members only.

The problem I face at the moment is that I need to code a PHP/MySQL authentication system so only paid members can access the pages in the second section. I tried to code it but never succeeded; any help is very welcome :o

Share this post


Link to post
Share on other sites

There are many ways that you can control access to your site

 

HTACCESS

With HTACCESS authentication you can protect your directories on Apache web servers. Your server will display a login window like the cPanel login window.

Open Notepad and paste the code below:

```apache
AuthUserFile /home/users/analyze/.httppass
AuthName "users Only! : Enter Username and Password"
AuthType Basic
require valid-user
```

And save it as .htaccess in your target directory. OK, let's describe the parameters:

>>>>> AuthUserFile /home/users/analyze/.httppass : is the server path to the password file; you should change the path to your server path.

>>>>> AuthName "Users Only! : Enter Username and Password" : is the title of the login window.

Now you should create the .httppass file: enter the usernames and passwords (first the username and then the password) in Notepad and save it as .httppass in the location that you specified in the code above.

The .httppass file should look like this:

linda:dgr85dfd

The first word is the username; the garbled code after ":" is the password.

 

Session

With sessions, each visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

For more information and manual go to PHP official site

http://ir.php.net/manual/en/features.sessions.php

 

If you don't know PHP, you can use Macromedia Dreamweaver; it has a PHP application that can create an authentication system for you.

Share this post


Link to post
Share on other sites

.htaccess is quite a safe bet, although it's not very "hip" with the standard browser password dialogue and so on. PHP sessions work fine but are not very safe unless you know what you are doing. Using just a basic session is a very poor system and I'd recommend adding database storing and checking as well. A good thing to store in that database is the user's IP address. This makes session stealing a bit harder to do. You might also wish to add a cookie (in addition to the session id) for more depth in the security. Then one important thing to remember is reasonable session lengths. The shorter the sessions, the safer your system is. Then again, requiring re-logging in constantly isn't very nice for your users.

Share this post


Link to post
Share on other sites

Actually, usin' .htaccess is not as useful as workin' with sessions.

 

Let me shortly tell what to do.

 

First of all, you will need to choose whether you're working with MySQL while dealing with authentication sys. or usin' usual .txt files.

Keep in the chosen one the data you want.

Insert the application form to login and then check if

1) User with such login is in the database

2) Password matches

 

Then create a var is_user and give it value 1 only if there is such a user. (I'm not reminding you about username,balance, etc. that should be also read.).

session_register(); all these vars.

After that, in the beginning of each page insert session_start();

And all these links would be only seen if(is_user==1).

For pages seen only by users, again put in the beginning session_start(); and if(is_user!=1) just header("Location: index.php");.

 

As for flash files, by .htaccess file allow them only from 127.0.0.1 and access them by using PHP.

 

I think, it's enough and you may complete it yourself.

Share this post


Link to post
Share on other sites

CrazyPensil explained there how sessions work and how you do authentication with sessions, at the very basic level. I've been writing about this in the forums countless times but it always seems worth repeating: simply setting a session variable that indicates that the user has been authenticated is a very low security authentication system and I would use it only for loading page settings or something... It doesn't matter how well you do the actual authentication (the checking of username and password), the simple session variable just isn't secure, as sessions can be stolen easily. And in fact often just by accident. The session variable can be used as an indicator that more checking for the user needs to be done, meaning that if the variable is not set the server wouldn't even bother with further checking. Further checking could include checking the user's IP address against the one stored in a database when the user logged in, checking if a random value stored in a cookie and in the database match (you could create a new pair every time the login is verified) and so on. And one more thing... Never store actual passwords in the database, always use hashes.

Share this post


Link to post
Share on other sites
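The extra checks described in the post above (session flag first, then the login IP and a random cookie value compared with the database, with a new pair issued on each check), as an added example that is not from any poster in this thread. The login_state table, the function names and the sample values are assumptions, and in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// SQLite in memory stands in for MySQL; table and column names are assumptions.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_state (user_id INTEGER PRIMARY KEY, token_hash TEXT, ip TEXT)');
    return $db;
}

// Call right after the password check succeeds. Returns the value to put in the cookie.
function startLogin(PDO $db, int $userId, string $ip): string {
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, so a leaked table does not yield valid cookies.
    $db->prepare('REPLACE INTO login_state (user_id, token_hash, ip) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $ip]);
    return $token;
}

// Call on every members-only page. Returns the next cookie value, or null if a check fails.
function checkAndRotate(PDO $db, array $session, string $cookieToken, string $ip): ?string {
    if (empty($session['user_id'])) {
        return null;                    // flag not set: no further checking needed
    }
    $userId = (int)$session['user_id'];
    $st = $db->prepare('SELECT token_hash, ip FROM login_state WHERE user_id = ?');
    $st->execute([$userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['ip'] !== $ip
              || !hash_equals($row['token_hash'], hash('sha256', $cookieToken))) {
        // Mismatch: forget the stored pair so the session stops working everywhere.
        $db->prepare('DELETE FROM login_state WHERE user_id = ?')->execute([$userId]);
        return null;
    }
    return startLogin($db, $userId, $ip);   // new pair every time the login is verified
}

// Constructed walk-through: login, one good request, then the old cookie presented again.
$db      = makeDb();
$session = ['user_id' => 7];            // stands in for $_SESSION
$cookie  = startLogin($db, 7, '203.0.113.5');
$next    = checkAndRotate($db, $session, $cookie, '203.0.113.5');
$replay  = checkAndRotate($db, $session, $cookie, '203.0.113.5');
var_dump($next !== null, $replay);
```

On a real page, send the returned value with setcookie() using the httponly and secure options, and treat null as logged out. Visitors whose IP address changes between requests will be logged out by the IP comparison.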

It's so helpful for the idea. I need more details about the code; how can I contact any one of you if I need to know this? I hope I can find someone who can help me with the code. I'm using MySQL for data storage. The site should be online in less than 15 days, "by 1st April". It will be a portfolio manager for shares. I'm a beginner at PHP, still working on learning it, but I need to finish the site quickly :o

Share this post


Link to post
Share on other sites

As I have already shown, a full version which doesn't keep the state of user(on/off) in a variable and checks ev'rything each time he loads de page.

Registering:

```php
<?php
Error_Reporting(E_ALL & ~E_NOTICE);

// Read the form fields explicitly instead of relying on register_globals.
$login    = isset($_POST['login'])    ? $_POST['login']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$email    = isset($_POST['email'])    ? $_POST['email']    : '';

if ($login && $password && $email) {
    // The login becomes a directory name, so allow only letters, digits and "_".
    if (!preg_match('/^[A-Za-z0-9_]{1,30}$/', $login) || file_exists("users/$login")) {
        $mess = "Ник занят!";      // "Nick is taken!"
    } else {
        // users/ must not be readable over HTTP: main.txt holds "password|email" in plain text.
        mkdir("users/$login", 0700);
        $fp = fopen("users/$login/main.txt", "w");
        fwrite($fp, "$password|$email");
        fclose($fp);
        $mess = "Успешно.";        // "Success."
    }
} else {
    $mess = "Регистрация";         // "Registration"
}
?>
<html>
<head>
  <title>Регистрация</title>
  <link rel="stylesheet" type="text/css" href="sources/style.css">
</head>
<body onload="javascript: a=document.getElementsByTagName('img');for(n=0;n<a.length;n++){i=a[n]; if(i.width==468&&i.height==60){i.style.display='none';}}void 0;" style="margin-top: 130px;" background="sources/reg.jpg">
<center>
<form action="reg.php" method="post">
<table style="background-image: url(sources/perg.jpg);">
  <tr><td colspan="2" class="hid"><center><?=$mess;?></center></td></tr>
  <!-- Labels: "Login:", "Password:", "E-mail:"; buttons: "Done", "Close" -->
  <tr><td class="hid">Логин:</td><td class="hid"><input type="text" name="login" maxlength="30"></td></tr>
  <tr><td class="hid">Пароль:</td><td class="hid"><input type="password" name="password" maxlength="30"></td></tr>
  <tr><td class="hid">E-mail:</td><td class="hid"><input type="text" name="email" maxlength="30"></td></tr>
  <tr><td class="hid"><input type="submit" value="Готово"></td><td class="hid"><input type="button" value="Закрыть" onclick="javascript:window.close();"></td></tr>
</table>
</form>
</center>
</body>
</html>
```

Checking when enters:
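```php
<?php
Error_Reporting(E_ALL & ~E_NOTICE);

// Read the form fields explicitly instead of relying on register_globals.
$login    = isset($_POST['login'])    ? $_POST['login']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$t  = '';
$tr = 0;

if ($login && $password) {
    if (file_exists("sources/list.txt")) {
        // list.txt holds the known logins separated by "|".
        $fp  = fopen("sources/list.txt", "r");
        $lis = "";
        while (!feof($fp)) {
            $lis .= fread($fp, 5016);
        }
        fclose($fp);
        $all = explode("|", $lis);
        foreach ($all as $usr) {
            if ($usr === $login) {
                $t = $usr;
                break;
            }
        }
        if ($t) {
            // main.txt holds "password|email".
            $fp   = fopen("users/$t/main.txt", "r");
            $line = fgets($fp, 1024);
            fclose($fp);
            $u = explode("|", $line);
            if ($u[0] === $password) {
                $tr = 1;
            } else {
                $mess = "Ошибочный пароль!";   // "Wrong password!"
            }
        } else {
            $mess = "Ошибочный ник!";          // "Wrong nick!"
        }
    } else {
        $mess = "Зарегистрируйтесь!";          // "Please register!"
    }
} else {
    $mess = "ĂàíðèóÏ";                         // default text before a login attempt (garbled in the source)
}

if ($tr) {
    session_start();
    // session_register() was removed in PHP 5.4; $_SESSION stores the same two values.
    $_SESSION['login']    = $login;
    $_SESSION['password'] = $password;
    // The session cookie carries the id; a PHPSESSID in the URL leaks through links and Referer headers.
    header("Location: game.php");
    exit;
}
?>
```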
Checking while travelling on the site:
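```php
<?php
Error_Reporting(E_ALL & ~E_NOTICE);
session_start();

// Credentials saved at login; they are re-checked against the files on every page load.
$login    = isset($_SESSION['login'])    ? $_SESSION['login']    : '';
$password = isset($_SESSION['password']) ? $_SESSION['password'] : '';
$t  = '';
$tr = 0;

if ($login && $password && file_exists("sources/list.txt")) {
    $fp  = fopen("sources/list.txt", "r");
    $lis = "";
    while (!feof($fp)) {
        $lis .= fread($fp, 5016);
    }
    fclose($fp);
    $all = explode("|", $lis);
    foreach ($all as $usr) {
        if ($usr === $login) {
            $t = $usr;
            break;
        }
    }
    if ($t) {
        $fp   = fopen("users/$t/main.txt", "r");
        $line = fgets($fp, 1024);
        fclose($fp);
        $u = explode("|", $line);
        if ($u[0] === $password) {
            $tr = 1;
        }
    }
}

// Every failed branch ends up here, as in the original's four redirects.
if (!$tr) {
    header("Location: index.php");
    exit;   // without exit the rest of the protected page would still be sent
}
?>
```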

P.S. Don't forget about session_start(); in the beginning :o

Share this post


Link to post
Share on other sites

This is a very useful tutorial. I just need to know how we can store users' information in a MySQL database instead of text files.

Another question: where do I put session_start(), at the beginning of which section?

Share this post


Link to post
Share on other sites

Session_start(); should be on the top of each section (after Error_reporting()) :o As for makin' it with MySQL, I'm not good at it, so, unluckily, I can't help you with this one so fast. In 5 days' time I will most probably make the same one (or better) using MySQL, of course, if no one else is faster than me :P

Share this post


Link to post
Share on other sites
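For the MySQL question, an added example (not written by anyone in this thread) that keeps members in a table with password hashes, as advised earlier in the thread, and guards members-only pages with a session. The members table, its columns, the function names and the sample account are assumptions; in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// Assumed schema, SQLite syntax; in MySQL declare id as INT AUTO_INCREMENT PRIMARY KEY.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');   // MySQL: new PDO('mysql:host=...;dbname=...', $user, $pass)
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, login VARCHAR(30) UNIQUE,
               email VARCHAR(255), pass_hash VARCHAR(255), paid INTEGER DEFAULT 0)');
    return $db;
}

function registerMember(PDO $db, string $login, string $password, string $email): bool {
    if (!preg_match('/^[A-Za-z0-9_]{3,30}$/', $login)) {
        return false;                               // unexpected characters in the login
    }
    $st = $db->prepare('SELECT 1 FROM members WHERE login = ?');
    $st->execute([$login]);
    if ($st->fetchColumn()) {
        return false;                               // login already taken
    }
    $db->prepare('INSERT INTO members (login, email, pass_hash) VALUES (?, ?, ?)')
       ->execute([$login, $email, password_hash($password, PASSWORD_DEFAULT)]);
    return true;
}

// Member id when login and password match a paid account, otherwise null.
function checkLogin(PDO $db, string $login, string $password): ?int {
    $st = $db->prepare('SELECT id, pass_hash, paid FROM members WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pass_hash']) || !$row['paid']) {
        return null;
    }
    return (int)$row['id'];
}

// First call on every members-only page, before any output.
function requireMember(): int {
    session_start();
    if (empty($_SESSION['member_id'])) {
        header('Location: index.php');
        exit;                                       // otherwise the page is still sent
    }
    return (int)$_SESSION['member_id'];
}

// Constructed walk-through with a sample account.
$db = openDb();
registerMember($db, 'linda', 'correct horse battery', 'linda@example.com');
$db->exec("UPDATE members SET paid = 1 WHERE login = 'linda'");   // payment confirmed
var_dump(checkLogin($db, 'linda', 'correct horse battery'), checkLogin($db, 'linda', 'wrong'));
```

On the login page, once checkLogin() returns an id, call session_start(), then session_regenerate_id(true), and store the id in $_SESSION['member_id'].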
