  1. #1

    PHP Sessions / Login Script

    I want to learn how to work with PHP sessions, so I plan to build a simple admin login script.

    Does anyone know of any reputable tutorials?

    I'd rather do it without MySQL as it won't store members; instead it will hold just an admin user/pass in a config file, and I want it to be secure.

    Thanks.

  • #2
    Take this online course ...
    http://www.tizag.com/phpT/phpsessions.php

    The secure part would be to encrypt passwords and use a secure server.



  • #3
    When you do data input, a little note is to make sure you clean your data. You need to prevent SQL injection. O'Reilly has a good book on the subject.

    mysql_real_escape_string() and double encrypt your password data with md5, either with a defined salt or something based on the user input.

    I suggest you also use mcrypt for the rest of your data, but I'm just paranoid.

    So either
    $salt = 'crazyfish';
    $encryptedpass = md5($salt . md5($_POST['pass']));

    or
    $encryptedpass = md5($_POST['email'] . md5($_POST['pass']));
    Last edited by Horologe; 05-20-2011 at 11:11 PM. Reason: more data.

  • #4
    angst
    login can be as simple as this;

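    PHP Code:
    <?php
    session_start(); // must be at the VERY top of all pages that GET or SET session objects

    // only check credentials when the form was actually submitted
    if (isset($_POST["user"], $_POST["pass"])) {
        if ($_POST["user"] === "admin" && $_POST["pass"] === "password") {
            $_SESSION['LoggedIn'] = true; // set login session successful!
            header("Location: SomePage.php"); // redirect to your admin page
            exit; // stop so the login form below is not sent after the redirect
        } else {
            echo "Sorry, try again!"; // failed login
        }
    }
    ?>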

    <html> 
    <head> 
    <title>Login</title> 
    </head> 
    <body> 
    <form action="login.php" method="post"> 
    <input type="text" name="user"> 
    <input type="password" name="pass"> 
    <input type="submit" value="Login!"> 
    </form> 
    </body> 
    </html>

    and to check for the login session on other php pages;

    PHP Code:
    <?php
    session_start(); // always on top

    if (empty($_SESSION['LoggedIn'])) {
        header("Location: login.php");
        exit; // stop so the rest of the protected page is not sent
    }
    ?>

    untested, but that should work. no database needed, no worries about injection.
    Last edited by angst; 05-20-2011 at 11:30 PM.

  • #5
    you can also do like

    $users = array('user0' => 'pass0', 'user2' => 'pass2');

    to have more than one user without using a DB

  • #6
    Quote Originally Posted by angst
    login can be as simple as this;

    PHP Code:
    <?php
    session_start(); // must be at the VERY top of all pages that GET or SET session objects

    // only check credentials when the form was actually submitted
    if (isset($_POST["user"], $_POST["pass"])) {
        if ($_POST["user"] === "admin" && $_POST["pass"] === "password") {
            $_SESSION['LoggedIn'] = true; // set login session successful!
            header("Location: SomePage.php"); // redirect to your admin page
            exit; // stop so the login form below is not sent after the redirect
        } else {
            echo "Sorry, try again!"; // failed login
        }
    }
    ?>

    <html> 
    <head> 
    <title>Login</title> 
    </head> 
    <body> 
    <form action="login.php" method="post"> 
    <input type="text" name="user"> 
    <input type="password" name="pass"> 
    <input type="submit" value="Login!"> 
    </form> 
    </body> 
    </html>

    and to check for the login session on other php pages;

    PHP Code:
    <?php
    session_start(); // always on top

    if (empty($_SESSION['LoggedIn'])) {
        header("Location: login.php");
        exit; // stop so the rest of the protected page is not sent
    }
    ?>

    untested, but that should work. no database needed, no worries about injection.

    This is great, thanks.

  • #7
    Quote Originally Posted by Horologe
    When you do data input, a little note is to make sure you clean your data. You need to prevent SQL injection. O'Reilly has a good book on the subject.

    mysql_real_escape_string() and double encrypt your password data with md5, either with a defined salt or something based on the user input.

    I suggest you also use mcrypt for the rest of your data, but I'm just paranoid.

    So either
    $salt = 'crazyfish';
    $encryptedpass = md5($salt . md5($_POST['pass']));

    or
    $encryptedpass = md5($_POST['email'] . md5($_POST['pass']));

    How would I incorporate this into the below script?

  • #8
    I can't get my head around the salted part; if it's hard coded into the script then surely the hacker still only needs to know the password?

  • #9
    angst
    salt is just a term used to describe the use of a secret or 'key' word used to make passwords more secure.

    if you want to encrypt your hard coded passwords then you could just copy/paste the results of:

    PHP Code:
    $encryptedpass = md5("YourPassword");

    or using salt;

    PHP Code:
    $YourSaltKey = "123";
    $encryptedpass = md5($YourSaltKey . md5("YourPassword"));

    but since your passwords are all hardcoded there's not much point in encrypting the passwords.
    Last edited by angst; 05-24-2011 at 09:42 PM.
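
Added example, not code from any poster in this thread: the config-file admin login asked about in posts #7 and #8, using PHP's built-in password_hash()/password_verify() (random per-hash salt, bcrypt by default) in place of the md5() calls discussed above. It assumes PHP 5.6 or later; config.php, its array keys and the helper names verify_admin() and handle_login() are hypothetical.

```php
<?php
// Added example. config.php (hypothetical name, kept outside the web root) is assumed to return
//   array('user' => 'admin', 'hash' => '<password_hash() output, generated once>');
// Generate the hash once on the command line and paste it into config.php:
//   php -r 'echo password_hash("YourPassword", PASSWORD_DEFAULT), PHP_EOL;'

function verify_admin(array $config, $user, $pass)
{
    // Run both checks unconditionally so a wrong user name costs the same time as a wrong password.
    $passOk = password_verify($pass, $config['hash']);
    $userOk = hash_equals($config['user'], $user);
    return $userOk && $passOk;
}

function handle_login(array $config, array $post)
{
    // Reject missing or non-string fields (e.g. pass[]=x) before they reach the hash functions.
    $user = isset($post['user']) && is_string($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) && is_string($post['pass']) ? $post['pass'] : '';
    if (!verify_admin($config, $user, $pass)) {
        return false;
    }
    session_regenerate_id(true); // fresh session ID on login, so a pre-set ID cannot be reused
    $_SESSION['LoggedIn'] = true;
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample config for a command-line self-check; a real config stores only the hash.
    $config = array('user' => 'admin', 'hash' => password_hash('YourPassword', PASSWORD_DEFAULT));
    // The salt is random and stored inside the hash string, so two hashes of one password differ.
    var_dump($config['hash'] !== password_hash('YourPassword', PASSWORD_DEFAULT));
    var_dump(verify_admin($config, 'admin', 'YourPassword'));
    var_dump(verify_admin($config, 'admin', 'password'));
    var_dump(verify_admin($config, 'root', 'YourPassword'));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $config = require __DIR__ . '/config.php';
    if (handle_login($config, $_POST)) {
        header('Location: SomePage.php');
        exit; // stop here so nothing else is sent after the redirect
    }
    echo 'Sorry, try again!';
}
```

Because only the hash sits in the config file, someone who reads that file still has to guess the password offline against a slow, salted hash; the salt does nothing against guesses typed into the login form, which is what rate limiting and a strong password are for.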

