Login Problems...

[jabird]

This has been posted in a previous thread, though it was off-topic and stopped getting replies, so I thought I'd put it here, to give my current problem more exposure... so sorry if you've read this already.

Ok, in index.php I have an if, else script... if I'm logged in, it gives me a link to the admin section, and a logout button, else, it gives me a login link...

So I goto index.php, select login, give it my user/pass, it takes me to admin.php, when I click view site, it acts like I'm not logged in... I click login, it asks me to login again...

Also, anytime I directly access admin.php, it tells me I'm using an incorrect username... it never includes login.php...

I will post some code if you need it...

Thanks,

[bigduke]

can you post your script in [ php][/ php] tags please?

[jabird]

eh... my login pages are:

index.php
login.php
includes/login.inc.php
admin.php
includes/secure.inc.php
includes/access.inc.php
includes/conf.php

which one(s) do you need?

~Jabird

[jabird]

Any ideas?

[spikeZ]

Post login.php, admin.php and outline briefly what is in the includes.

Cheers

SpikeZ

[jabird]

login.php:

PHP Code:

<?php require_once 'includes/login.inc.php'; ?>

login.inc.php:

PHP Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="httpd://www.w3.org/1999/xhtml">
<head>
<title><?php echo $page_title; ?> - Login Required for Acess</title>
<meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Please log in for access</h1>
<div>
    <form action="admin.php"
        method="post">
    <label>User name:
        <input type="text" name="username" /></label><br />
    <label>Password:
        <input type="password" name="password" /></label>
    <input type="submit" value="Log In" />
</form>
</div>
</body>
</html>

admin.php:

PHP Code:

<?php require 'includes/secure.inc.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "httpd://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title><?php echo $page_title; ?> - Administration Area</title>
<meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Administration Options</h1>
<ul>
    <li><a href="index.php">View Site</a></li>
    <li><a href="editindex.php">Add News</a></li>
    <li><a href="addauthor.php">Add a new Author</a></li>
    <li><a href="authors.php">View Authors</a></li>
</ul>
<p><a href="<?php echo $_SERVER['PHP_SELF']; ?>?logout=1">Logout</a></p>
</body>
</html>

secure.inc.php:

PHP Code:

<?php
require_once 'access.inc.php';
if (!loggedIn()) {
    include 'login.inc.php';
    exit;
}
?>

I could crawl deeper if you need, but that probly gets the idea across...

[spikeZ]

where is loggedIn() being set?
are you sure it is set correctly?
there is a possiblility that it isn't if you are getting booted out after having logged in.

[jabird]

access.inc.php:

PHP Code:

<?php
require_once 'conf.php';

if(!isset($_SESSION['authorized'])) {
    if(array_key_exists($_POST['username'], $users)) {
        // the user entered a valid username, test the password
        if($_POST['password']!=$users[$_POST['username']]) {
            // incorrect password!
            die('Incorrect Username or PASSWORD!');
        } else {
            $_SESSION['authorized'] = true;
        }
    } else {
        // unkown username
        die('Incorrect USERNAME or Password!');
    }
}

function loggedIn() {
    return isset($_SESSION['authorized']);
}

// Process logout
if (isset($_REQUEST['logout'])) {
    unset($_SESSION['authorized']);
}
?>

Has the loggedIn() function...

[jabird]

Also, in order to password protect a page, i would add:

<?php require 'includes/secure.inc.php'; ?>

well, index.php isn't password protected, but I want it to check if someone is logged in, so it shows the right links... how would I do this?

~jabird

[ColinHughes]

Can you post your conf.php code

Colin

[jabird]

PHP Code:

<?php
################################
## All content is © Copyright ##
## Jacob D. Jerrell and C & S ##
##          Consulting        ##
## If you have any questions, ##
##   Look in /docs/contact    ##
################################
// MySQL information
$site_ip = 'localhost'; // localhost will usually work just fine
$mysql_user = 'mysql'; // Your MySQL username
$mysql_pass = 'password'; // Your MySQL password
$database = 'name'; // Your database name
// Global Variables
$page_title = 'JabirdCMS'; // Shows up at the top of all pages
$users = array();  // DO NOT CHANGE!
## I have set this up for 2 admins, because for the
## project I made this for, 2 where needed, and I thought it might be nice to have two anyway...
## TO USE:
## The first line is admin #1
## Edit the part in brackets for your username (Leave the quotes)
## edit the part outside the brackets "yourpass" for your password (leave the quotes)
## do the same for admin #2...
## NOTE: If you only want 1 admin, just use the same user/pass you used in the first line.
$users['admin1'] = 'pass1';
$users['admin2'] = 'pass2';
?>

[ColinHughes]

Are you putting <?php require 'includes/secure.inc.php'; ?> on the very first line of each page you are trying to protect?

[jabird]

Yes, the only protected page so far, is admin.php, let me add it to another and see if it keeps the loggedIn setting...

[jabird]

Ok, when I add that to a file I want protected, it says:

"Incorrect USERNAME or Password!"

Which is another problem I think I left out, I can goto login.php and login, then it takes me to admin.php and it works, but when I goto admin.php, it tells me incorrect user/pass, instead of showing me the page or showing me login.php...

Thanks,


EDIT: 100th Post

[ColinHughes]

Can you view admin.php if you enter it into your browser? You say "when I click view site" are you attempting to navigate away from admin.php and look at other pages?

Colin

[jabird]

if I enter admin.php in my browser, it says:

Incorrect Username...

if I login, it takes me to admin.php, in admin.php there is a link called "View Site" when that is clicked it takes me to index.php...

[spikeZ]

Why not try a different login system? This one seems a little over complicated for what you want to do. Not to mention less secure.

If you want to verify a user from hard coded values and not database, there are other ways of doing it!

BTW Congrats on the 100 posts

[jabird]

The login script I wrote there, was made from loosely following:

"Build Your Own Database Driven Website Using PHP & MySQL" by Kevin Yank.

I have OBSOLUTELY no problem with a database-based login system, because when I get the admin section in place and all, I'll be able to make users, and I want to submit there username/pass(md5hashed) to a database anyway...

If you could point me to a good guide for something like this, that would probly work wonders

Thanks,

[spikeZ]

If I come across one, I will post it! have a look on zend.com, they usually have some fine tutorials as well as Sitepoint (obviously!)

Cheers

Mike

[ColinHughes]

I put this together a while ago maybe it will be of use:

Login.php

PHP Code:

<?php

// Initialize Session
session_start();
header ("Cache-control: private") ; //IE 6 Fix


// Check for previous authentication
if ( isset($_SESSION['auth']) )
{

$loc = 'index.php' ;
header("location:$loc");
exit;
}

// Error Messages
$msg = array();
$msg['login'] = 'Login to access client section';
$msg['invalid'] = 'Username/password incorrect';
$msg['logout'] = 'Log out successful';

// Check for error
if ( isset($_GET['reason']) && !empty($_GET['reason']) )
{
$error = $_GET['reason'];
echo '<font color="#FF0000"><b>' . $msg[$error] . '</b></font><br />';
}

?>

<FORM method="post" action="process_login.php" onSubmit="return validateForm(this)">
<p align="center">
<p>Please enter your Username and Password below and Login.</p>
<p>Username:
<input type="text" name="username" value="" class="inputbox">
<br>
<br>
Password:
<input type="password" name="password" value="" class="inputbox">
<p class="copy">
<input type="submit" name="do_login" value="Login" class= "button">
</p>
</form>

Process_login.php:

PHP Code:

<?php

// Initialize Session
session_start();
header ("Cache-control: private") ; //IE 6 Fix

// Check for previous authentication
if ( isset($_SESSION['auth']) )
{

$loc = 'index.php' ;
header("location:$loc");
exit;
}

// Database Connection
$dbh = @mysql_connect('localhost','','');
if ( !$dbh )
{
die ('Database Error - Connect');
}
@mysql_select_db('your_database',$dbh);

// Get Form Contents
if ( isset($_POST['do_login']) )
{
$username = trim($_POST['username']);
$password = trim($_POST['password']);

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password' LIMIT 0,1";

$result = @mysql_query($sql);
if ( !$result )
{
die('Database Error - Query');
}
if ( mysql_num_rows($result) == 1 )
{
$_SESSION['auth'] = 1;
$_SESSION['username'] = $username;

$loc = 'index.php';
header("location:$loc");
exit;
}
else
{
$loc = 'login.php?reason=invalid';
header("location:$loc");
exit;
}

}
else
{
$error_loc = 'login.php?reason=login';
header("location:$error_loc");
exit;
}

?>

Index.php:

PHP Code:

<?php //<-- Place this at line 1 of page you want to protect

// Initialize Session
session_start();
header ("Cache-control: private") ; //IE 6 Fix

// Check for previous authentication
if ( !isset($_SESSION['auth']) )
{
$loc = 'login.php?reason=login';
header("location:$loc");
exit;
}

?>

Logout.php:

PHP Code:

<?php

// Initialize Session
session_start();

// Destroy Session
$_SESSION = array();
session_destroy();

// Redirect to login.php
$loc = 'login.php?reason=logout';
header("location:$loc");
exit;

?>

Datapage.php

PHP Code:

<?php //<-- Place this at line 1 of page you want to protect

// Initialize Session
session_start();
header ("Cache-control: private") ; //IE 6 Fix

// Check for previous authentication
if ( !isset($_SESSION['auth']) )
{
$loc = 'login.php?reason=login';
header("location:$loc");
exit;
}

?>


<?php
// connect to database

$dbcnx = @mysql_connect('localhost', '', '');
if (!$dbcnx) {
echo( '<p>Unable to connect to the ' .
'database server at this time.</p>' );
exit();
}

if (! @mysql_select_db('your_database') ) {
die( '<p>Unable to locate the ' .
'database at this time.</p>' );
}
?>


<?php
$result = mysql_query("SELECT * FROM tablename
WHERE username= '". $_SESSION['username']."'") or die (mysql_error());

while ($row = mysql_fetch_assoc($result)) {
print $row['fieldname'];
}
?>

Colin

[jabird]

Index.php:

PHP Code:

<?php //<-- Place this at line 1 of page you want to protect

// Initialize Session
session_start();
header ("Cache-control: private") ; //IE 6 Fix

// Check for previous authentication
if ( !isset($_SESSION['auth']) )
{
$loc = 'login.php?reason=login';
header("location:$loc");
exit;
}

?>

So if I don't want index.php to be protected, I don't add that, but for any script I want protected, I would add that little script?

Thanks alot, this should help a bunch...

EDIT: Also, again, I want index.php to have a script that checks if I'm logged in, and if I am, it has a logout link and a link to admin.php if I'm not logged in, it has a login link...

EDIT2: Again, is datapage.php required? or just an example page?

[ColinHughes]

PHP Code:

<?php //<-- Place this at line 1 of page you want to protect

// Initialize Session
session_start();
header ("Cache-control: private") ; //IE 6 Fix

// Check for previous authentication
if ( !isset($_SESSION['auth']) )
{
$loc = 'login.php?reason=login';
header("location:$loc");
exit;
}

?>

This simply checks for the session variable on each protected page. If the variable has not been set it brings up the login page.

Have fun

Colin

[ColinHughes]

datapage is just an example.

Colin

[jabird]

Now, in index.php I want it to check if I'm logged on, and if I am, it shows:
<a href='admin.php'>Admin</a>
<a href='logout.php'>Logout</a>

if I'm not logged in, it shows:

<a href='login.php'>Login</a>

how do I do this, without requiring someone to login to view index.php?

EDIT: Ok, I am setting up my database to work with your script...

So would I make something like:

CREATE TABLE users (
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
username TEXT,
password TEXT(?)
);

? And then just setup your script to make use of that? or am I way off?

[ColinHughes]

Hey Mike

You want to take over here with if else statements