Thread: php private area in php (no database) - customization

  1. #1

    hi there

    I'm setting up a private area for a website. The private area is in PHP with the username/password stored in a PHP file, so there's no need for a MySQL database.

    After trying a lot of different PHP scripts I found this one, which suits my case well.

    Everything is working fine but I would like to add two things. As I'm new to PHP I didn't get it working:

    - a logout page that deletes the cookies
    - deny direct access to protected files if the user is not logged in (so I suppose a PHP check on the cookie)

    The script is basically these two PHP files:

    login form
    form.php
    PHP Code:
    <head>
    <title>Private area</title><?
    require ("config.php");?>
    <link href="form1.css" rel="stylesheet" type="text/css">
    <link href="button.css" rel="stylesheet" type="text/css">

    <link href="orsa2.css" rel="stylesheet" type="text/css">
    <style type="text/css">
    .style1 {
        font-weight: bold;
        text-decoration: underline;
        font-size: 17px;
    }
    </style>
    </head>

    <div align="center">
    <form name="Offmania_Pages_Protected" method="post" action="invia.php">
    <table width="<? echo $lunghezza_tabella ?>" border="0" align="center" cellpadding="0" class="tabella">
              <tr> 
                <td><span class="titlefont">Utente</span></td>
              </tr>
              <tr> 
                <td>
                <input name=primo class="form1" size="<? echo $lunghezza_campo1 ?>" maxlength="<? echo $lunghezza_max_campo1 ?>" style="width: 140px"><br></td>
              </tr>
              <tr> 
                <td><span class="titlefont">password</span></td>
              </tr>
              <tr> 
                <td>
                <input name=secondo type="password" class="form1" size="<? echo $lunghezza_campo2 ?>" maxlength="<? echo $lunghezza_max_campo2 ?>" style="width: 140px"></td>
              </tr>
              <td><input type="submit" name="Submit" value="Entra" class=button > 
                <input type="reset" name="Submit2" value="Cancella" class=button > 
                <?
    echo "<input type=hidden name=ipadress value=$REMOTE_ADDR>";
    echo "<input type=hidden name=referer value=$HTTP_REFERER>";
    echo "<input type=hidden name=ora value=$ora>";
    echo "<input type=hidden name=data value=$data>";
    ?>
              </td>
        
            </table></form>
                                    </div>
    invia.php

    contains the usernames/passwords, the links to the protected pages as well as the link to the error file

    PHP Code:
    <title>Private area</title>
    <?
    require ("config.php");?>
     <html><head></head><body marginheight="50">
    <? 
    if ($primo == "Admin" and $secondo == "Admin")
        {
        include ("area/1.php");  ### protected page of the first user
    }
    elseif ($primo == "demo" and $secondo == "demo")
        {
        include ("area/2.php");  ### protected page of the second user
    }
    ########### uncomment (remove the #) to protect more pages; further blocks can be added in the same way

    ###elseif ($primo == "3" and $secondo == "33")
    ###    {
    ###    include ("protette_000p/esempio3.php");  ### path of the protected page reached after login
    ###}
    ###elseif ($primo == "4" and $secondo == "44")
    ###    {
    ###    include ("protette_000p/esempio4.php");  ### path of the protected page reached after login
    ###}
    ############
    else {
        include ("area/err.php");  ### error page
    }
    ?>
    </body></html>
    So what part of the PHP code do I have to change to get those issues fixed?!

    many thanks!!!

  2. #2

    Code:
    <?php
    session_start(); // keep this in one PHP block: any output sent before header() breaks the redirects below
    
    if ( isset($_POST['login']) ) { // Login branch
    	
    	$_SESSION['LOGGED_IN'] = false; // Assume false
    
    	// Process Login
    	
    	$user_name = $pass_word = false;
    
    	if ( !empty($_POST['user_name']) && !empty($_POST['pass_word']) ) {
    	
    		$user_name = $_POST['user_name'];
    		$pass_word = $_POST['pass_word'];
    		
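    		if ($user_name === "admin" and $pass_word === "admin") {
    	
    			session_regenerate_id(true); // new session ID on login (prevents session fixation)
    			$_SESSION['ADMIN'] = true;
    			header("Location: area/1.php"); ### protected page of the first user
    			exit;
    			
    		} elseif ($user_name === "demo" and $pass_word === "demo") {
    		
    			session_regenerate_id(true); // new session ID on login (prevents session fixation)
    			$_SESSION['DEMO'] = true;
    			header("Location: area/2.php");  ### protected page of the second user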
    			exit;
    			
    		} else {
    		
    		     header("Location: area/err.php");  ### error page
    		     exit;
    		}
    	
    	} else {
    		
    	        header("Location: area/err.php");  ### error page
    		exit;
    	
    	}
    
    }
    ?>
    
    ******* PUT YOUR HTML HEADER HERE *******
    
    <div id="content">
    
    	<form id="login" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); /* PHP_SELF is request-controlled, so escape it */ ?>" method="post">
    				
    		<h2>Login</h2>
    					
    		<fieldset>
    
    			<legend>Enter your information below</legend>
    						
    			<label for="user_name">User Name</label>
    			<input type="text" id="user_name" name="user_name" value="" />
    
    			<label for="pass_word">Pass Word</label>
    			<input type="password" id="pass_word" name="pass_word" value="" />
    						
    			<input type="hidden" name="login" value="1" />
    
    			<p><input name="submit" type="submit" /></p>
    
    		</fieldset>
    
    	</form> <!-- end login -->
    
    </div> <!-- end content -->
    			
    ****** PUT YOUR HTML FOOTER HERE ******
    Then on area/1.php and area/2.php put this (change ADMIN to DEMO for 2.php):

    Code:
    <?php
    session_start();
    if ( isset($_SESSION['ADMIN']) ) {
    	if ( $_SESSION['ADMIN'] == true ) {
    ?>
    THIS AREA IS PROTECTED. ONLY 'ADMIN' CAN SEE IT
    
    ******* PUT YOUR HTML HEADER HERE *******
    
    			<div id="content">
    			
    			</div> <!-- end content -->
    			
    ******* PUT YOUR HTML FOOTER HERE *******
    <?php		
    	} else {
    		exit("Go Away");
    	}
    } else {
    	exit("Go Away");
    }
    ?>
    There might be one or two mistakes in my code. I didn't test it out. This is also pretty basic security. You can easily build on it to make it more advanced as you learn more.

    I'll let you or someone else figure out the logout part. I'll give you a hint: session_destroy();

    Good Luck.
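
The two things asked for in this thread (blocking direct access to the protected files, and a logout), written as one shared include. This is an added example, not code from either poster: the file name auth.php, the function names and the form.php login URL are assumptions, and it goes one step beyond the reply by keeping password hashes rather than plain passwords in the PHP file.

```php
<?php
// auth.php - added example; file and function names are hypothetical.
// Include it at the top of the login page, logout.php and every file in area/.
session_start();

// Users live in this PHP file (no database). Store hashes, not plain passwords.
// Generate each hash once with password_hash("the password", PASSWORD_DEFAULT)
// and paste the output below; the strings here are placeholders that never match.
$USERS = array(
    'admin' => array('hash' => 'PASTE_PASSWORD_HASH_OUTPUT_HERE', 'role' => 'ADMIN', 'home' => 'area/1.php'),
    'demo'  => array('hash' => 'PASTE_PASSWORD_HASH_OUTPUT_HERE', 'role' => 'DEMO',  'home' => 'area/2.php'),
);

// Returns the user's landing page on success, false on failure.
function login(array $users, $name, $password) {
    if (!is_string($name) || !is_string($password) || !isset($users[$name])) {
        return false;
    }
    if (!password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    session_regenerate_id(true);              // fresh session ID after authentication
    $_SESSION[$users[$name]['role']] = true;  // same flags the reply uses: ADMIN / DEMO
    return $users[$name]['home'];
}

// Call first thing in a protected page, e.g. require_role('ADMIN') in area/1.php.
// A direct request without the session flag is redirected and the script stops.
function require_role($role, $login_url = '../form.php') {
    if (!isset($_SESSION[$role]) || $_SESSION[$role] !== true) {
        header('Location: ' . $login_url);
        exit;
    }
}

// Body of logout.php: clear the data, expire the session cookie, destroy the session.
function logout($login_url = 'form.php') {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $login_url);
    exit;
}
```

Nothing may be echoed before require_role() or logout() runs, since both send a Location header.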
