Login Confirmation


#1

I have a website that I locked with a login page. The login page takes you to page1.html if you log in correctly. But if I just type in website.com/page1.html you can see the page.

I discovered I can use Session_Start(), but what I got working is also affecting genuine login(s). So is there some code I can put at the top to check whether you came from the login page?


#2

You have to make your page .php, and at the top of the page, after the `<?php` tag, call `session_start();`. Where the login function is performed, initialize some session variables, like:

```php
<?php
session_start(); // must run before $_SESSION is used

if ($_POST['username'] == 'test' && $_POST['password']) {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['sid'] = session_id();
    header("location:page1.php");
    exit; // stop the script once the redirect is sent
}
?>
```

On the page, you have to check that the session variables are initialized, at the top of the page:

```php
<?php
session_start();

// Send visitors back to the login page unless both session variables are set
if (!isset($_SESSION['username']) || !isset($_SESSION['sid'])) {
    header('Location:login.php');
    exit; // without this the rest of the page is still sent
}
?>
```

You can make a single PHP file, with any name, containing the above checking code and include it in any page you want to show only to registered users.


#3

@abrarazeem, I have done something like this but it is not allowing both genuine logins; it only returns my error message and executes the location target. The kind of login system I have is one whereby the accounts are different from one another and so are the pages.
So I have decided to post my login code; maybe that will help out.

```php
<?php
require_once("lib/db.php");

if ($_POST && !empty($_POST['username']) && !empty($_POST['password'])):
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    // The posted values are concatenated straight into the query string
    $query = "SELECT username,password,account from login WHERE username='" . $username . "' AND password='" . $password . "'";
    $row = mysql_query($query);
    $nos = mysql_num_rows($row);
    $sql_row = mysql_fetch_array($row);
    // Redirect by account type; no session variable is set here
    if ($sql_row['account'] == 'admin') {
        header("location:admin.php");
    } elseif ($sql_row['account'] == 'usher') {
        header("location:usher.php");
    } else {
        echo "One of your input is wrong please check again and re-log in ";
    }
endif;
?>
```

Thank you for your response


#4

All you need to do is:

  1. Change the file name for “page1.html” to “page1.php”

  2. Create a new file with the name ‘authcheck.php’.

  3. Copy the following code into the file.
```php
<?php
// Start the session if the including page has not, so $_SESSION is available
if (session_id() === '') {
    session_start();
}
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    header('location:login.php');
    exit; // stop here so the protected page is not sent
}
?>
```

  4. At the very top of any page you like to restrict access to logged in users only, add this line of code:

```php
<?php include_once 'authcheck.php';?>
```

  5. Change the content of your login.php file to this:

```php
<?php
session_start();
require_once("lib/db.php");

if (
    isset($_POST['username']) && isset($_POST['password']) &&
    !empty($_POST['username']) && !empty($_POST['password'])
):
    $username = addslashes($_POST['username']);
    $password = md5($_POST['password']);
    $query = "SELECT username,password,account from login WHERE username='{$username}' AND password='{$password}'";
    $row = mysql_query($query);
    $nos = mysql_num_rows($row);
    if ($nos) {
        $sql_row = mysql_fetch_array($row);
        // Mark the session as logged in before redirecting by account type
        if ($sql_row['account'] == 'admin') {
            $_SESSION['logged_in'] = true;
            $_SESSION['admin'] = true;
            header("location:admin.php");
            exit; // stop the script once the redirect is sent
        } elseif ($sql_row['account'] == 'usher') {
            $_SESSION['logged_in'] = true;
            header("location:usher.php");
            exit;
        }
    } else {
        echo "One of your input is wrong please check again and re-log in ";
    }
endif;
?>
```


#5

@Doctorfox, I have tried the code but I noticed that it is not allowing both genuine and fake login.
Can you please help check the code again?


#6

Is there no one in this place that can solve this issue for me? Woops


#7

You still on this matter?
Anyway, what error are you getting?


#8

@OLSylas, the code is not allowing genuine logins


#9

Are you encrypting your password before you save it in the database? If not, then you shouldn’t use md5() for password. Just try the easy way first;

```php
<?php
session_start();
require_once("lib/db.php");

if (!empty($_POST['username']) && !empty($_POST['password'])):
    $username = mysql_real_escape_string($_POST['username']); // or mysql_escape_string($_POST['username'])
    $password = mysql_real_escape_string($_POST['password']);
    // and so on
endif;
```

#10

@OLSyla. The password field in the database is set md5 but the issue I have is that even with all this code it is not allowing genuine logins.


#11

What I am saying is this.
Try the whole process without a password encryption first. Unset md5 for DB store password and the verification passed password. I am even wondering how you want to decrypt an md5 password whilst verifying.


#12

@OLsylas, if I get you right, you want me to remove every verification process, at that the pages are going. Also, the username and password are created by the admin; all the user can do is to log in. The md5 for the password has already been set in the database.


#13

@adeleke06, thought this had been solved since.
Try replacing the double == in the first code snippet I posted with a single =.
i.e.
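```php
<?php
// Start the session if the including page has not, so $_SESSION is available
if (session_id() === '') {
    session_start();
}
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != true) {
    header('location:login.php');
    exit; // stop here so the protected page is not sent
}
?>
```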


#14

Remember that you should only include the following code in the files you wish to restrict access to.
```php
<?php include_once 'authcheck.php';?>
```
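
The login-and-guard flow the posts above are working toward, as an added example that is not any poster's code: the user is looked up with a bound parameter, the password is checked with `password_verify()` instead of comparing `md5()` strings, and the guard calls `session_start()` before reading `$_SESSION` and `exit`s after the redirect. It assumes PHP 7.1+ with PDO and that the `login` table's `password` column holds `password_hash()` output; all function names are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.1+ with PDO and a `login`
// table storing password_hash() output; all function names are hypothetical.

// Returns the account type ('admin', 'usher', ...) or null if login fails.
function authenticate(PDO $db, string $username, string $password): ?string {
    // Bound parameter: the username is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT password, account FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A hash is not decrypted: password_verify() hashes the input with the
    // salt and cost embedded in the stored value and compares the results.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['account'];
}

// login.php calls this after session_start() once authenticate() succeeds.
function login_user(string $username, string $account): void {
    session_regenerate_id(true); // fresh session id for the logged-in user
    $_SESSION['username'] = $username;
    $_SESSION['account'] = $account;
}

// May a session with this data view a page limited to $allowed account types?
function is_allowed(array $session, array $allowed): bool {
    return isset($session['account']) && in_array($session['account'], $allowed, true);
}

// The role of authcheck.php: call at the very top of each protected page.
function require_login(array $allowed): void {
    if (session_id() === '') {
        session_start(); // $_SESSION is not populated before this
    }
    if (!is_allowed($_SESSION, $allowed)) {
        header('Location: login.php');
        exit; // stop so the page body is never sent
    }
}

// Constructed demo (CLI only): in-memory SQLite stands in for the real database.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE login (username TEXT, password TEXT, account TEXT)');
    $db->prepare('INSERT INTO login VALUES (?, ?, ?)')
       ->execute(['alice', password_hash('demo-pass', PASSWORD_DEFAULT), 'admin']);
    var_dump(authenticate($db, 'alice', 'demo-pass'), authenticate($db, "o'brien", 'x'));
    var_dump(is_allowed(['account' => 'usher'], ['admin']));
}
```

In this sketch admin.php would begin with `require_login(['admin']);` and usher.php with `require_login(['usher']);`, so each account type reaches only its own page.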


#15

@doctorfox, thanks for your response but it is still the same issue. The issue is that by typing the address directly it will not allow login; all it does is redirect you to the index page. But the issue is that you cannot log in to the page, irrespective of your account type, from the login page. @doctorfox, that is the issue I have concerning the process. Expecting your reply soon. Thanks.


#17

First, I think you need to tell us what the problem is more clearly. My guess is your redirect page (the one that holds the code you posted) doesn’t redirect. I suggest you remove the ’
’ on the first line; this can prevent the header from redirecting.


#18

@codegidi, I am not getting your explanation. Can you please be more elaborate?