
login security

Hi, what's the code to keep the login safe? I mean, after people log in by entering a username and password, I do not want other users to be able to access my web admin just by entering the URL without logging in first.

Note: the admin folder has many pages too, which are restricted to the administrator only.

How do I keep those pages secure?

I have already written the login page, but as of now, others can enter the admin page just by entering the URL.

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

My friend, it is not complex to do, but I must tell you, I haven't done something like this in years, since I started using some RAD tools; they create that automatically for you, so why would I lose time developing that security stuff anymore?

Is it good? The code? Yes. Good for me? Yes, it saves me time, but it is starting to create a gap in some specific knowledge about programming.

Shamrocks
Newbie Poster
10 posts since Oct 2011
Reputation Points: 11
Solved Threads: 1
 

Hi davy_yg,

first, put a file named ".htaccess" in the folder you want to protect. Right now, I'm not sure whether you actually have to put something in it, or whether Apache won't let anyone access that page when the file exists. Just fish for some info if it's not working.

Then you have to give permission to each user that shall be allowed to access these pages. Simply put a flag in your database and check at the top of a script (put somewhere other than your protected folder) whether it is set or not. If access is granted, you can include these files with "include" or "require".
Apache will only deny HTTP accesses. With PHP, you can still work with that folder like before.

I'm wondering if that's all. But I can't think of anything else to do... Try it out and report back if it's not working.

Hope that helps, Simon

sDJh
Posting Whiz in Training
259 posts since Aug 2005
Reputation Points: 56
Solved Threads: 29
 

See an example here:

http://www.daniweb.com/web-development/php/code/379236/page2

Have a look at the last post with the improved code (the code in the first post was rightly criticised for its lack of security measures).

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

I receive this error:

Deprecated: Function session_is_registered() is deprecated in C:\xampp\htdocs\Masterlink\cgoods\admin.php on line 28

admin.php

<?php

session_start();

if(!session_is_registered("username")){

    // redirect to index.php
    header("location:index.php");
}

?>


I placed the above code at the top of the admin page.

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

The function session_is_registered() is deprecated (as the notice says), which means that it might be dropped in the future and you are discouraged from using it. See http://php.net/manual/en/function.session-is-registered.php . Check the session variable instead, which has the same effect:

<?php

session_start();

if(!isset($_SESSION['username'])){

    // redirect to index.php
    header("location:index.php");
}

?>

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

There are a couple of security issues to deal with:
1. Prevent unauthorized logins. Here you will meet the greatest threat, SQL injection. Once you deal with that through data validation, whitelisting and prepared statements you are ready for the next challenge.

2. You need to prevent your authentication data, mostly the session, from being hijacked and used against the system. Here you will meet jargon like session fixation et al. This can be fixed using different techniques already on the net if you are diligent in searching.

3. Lastly you will need to check what you are inputting/outputting. User data is never to be trusted, so validation, validation, validation, then cleaning. Also, when you output data you need to escape it to prevent any XSS attacks.

So in summary:
Guard against SQL injection
Protect your session from any attacks
Validate/escape inputs and outputs from and to users/browsers

I would suggest you do it yourself if you think your level allows you or that your site is not storing sensitive info. Otherwise I would suggest you check ready-made solutions or use something like OpenID.

evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
 

The simple answer to your question: on every page you want to protect, you need to check if the user is logged in.

How to check if the user is logged in depends on your implementation.

Here is a simple login scenario:

1) Login page with {user} and {pass}
2) Validate {user} and {pass} and issue that user a {session_key}
3) On every page you protect, check for a valid {session_key}

That is all there is to password-protected pages.

digital-ether
Nearly a Posting Virtuoso
Moderator
1,293 posts since Sep 2005
Reputation Points: 461
Solved Threads: 101
 

The function session_is_registered() is deprecated (as the notice says), which means that it might be dropped in the future and you are discouraged from using it. See http://php.net/manual/en/function.session-is-registered.php . Check the session variable instead, which has the same effect:

<?php

session_start();

if(!isset($_SESSION['username'])){

    // redirect to index.php
    header("location:index.php");
}

?>


I did try placing:

<?php

session_start();

if(!isset($_SESSION['username'])){
    // redirect to index.php
    header("location:index.php");
}

?>


above admin.php (the admin page), but why am I still able to enter the admin page simply by typing ../admin.php without logging in?

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

One possible reason could be that you are only checking for the existence of username in the session but not its value. Try it this way:

<?php
session_start();

// say that user johnybegoode has successfully logged in and $_SESSION['username'] was set
// to johnybegoode

if(!isset($_SESSION['username'] or $_SESSION['username'] !='johnybegoode')){
    // redirect to index.php
    header("location:index.php");
}
?>


Another reason could be that you do not unset $_SESSION['username'] upon unsuccessful login or upon logout.

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

One possible reason could be that you are only checking for the existence of username in the session but not its value. Try it this way:

<?php
session_start();

// say that user johnybegoode has successfully logged in and $_SESSION['username'] was set
// to johnybegoode

if(!isset($_SESSION['username'] or $_SESSION['username'] !='johnybegoode')){
    // redirect to index.php
    header("location:index.php");
}
?>

Another reason could be that you do not unset $_SESSION['username'] upon unsuccessful login or upon logout.

admin.php

<?php

session_start();

if(!isset($_SESSION['username'] and $_SESSION['username'] !='guest')){
    // redirect to index.php
    header("location:index.php");
    unset($_SESSION['username']);
}

?>


Parse error: syntax error, unexpected T_LOGICAL_AND, expecting ',' or ')' in C:\xampp\htdocs\Masterlink\cgoods\admin.php on line 28

line 28: if(!isset($_SESSION['username'] and $_SESSION['username'] !='guest')){

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

Sorry, my typing error. It should be:

if(!isset($_SESSION['username']) and $_SESSION['username'] !='guest'){


I usually check code before I post but haven't done so this time.

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

admin.php

<?php

session_start();

if(!isset($_SESSION['username']) and $_SESSION['username'] !='user'){
    // redirect to index.php
    header("location:index.php");
    unset($_SESSION['username']);
}

?>

<div id="header">
      <p><a href="#">Home </a>| <a href="index.php">Logout </a>| <a href="admin.php">Admin Panel</a></p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
    </div>


Oh, I wonder why I am still able to enter the admin panel just by typing ../admin.php in the URL. Maybe I have not unset the session yet. How do I code the unset upon logout?

On click logout - unset($_SESSION['username']); ?

Also, is there any other necessary code before this that I need to type to set the session?

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

On your login page you should start with

// start session
session_start();

// unset any session data until user submits valid username and password
unset($_SESSION);

Then when the user enters a valid username (i.e. johnybegoode) and password, set the session variables you need, such as

$_SESSION['username'] = 'johnybegoode';

Then on other pages for that user first check for a valid username using the code from the previous post

<?php
session_start();

// say that user johnybegoode has successfully logged in and $_SESSION['username'] was set
// to johnybegoode

if(!isset($_SESSION['username'] or $_SESSION['username'] !='johnybegoode')){
    // redirect to index.php
    header("location:index.php");
}
?>

Then provide a logout link which points to the login page. When the user clicks on it (logs out) the session is unset on the login page first.

Option 2: your logout link can point to some other page (logout.php) where you can thank the user, unset the session, do other cleanup, log the event etc. and automatically redirect to the login page.

Note: you cannot unset the session with a JavaScript onclick directly; you have to use Ajax and implement a JavaScript function that calls a PHP script that unsets the session, but that is a more complex topic.

Even more important note: in this example nothing was said about security. Make sure you do all the security exercises when dealing with input and session. See previous posts in this thread and other threads here and around.

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

Well, these are some things that I have done:

This is the code that processes the login page:

proseslogin.php

<?php

// start session
session_start();

// unset any session data until user submits valid username and password
unset($_SESSION);

$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$login = isset($_POST['login']) ? $_POST['login'] : '';

// function
function periksa($username, $password) {
    if (($username == "guest") and ($password == "guest")) {
        return true;
    } else {
        return false;
    }
}

// check
if (periksa($username, $password)) {
    $login = true;
} else {
    echo "Wrong user ID or password!";

    header("Location: http://localhost/Masterlink/cgoods/index.php");
}
if ($login) {
    echo "Di sini blok aplikasi setelah login dilakukan";
    echo "You are successfully login!";

    // create the session username
    $_SESSION['username'] = 'guest';
    header("Location: http://localhost/Masterlink/cgoods/admin.php");
    exit();
}

?>


This is the code at the top of the admin page:

admin.php

<?php

session_start();

if(!isset($_SESSION['username']) and $_SESSION['username'] !='guest'){
    // redirect to index.php
    header("location:index.php");
    unset($_SESSION['username']);
}

?>

<div id="header">
      <p><a href="#">Home </a>| <a href="logout.php">Logout </a>| <a href="admin.php">Admin Panel</a></p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
    </div>


logout.php

<?php

echo "You will be logout from the admin page.";

// unset any session data
unset($_SESSION);

header("Location: http://localhost/Masterlink/cgoods/index.php");
exit();

?>


My question is: why am I still able to enter the admin page (../admin.php) without logging in, just by typing the URL?

What's lacking in my code?

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

On the proseslogin.php page, line 39 would make more sense if it were:

$_SESSION['username'] = $username;

so it works for any user.

On the admin.php page do the unset first and then redirect (swap lines 9 and 10).

On the admin.php page the condition statement is wrong. It should be:

if(!isset($_SESSION['username']) or $_SESSION['username'] !='guest')

But I am confused here, since I assume that guest should not be allowed to access the admin page!? So what is really the condition you want to check?

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

guest is just a sample user. I won't use that user in the actual site.

But the thing is I am still able to access the admin page just by typing ../admin.php

I already fixed the code as directed. I also already logged out.

I tried to log back in just by typing the previous URL ../admin.php and I was directly logged in to admin without having to type the username and password.

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

Make sure you do not send any character (not even a space) before the header directive on line 9, otherwise the header will not be sent. You can test that if you put the code

if(headers_sent()) {
    echo 'Headers have already been sent';
}


after line 10 in admin.php. If you see this notice then you have sent some content before sending the headers.

If you post the complete code for your pages I can test them in my environment, but not before tomorrow since I have to finish a project for a customer tonight. Meanwhile you can put the following code:

print_r($_SESSION);


or

// die() takes a string, so render the array first
die(print_r($_SESSION, true));


in various places to check whether the contents of the session are what they should be. Appropriate places would be lines 8 and 12 in admin.php, line 8 in logout.php etc.

broj1
Posting Whiz
359 posts since Jan 2011
Reputation Points: 29
Solved Threads: 43
 

Unset the session, then destroy it:

unset($_SESSION);
session_destroy();

evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
 

Now, after I destroy the session, I cannot log in to admin.php at all, neither by entering the URL nor by logging in.

I inserted session_destroy(); by accident in proseslogin.php instead of in logout.php only. Now I am leaving session_destroy(); in logout.php only.

I am still unable to log in though, even if I enter the correct username and password.

----------

Never mind, I am able to log in again using the correct username and password after commenting out unset($_SESSION); in proseslogin.php and using it again. But then, the situation returns to the first condition, where I am able to enter admin.php by URL besides logging in.

davy_yg
Posting Whiz
377 posts since May 2011
Reputation Points: 10
Solved Threads: 0
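Pulling the thread together, here is an added example (not code posted by any participant) of the three-step flow digital-ether described and the login/check/logout layout broj1 suggested, written as one auth.php to require at the top of proseslogin.php, every admin page and logout.php. demo_users() and its sample account are constructed stand-ins for the database lookup; the code starts the session before touching it on every page (including logout), avoids unset($_SESSION), exits after the redirect header and authorizes on a stored role rather than a hard-coded username.

```php
<?php
// Added example (not code from this thread); demo_users() is a constructed stand-in.
declare(strict_types=1);
// Constructed account store: a real site reads this from its database with a prepared
// statement and stores only the password_hash() output, never the plain password.
function demo_users(): array {
    return ['johnybegoode' => ['role' => 'admin',
            'hash' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)]];
}
function ensure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
}

// Step 2: validate {user} and {pass}. On success regenerate the session id so an id the
// browser held before login (session fixation) never becomes an admin session.
function login_user(string $username, string $password): bool {
    ensure_session();
    $_SESSION = [];                   // clear leftovers; do NOT unset($_SESSION)
    $row = demo_users()[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['role'] = $row['role']; // authorize on role, not on a hard-coded name
    return true;
}

// Step 3: first statement of every page in the admin folder, before any output (even a
// blank line before the opening PHP tag counts and stops header() from working). The
// exit matters: a Location header alone does not stop PHP from rendering the page.
function require_admin(string $login_page = 'index.php'): void {
    ensure_session();
    if (($_SESSION['role'] ?? '') !== 'admin') {
        header('Location: ' . $login_page, true, 303);
        exit;
    }
}

// Logout: the session must be started before it can be destroyed; a logout.php that
// skips session_start() changes nothing and the old session id keeps working.
function logout_user(string $login_page = 'index.php'): void {
    ensure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: ' . $login_page, true, 303);
    exit;
}
```

In proseslogin.php call login_user() with the POSTed credentials and redirect on true; in admin.php the first line after the opening tag is require_admin(); and logout.php is just logout_user();.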
 
