
bmcgonag

Original poster
Mar 20, 2007
How would I go about requiring a login in order to access any page but the home page or open section on my website? I hate to say this...but kind of like the adult web sites that have the home page (warning) page, and maybe "tour" pages, but require a login to gain access to main material?

Thanks,

Brian
 
The way that I'm familiar with is having a database full of users, and creating a login page. As long as they have a correct login, they can run the application, otherwise all they see is a blank page, if they try and access the URL.
 
I comprehend what you are telling me here, but is there any sample code, or a software set that will help me do this?

Thanks,

Brian
 
Your best bet is a book like PHP & MySQL For Dynamic Websites, by Peachpit Press if you don't know any of the PHP and MySQL and you're starting from scratch.
 
I know some PHP and MySQL, but I'm just not sure how to force a site to go to the homepage, even if someone tries to direct link to a different page.

I'm sure that's somewhere in the PHP, so I'll check it out. Thanks.

Brian
 
The answers to your questions are all in the book that SC68Cal suggested. I bought that book about a year ago and it has proven to be a very valuable resource. The author (Larry Ullman) recently came out with a new book (PHP 5 Advanced) which I have yet to buy but definitely intend to.
 
If you want them to share a username/password, you can just use an htaccess and an htpasswd file. Secure and no real coding involved. Google the two terms for simpler tutorials than the docs I've linked to.
 
You could always password protect a directory. It's what I do for folders on my server that I don't need anyone getting into. You can even do it for the main directory where the index.html file is located.

Then again it all depends on the features that your hosting company has given you. I am running cpanel for my control panel and it offers a lot of great things.
 
The gist of it is that you have one file, say "authentication.php", which checks to make sure the user is logged in, and if they aren't, redirects to the login page. Then, in every page which requires authentication, you would include this authentication script.

Here is a (very) simple example:
PHP:
All files requiring authentication:
<?php
include "authentication.php";
/* Other content here */
?>

Authentication.php:
<?php
/* Check if user is authenticated */
session_start();
if ($_SESSION["logged-in"]){
    /* The user is logged in */
}else{
    /* The user is not logged in */
    header("location:/login.php");
    /* Now kill PHP to prevent further processing */
    die();
}
?>

The above is extremely simplified, and is just meant to give you an idea of what needs to be done. More things should, theoretically, be added to make it more secure.

The actual login process is more complicated, but there are tons of tutorials online on how to do this. I'd recommend, however, that you use several security measures, including some of the ones in the following example:
PHP:
/* Storing a password */
function set_password($user_id, $password){
    mysql_query("UPDATE USERS SET PASSWORD = '" . mysql_real_escape_string(md5($password))
    . "' WHERE USER_ID = " . intval($user_id));
}

/* Checking a login: look the user up by name and by the MD5 digest of the password */
function login ($user_name, $password){
    $users = mysql_query("SELECT * FROM USERS WHERE " .
        "USER_NAME = '" . mysql_real_escape_string($user_name) . "'" .
        " AND PASSWORD = '" . mysql_real_escape_string(md5($password)) . "'"
    );
    if (mysql_num_rows($users) > 0){
        /* Login was a success! */
    }else{
        /* Invalid login! */
    }
}

  1. The password is encrypted in one-way encryption. See PHP's md5 documentation.
  2. Input strings are escaped using mysql_real_escape_string to prevent SQL injection (for example, an attacker using "' OR TRUE" as a user name, causing login to always be successful).
  3. Using intval() to ensure that the value for user_id is a number, and not other text.

Keep these security concerns in mind.
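
An added example (not part of the original post) of the same two functions on current PHP, where the mysql_* extension no longer exists: PDO bound parameters replace the escaping calls, and password_hash()/password_verify() are swapped in for md5(). The in-memory SQLite database, the lowercase table name and the sample account are constructed so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed in-memory SQLite database so the example runs offline (assumption:
// pdo_sqlite is installed). On a real site, point the DSN at MySQL instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY,
                               user_name TEXT UNIQUE, password TEXT)');
$db->exec("INSERT INTO users (user_name, password) VALUES ('brian', '')"); // constructed account

/* Storing a password: a salted, deliberately slow hash */
function set_password(PDO $db, int $user_id, string $password): void {
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE user_id = :id');
    $stmt->execute([':hash' => password_hash($password, PASSWORD_DEFAULT),
                    ':id'   => $user_id]);
}

/* Returns the user's id on success, null on any failure */
function login(PDO $db, string $user_name, string $password): ?int {
    // The user name is a bound parameter, so it is never parsed as SQL
    $stmt = $db->prepare('SELECT user_id, password FROM users WHERE user_name = :name');
    $stmt->execute([':name' => $user_name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is compared in PHP, not in the WHERE clause, because each
    // stored hash carries its own random salt
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    // Re-hash when PHP's default algorithm or cost has moved on
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        set_password($db, (int) $row['user_id'], $password);
    }
    return (int) $row['user_id'];
}

set_password($db, 1, 'correct horse battery staple');
var_dump(login($db, 'brian', 'correct horse battery staple')); // valid credentials
var_dump(login($db, 'brian', 'wrong'));                        // wrong password
var_dump(login($db, "' OR TRUE", 'anything'));  // the post's injection string: just an unknown name
```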
 
Great Info! I have actually had to do similar things in Perl a long time ago, but good to be refreshed on it.

thanks,

Brian

 
Great bit of code Core, thanks for laying out in code what I was only motivated enough to explain :D.

My one suggestion:

Use the bottom example that uses a SQL database, because having just a $_SESSION variable named "logged_in" being set isn't as secure as I'd like, since it seems you're just seeing if it actually exists in the SESSION array. A more secure setup for the first example would be to have "logged_in" as a boolean value, and assign it TRUE and FALSE.

I'd recommend using the second example, because as you scale up the SQL database will be much better, and will let you do lots of cool things in the future.
 
Thanks. It was a quick bit of code though, and I didn't test it.

As for the $_SESSION checking, I ran into that problem once, I think (though I may be remembering incorrectly). I think PHP was not clearing the memory allocated for the $_SESSION variable, so an uninitialized $_SESSION variable could evaluate as true.

I therefore usually use something more similar to:
PHP:
if ($_SESSION["logged-in"] == "LOGGED_IN"){
    //logged in
}

The chances of the uninitialized variable being "LOGGED_IN" would probably be very low.
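
An added example (not part of the original posts) of the authentication.php guard discussed in this thread, using the boolean flag suggested earlier with a strict comparison, a fresh session id at login and an idle timeout. The function names, the user_id and last_seen keys, the 30-minute limit and the HTTPS-only cookie setting are assumptions made for the example.

```php
<?php
declare(strict_types=1);
const IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed value)

/* Pure check on a session array, so it can be exercised without a browser */
function is_authenticated(array $session, int $now): bool {
    // Strict comparison: only boolean true passes; a missing key or any
    // other stray value fails closed
    if (($session['logged-in'] ?? null) !== true) {
        return false;
    }
    if (!is_int($session['user_id'] ?? null)) {
        return false;
    }
    return $now - (int) ($session['last_seen'] ?? 0) <= IDLE_LIMIT;
}

/* Call once, right after the password check succeeds */
function mark_logged_in(int $user_id): void {
    session_regenerate_id(true); // fresh session id for the authenticated session
    $_SESSION = ['logged-in' => true, 'user_id' => $user_id, 'last_seen' => time()];
}

/* Body of authentication.php: call at the top of every protected page */
function require_login(): void {
    session_start(['cookie_httponly' => true, 'cookie_secure' => true,
                   'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);
    if (!is_authenticated($_SESSION, time())) {
        $_SESSION = [];
        header('Location: /login.php');
        exit; // stop before any protected content is produced
    }
    $_SESSION['last_seen'] = time();
}

// Constructed session arrays, evaluated at a fixed "now" when run from the CLI
if (PHP_SAPI === 'cli') {
    $now = 1000000;
    $samples = [
        'valid'         => ['logged-in' => true, 'user_id' => 7, 'last_seen' => $now - 60],
        'no session'    => [],
        'truthy flag'   => ['logged-in' => '1', 'user_id' => 7, 'last_seen' => $now - 60],
        'idle too long' => ['logged-in' => true, 'user_id' => 7, 'last_seen' => $now - 7200],
    ];
    foreach ($samples as $label => $session) {
        printf("%-14s %s\n", $label, is_authenticated($session, $now) ? 'allow' : 'redirect');
    }
}
```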
 