PHP Sessions / Login Script



forcerhpool
05-20-2011, 06:57 PM
I want to learn how to work with PHP sessions so I plan to build a simple admin login script.

Does anyone know of any reputable tutorials?

I'd rather do it without MySQL as it won't store members; instead it will hold just an admin user/pass in a config file and I want it to be secure.

Thanks.

mlseim
05-20-2011, 07:05 PM
Take this online course ...
http://www.tizag.com/phpT/phpsessions.php

The secure part would be to encrypt passwords and use a secure server.



Horologe
05-21-2011, 12:10 AM
When you do data input, a little note is to make sure you clean your data. You need to prevent SQL injection. O'Reilly has a good book on the subject.

mysql_real_escape_string() and double encrypt your password data with md5 either with a defined salt or something based on the user input.

I suggest you also use mcrypt for the rest of your data, but I'm just paranoid.

so either
$salt = 'crazyfish';
$encryptedpass = md5( $salt . md5($_POST['pass']));

or $encryptedpass = md5($_POST['email'] . md5($_POST['pass']));

angst
05-21-2011, 12:26 AM
login can be as simple as this;



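<?php
session_start(); // must be at the VERY top of all pages that GET or SET session objects

if ($_SERVER['REQUEST_METHOD'] === 'POST') { // only check credentials when the form was submitted
    $user = isset($_POST["user"]) ? $_POST["user"] : "";
    $pass = isset($_POST["pass"]) ? $_POST["pass"] : "";

    if ($user === "admin" && $pass === "password") {
        session_regenerate_id(true); // issue a new session id on login
        $_SESSION['LoggedIn'] = true; // set login session successful!

        header("Location: SomePage.php"); // redirect to your admin page
        exit; // stop here so nothing else is sent after the redirect
    } else {
        echo "Sorry, try again!"; // failed login
    }
}
?>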

<html>
<head>
<title>Login</title>
</head>
<body>
<form action="login.php" method="post">
<input type="text" name="user">
<input type="password" name="pass">
<input type="submit" value="Login!">
</form>
</body>
</html>



and to check for the login session on other php pages;



<?php
session_start(); // always on top

if (empty($_SESSION['LoggedIn'])) {
    header("Location: login.php");
    exit; // without this the rest of the protected page still runs and is sent
}
?>



untested, but that should work. no database needed, no worries about injection.

Horologe
05-21-2011, 07:23 AM
you can also do like

$users = array('user0' => 'pass0', 'user2' => 'pass2');

to have more than one user without using a DB

forcerhpool
05-23-2011, 09:38 PM
this is great thanks

forcerhpool
05-23-2011, 10:22 PM
When you do data input, a little note is to make sure you clean your data. You need to prevent SQL injection. O'Reilly has a good book on the subject.

mysql_real_escape_string() and double encrypt your password data with md5 either with a defined salt or something based on the user input.

I suggest you also use mcrypt for the rest of your data, but I'm just paranoid.

so either
$salt = 'crazyfish';
$encryptedpass = md5( $salt . md5($_POST['pass']));

or $encryptedpass = md5($_POST['email'] . md5($_POST['pass']));

how would I incorporate this into the below script?

forcerhpool
05-24-2011, 10:29 PM
I can't get my head around the salted part; if it's hard coded into the script then surely the hacker still only needs to know the password?

angst
05-24-2011, 10:38 PM
salt is just a term used to describe the use of a secret or 'key' word used to make passwords more secure.

if you want to encrypt your hard coded passwords then you could just copy/paste the results of:


$encryptedpass = md5("YourPassword");

or using salt;




$YourSaltKey = "123";
$encryptedpass = md5($YourSaltKey . md5("YourPassword"));


but since your passwords are all hardcoded there's not much point in encrypting the passwords.
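
Added example, not part of the thread: one way to keep only a password hash in the config file, using PHP's password_hash() and password_verify() (PHP 5.5+, newer than this thread), which generate a random salt for each hash and store it inside the hash string. ADMIN_USER, ADMIN_HASH and check_login() are hypothetical names, and the demo password is constructed.

```php
<?php
// Added example (PHP 5.6+). ADMIN_USER, ADMIN_HASH and check_login() are
// hypothetical names; the demo password below is constructed.

// Config part. In a real config file, paste the string printed once by
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), "\n";'
// It is generated at run time here only so the example runs as-is.
define('ADMIN_USER', 'admin');
define('ADMIN_HASH', password_hash('constructed-demo-password', PASSWORD_DEFAULT));

function check_login($user, $pass)
{
    if (!is_string($user) || !is_string($pass)) {
        return false; // e.g. user[]=x submitted as an array
    }
    // Run both checks unconditionally so a wrong user name and a wrong
    // password take about the same time.
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($pass, ADMIN_HASH);
    return $userOk && $passOk;
}

if (PHP_SAPI !== 'cli') {
    // Login page handler, same flow as the script posted in the thread.
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = isset($_POST['user']) ? $_POST['user'] : '';
        $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
        if (check_login($user, $pass)) {
            session_regenerate_id(true); // new session id once logged in
            $_SESSION['LoggedIn'] = true;
            header('Location: SomePage.php');
            exit;
        }
        echo 'Sorry, try again!';
    }
} else {
    // Command-line self-check with constructed inputs.
    var_dump(check_login('admin', 'constructed-demo-password')); // correct pair
    var_dump(check_login('admin', 'wrong'));                     // wrong password
    // Hashing the same password again gives a different string, because the
    // random salt is generated per hash and stored inside the hash itself;
    // password_verify() reads it back from there.
    $again = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
    var_dump($again !== ADMIN_HASH);
    var_dump(password_verify('constructed-demo-password', $again));
}
```

Run from the command line it only exercises check_login(); served by a web server it behaves as the login page.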


