
Password protection

Status
Not open for further replies.

Netwrkengeer

IS-IT--Management
Apr 4, 2001
184
US
I have a password protection script, but I don't know how to use it. I'm confused about how to protect a full section of the site: how does the script know what web pages are associated with that particular session? And how do I set this script up to access a MySQL database to get authentication info?

```php
<?php
// --------------------------------------------------------------------------------
// Topic: Authentication using cookies and filebased password/login list
// Author: Copyright (c) by Urs Gehrig <admin@circle.ch>
// Version: 1.0.0
// Update: 19-7-2000
// Licence: ?
// PHP: php-4.0.0-win32
// Browser: IE 5, Netscape 4.7
//
// Handling: This might be your startup index.php file, where you check the
// users.
//
// Note: $login, $passwd, $sent and $valid are read as plain globals, so the
// script relies on register_globals (the PHP 4.0 default at the time).
//
// Enjoy!
// --------------------------------------------------------------------------------


// --------------------------------------------------------------------------------
// functions
// --------------------------------------------------------------------------------

// Client-side redirect: emits a snippet of JavaScript that loads $cmd.
function redirect($cmd){
?>
<SCRIPT language=JavaScript>
window.location.href="<?php echo $cmd; ?>";
</SCRIPT>
<?php
}

// --------------------------------------------------------------------------------
// main
// --------------------------------------------------------------------------------

$header = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>login form</TITLE><link rel="stylesheet" href="style.php"></HEAD><BODY>';
$footer = '</BODY></HTML>';

// No form data and no "valid" cookie yet: show the login form.
if (!isset($login) and !isset($passwd) and !$valid):
echo $header;
?>
<form method="post" action="<?php echo basename($PHP_SELF); ?>" name=loginform>
login: <input type="text" name="login" maxlength=50 size=10 style="width: 90px; font-size: 10px">
password: <input type="password" name="passwd" maxlength=50 size=10 style="width: 90px; font-size: 10px">
<input type=submit value="login" name="sent" style="width: 30px; height: 18px; font-size: 10px">
</form>

<script language=JavaScript>
<!--
if (document.loginform) {
document.loginform.login.focus();
}
// -->
</script>
<?php
echo $footer;

// Form submitted: compare login/password with each "login,password" line of password.txt.
elseif(isset($sent)):
$login_ok = 0;
$fp = fopen("password.txt", "r");
while (feof($fp) == 0):
$line = chop(fgets($fp,1000));
$arr = split(",", $line);
if (($arr[0] == $login) and ($arr[1] == $passwd)):
$login_ok = 1;
$cookie_life = 1*24*3600; // cookie lifetime in seconds (e.g. here: 1 day)
setcookie("valid",$login_ok,time()+$cookie_life); // this cookie is all later pages check
continue;
endif;
endwhile;
fclose($fp);
if($login_ok):
redirect("your_next_file.txt"); // for first-time users
else:
?>
You better choose a valid login/password!&nbsp;&nbsp;<a href="<?php echo basename($PHP_SELF); ?>">Try again</a>
<?php
endif;
endif;

if($valid and !$sent) redirect("your_next_file.txt"); // for continued use during cookie lifetime

?>
```
 
Sessions sound like magic, until you know how they work.

Plain and simple, when a session is started, a file on the server is created with a unique name. Usually this file is in /tmp, or /var/tmp, but you can change the session repository location in php.ini.

The file might look like /tmp/sess_0806afc96341022fdb528109df5382bd

This file stores whatever variables are associated with that session id (the filename). Thus, if the browser proceeds to another page with the query string `?PHPSESSID=0806afc96341022fdb528109df5382bd`, then that page can now check for any variables that have been set in the session file. Thus many variables are available from one page to the next, and all we have to do is keep track of one identifier variable to access all the other ones. $PHPSESSID can also be set as a cookie, so it doesn't even need to be on the URL string (this is PHP's default behavior). This all happens automatically, whenever you use session_start() at the top of a PHP file (before any headers).

So, it's very easy for the script to "know" what to do with session data.

Now, I have news to break to you: the above script doesn't use sessions. It just uses a cookie to store a couple of variables. This is OK, but much more limited than sessions, and much less secure. Sessions can store any variables you want, without explicitly setting cookies for each variable.

Basically, the above script takes the user's username/password entry, then sets a cookie with several values. Upon navigating to the next page, this cookie essentially says "I'm OK, they already checked me in". But that's it! Something like this can be very easily spoofed by someone who knows how to play with HTTP headers.

Some PHP authentication scripts actually store the username and password in clear text in a cookie. This is just great. Now, every time the browser accesses another page, that cookie is passed again to the server, with username and password in plain text. A network traffic sniffer's dream. Also, there have been many documented cases of other websites capturing cookie information not meant for them.

I really recommend you take the time to study sessions a little more, or find a good authentication library that uses sessions. Try searching through
Also, read the article on sessions at
There are also several articles on sessions at

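As an added example (not code from the thread, and not by the script's author), this is what the session-based version of the same login looks like, and it also covers the MySQL part of the question: the `users` table layout, the connection parameters, the `login.php`/`your_next_file.php` names and the `password_hash` storage format are all assumptions.

```php
<?php
// Added example (not from the original thread): session-based login for the
// protected section, with credentials checked against MySQL instead of password.txt.
// Assumed table: users(username VARCHAR(50) PRIMARY KEY, password_hash VARCHAR(255)),
// where password_hash was produced by password_hash($pw, PASSWORD_DEFAULT).
// Include this file first in every page of the protected section.
session_start();   // before any output: reads or sets the PHPSESSID cookie

function db(): PDO {
    // Hostname, database and credentials are placeholders; adjust for your server.
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Check a login/password pair against the users table; true on success.
function check_login(PDO $pdo, string $login, string $passwd): bool {
    $st = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$login]);               // prepared statement: no SQL injection
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($passwd, $row['password_hash']);
}

// Any page in the protected section calls this instead of trusting a "valid" cookie:
// the proof of login lives in the server-side session file, not in the browser.
function require_login(): void {
    if (empty($_SESSION['user'])) {
        header('Location: login.php');    // assumed name of the page showing the form
        exit;
    }
}

// Log out: clear the server-side data and expire the session cookie.
function logout(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Handle the submitted form (same field names as the original script).
if (isset($_POST['login'], $_POST['passwd'])) {
    if (check_login(db(), $_POST['login'], $_POST['passwd'])) {
        session_regenerate_id(true);          // fresh id on login: blocks session fixation
        $_SESSION['user'] = $_POST['login'];  // kept in the session file, never sent to the client
        header('Location: your_next_file.php');
        exit;
    }
    $error = 'Invalid login/password';        // show this above the form
}
```

Every page of the protected section then starts with `require 'auth.php'; require_login();`, so the only thing the browser ever holds is the opaque session id.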
 