Authenticating Users

  • tdrsam
    New Member
    • May 2015
    • 97

    I'm trying to set up a really basic login system where the user logs in, but I want to set up some pages in the site so that there's a redirect to the login page if someone tries to access a protected page without being logged in.

    So, this is how I'm checking the username and password:

    Code:
    <?php
    session_start();
    include ('includes/DbCon.php');
    
    // username and password sent from form 
    $user=$mysqli->real_escape_string($_POST['user']);
    $password=$mysqli->real_escape_string($_POST['password']);
    
    $sql="SELECT * FROM xyz WHERE user='$user' and password='$password'";
    $result=$mysqli->query($sql);
    
    // Mysqli_num_rows is counting table rows
    if(mysqli_num_rows($result) == 1){
        $row = mysqli_fetch_array($result, MYSQLI_BOTH);
    
    // Register $user, $password and redirect to admin area
    
    $_SESSION['user']=="admin";
    $_SESSION['password']=="password";
    
    echo '<script type="text/javascript">';
    echo 'document.location.href = "/pc.v.2/admin.php";';
    echo '</script>';
    
    }
    else {
    echo '<script type="text/javascript">';
    echo 'alert("Invalid Username or Password");';
    echo 'history.back();';
    echo '</script>';
    
    }
    mysqli_close($mysqli);
    ?>
    And at the top of the protected pages, I've added this to check for session details:

    Code:
    <?php
    session_start();
    if(!isset($_SERVER['PHP_AUTH_USER'])) {
    header("location:login.php");
    exit; // stop here, otherwise the rest of the protected page is still sent after the redirect header
    }
    else{
    // getElementsByClassName() returns a collection, so the first matching element is selected
    echo '<script type="text/javascript">document.getElementsByClassName("login")[0].innerHTML="Logout";</script>';
    }
    ?>
    But when I try to login, I just get redirected back to the login page. It seems like the authentication isn't communicating with the $_SESSION. Where am I going wrong here?
  • Dormilich
    Recognized Expert
    • Aug 2008
    • 8694

    #2
    there are several things wrong.

    - $_SERVER['PHP_AUTH_USER'] is used for HTTP Basic Authentication (which does not rely on sessions), not for form based logins.

    - you should not rely on JavaScript based redirects. you can use PHP’s header() function for that.

    - lines #19, #20 are completely useless.

    - you never ever save a password itself (neither in a session nor in a database nor elsewhere), only its hash. use PHP’s password_hash() function for that.

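    The points above, worked into code as an added example (not code from this thread): a bound-parameter lookup, password_verify() against a stored hash, session values set with a single `=`, a header() redirect followed by exit, and a protected-page guard that reads $_SESSION instead of $_SERVER['PHP_AUTH_USER']. It assumes, as the original post does, that includes/DbCon.php defines $mysqli and that table xyz has `user` and `password` columns, with `password` holding password_hash() output.

```php
<?php
// includes/auth.php: added example, not the thread's own code.
// Assumes includes/DbCon.php defines $mysqli and that table xyz stores
// password_hash() output in its `password` column (both assumptions).

function authenticate(mysqli $db, string $user, string $password): bool
{
    // Bound parameter instead of string-built SQL: no escaping needed.
    $stmt = $db->prepare('SELECT password FROM xyz WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Only the hash is stored; password_verify() checks the plaintext against it.
    return $found && password_verify($password, $hash);
}

function login(mysqli $db, string $user, string $password): void
{
    if (!authenticate($db, $user, $password)) {
        header('Location: login.php?error=1');
        exit;
    }
    session_regenerate_id(true);            // new session id after the privilege change
    $_SESSION['user'] = $user;              // single '=' assigns; '==' only compares
    header('Location: /pc.v.2/admin.php');  // the redirect is the last output
    exit;                                   // nothing after a redirect header should run
}

// Guard for protected pages: form logins live in $_SESSION, not PHP_AUTH_USER.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

// login.php:        session_start(); require 'includes/DbCon.php'; require 'includes/auth.php';
//                   login($mysqli, $_POST['user'] ?? '', $_POST['password'] ?? '');
// admin.php (top):  session_start(); require 'includes/auth.php'; require_login();
// creating a user:  $hash = password_hash($plain, PASSWORD_DEFAULT);  // store $hash, never $plain
```

    Because session_regenerate_id() and header() are called before any HTML is echoed, the "headers already sent" errors mentioned later in the thread do not occur.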

    • tdrsam
      New Member
      • May 2015
      • 97

      #3
      I must admit that I'm not entirely sure about $_SERVER['PHP_AUTH_USER'] but it seems to work ok for the system I'm building, which is a very basic admin area, and only has one set of login details.

      I had a lot of trouble with PHP headers. I kept getting errors, so I switched to javascript redirects which seem to work ok.

      I checked on lines 19 & 20 and they actually do perform a function. At least line 19 does. I commented out both lines and was unable to use the login system (redirect back to login page after entering correct login details) so I put line 19 back and it's fine, so that line must be registering the session. Line 20 was useless though.

      I'll probably set up the password hash before this goes live.

      Thanks for the tips.


      • Dormilich
        Recognized Expert
        • Aug 2008
        • 8694

        #4
        I checked on lines 19 & 20 and they actually do perform a function.
        then you have other lines.
        Code:
        $_SESSION['user']=="admin";
        $_SESSION['password']=="password";
        does absolutely nothing. it’s the same as writing
        Code:
        1 == 2;
        I had a lot of trouble with PHP header's. I kept getting errors
        that’s why you normally make the output the last thing in your script. (cf. IPO Model)


        • tdrsam
          New Member
          • May 2015
          • 97

          #5
          I could swear there were some other replies to this question that I can't find now. There was one explaining that those lines were incorrect because of the double equals signs. They needed single ones, which was correct. You're right about the second one (the password one), that was doing nothing.

          I found I needed two headers in a single script, so I went with the JS redirects instead.


          • Dormilich
            Recognized Expert
            • Aug 2008
            • 8694

            #6
            There was one explaining that those lines were incorrect because of the double equals signs.
            if those lines were in a comparison statement (e.g. if()) then there are some cases where it could make a difference (esp. when the session value is not a string).

            I still say that the lines as posted do nothing at all.
