Help w/ REALLY simple login script

[tonyking]

Ok, I am making this WAY too complicated, can anyone help!? All I am trying to do is password protect pages with a cookie. The very first index page has a form which will post 1 variable to a script which will validate 1 and only 1 password, and if correct generate a cookie, and redirect the user to the main content.

All the content would have a little snippet that checks for the cookie, else redirecting back to the very first page.

I have tried, and tried, and tried some more, and my crappy script keeps breaking I am sure this is nothing for one of you gurus out there, can anyone lend a hand please?

[Nile]

I would need to see your code to help you. So please post your code, in the future too.

[tonyking]

This is the code, but it's not really what I wanted, which is why I didn't post it. But I guess it's a start!

PHP Code:

<?php

$thepass    =    "mypassword";
$notlogged    =    "Please Login";
$errormsg    =    "Invalid Password"; 
$loc_action    =    "test.php";
$loc_succ    =    "test.php"; 
$loc_error    =    $PHP_SELF; 
$but_log    =    "Login";   

$pass        =    $_POST['pass'];
$logged        =    $_COOKIE['logged'];
$mod        =    $_POST['mod'];
if($logged != "1"&& $mod != "login") {
    echo '<div style="margin:0 auto; text-align:center; width:1000px;">
          <div style="width:auto; margin-top:220px; margin-left:-350px;">
          <form name="login" method="post" action="'.$loc_action.'">
          <input type="text" name="name" class="cleardefault" size="20" value="Enter Password" />
          &nbsp;&nbsp;&nbsp;
          <input type="Submit" name="Submit" value="Submit" />
          </form>
          </div>
          </div>';
    if($_GET['msg'] == "err") {
        echo '<div style="margin:0 auto; text-align:center; width:1000px;">
          <div style="width:auto; margin-top:220px; margin-left:-350px;">
          <form name="Submit" method="post" action="login.php">
          <input type="text" name="name" class="cleardefault" size="20" value="Enter Password" />
          &nbsp;&nbsp;&nbsp;
          <input type="Submit" name="Submit" value="Submit" /><br>
          <font color="red">'.$errormsg.'</font>
          </form>
          </div>
          </div>';
    }
    die;
}

elseif($logged != "1"&& $mod == "login") {
    if($pass == $thepass) {
        setcookie("logged", "1");
        header("Location: ".$loc_succ);
    } else {
        header("Location:".$loc_err."?msg=err");
    }
   
}
?>

It's not really want I want, but I was trying to get something to work. I need the form to post to an independent action, which creates the cookie. Then I wanted a separate include in all my "protected" pages that either redirects back to the login form, or allows them to view the page. I don't know how to go about doing this at all, i'm a php-scoob.

Thanks for any help you can provide.

[allahverdi]

There are lots of ways to make a login script. I think SESSION is good, better than Cookies. I can make one for you easily, pm me or email: allahverdi.suleymanov@gmail.com .

[tonyking]

Ok with the help of Allahverdi here is script I am using:

Form action = login_process.php

PHP Code:

<?php
session_start();
$username = $_POST['user'];
$password = $_POST['pwd'];
if($username == "tony" && $password == "king888"){
$_SESSION['logineduser'] = "tony";
header("Location: /main/index.php");
}
else{
header("Location: index.php?error=true");
}
?>

That works fine as far as I can tell. Error traps and message diplays at this snippet:

PHP Code:

<?php if($_GET['error']){
echo"<b>Password is incorrect!</b></font>";
}
?>

The login directs fine to another directory (/main/) to a new "protected" index.asp with the following code:

PHP Code:

<?php
session_start();
if(!$_SESSION['logineduser'] || $_SESSION['logineduser'] != "tony"){
header("Location: index.php?error=2222");
}
if($_GET['logout']){
unset($_SESSION['logineduser']);
header("location: ../index.php");
}
?>

For some reason beyond my knowledge, the logout session doesn't actually clear the session? After clicking "log out" the user is taken back to the main index page which is what I want, but they can now view any url directly by typing it in the browser bar. If I close the browser and try to hard link it, it throws up a weird error about the page isn't redirecting properly. Anyone know why? And how to get this top function differently, or is this just the drawback of using a session instead of a cookie?

Edit: Here is the link on the protected page to logout:

Code:

<a href="../?logout=true">Logout</a>

[calumogg]

You might want to remove your password from the script for security.

[tonyking]

Just a test password, but thanks for the advice, and the only thing its protecting is a script I can't get to work right... lol

[google503]

You don't need to use php. Javascript is probably much easier and it encrypts the password. Just use: http://www.dynamicdrive.com/dynamicindex9/password.htm which generates the encryptions and change the numbers to what you get. Then when you
enter it it will direct you to the page of 'whateveryourpasswordwas.htm'.

Code:

<script>
function submitentry(){
password = document.password1.password2.value.toLowerCase()
username = document.password1.username2.value.toLowerCase()
passcode = 1
usercode = 1
for(i = 0; i < password.length; i++) {
passcode *= password.charCodeAt(i);
}
for(x = 0; x < username.length; x++) {
usercode *= username.charCodeAt(x);
}
//CHANGE THE NUMBERS BELOW TO REFLECT YOUR USERNAME/PASSWORD
if(usercode==134603040&&passcode==126906300)
//CHANGE THE NUMBERS ABOVE TO REFLECT YOUR USERNAME/PASSWORD
{
window.location=password+".htm"}
else{
alert("password/username combination wrong")}
}
</script>

<form name="password1">
<strong>Enter username: </strong>
<input type="text" name="username2" size="15">
<br>
<strong>Enter password: </strong>
<input type="password" name="password2" size="15">

<input type="button" value="Submit" onClick="submitentry()">
</form>

[Master_script_maker]

Important: In general JavaScript password scripts are significantly less secure that their CGI counterpart. If your server supports CGI, the ideal method of password protection is via that route.

a hacker could just look at the source code and undo the char codes and subtract a 1 from the front, and enter what he finds.Changing the password to charCodes with a one in front is not encryption and can be easily undone, please do not use it for password protection. Php is easily more secure, can't be seen, and should be used.