Adjusting a php-login script to multiple users and pages

[Gert]

I still have this simple loginscript that works pretty well with a single username. It also redirects to only 1 page.

For the site i'm working on right now, i need to have 2 different usernames each redirecting to another page. Is there any way to adjust the existing script?

PHP Code:

<?php
/* secret.php
 CONSTANT DECLARATIONS - DO NOT CHANGE UPPERCASE CONSTANTS.
 Change lowercase values only
*/
/* Administration */
define("ADMINUSER", "admin"); /* your administration login name - modify - you make it up */
define("ADMINPASSWORD", "admin"); /* your administration password - modify - you make it up */
/* below is the webpage you will go to if your login is successful */
define("ADMINHOME", "test.php"); /* your administration page name - modify - the page you go to if the login is successful: Example: admin.php */
?>

PHP Code:

<?php
//adminLogin.php
//
// requires for multi applications inter-operability using same admin-Login-Only module
if(file_exists("secret.php")) { // admin-Login-Only admin user and password file
    require_once("secret.php");
}
// begin SECURITY - DO NOT CHANGE!
// initialize or retrieve the current values for the login variables
$loginAttempts = !isset($_POST['loginAttempts'])?1:$_POST['loginAttempts'];
$formuser = !isset($_POST['formuser'])?NULL:$_POST['formuser'];
$formpassword = !isset($_POST['formpassword'])?NULL:$_POST['formpassword'];
if(($formuser != ADMINUSER ) || ($formpassword != ADMINPASSWORD )) {
    if ($loginAttempts == 0) { /* 1 strikes and they're out */
        $_POST['loginAttempts'] = 1;
        include("meplog.php");
        exit;
    }else{
        if ( $loginAttempts >= 1 ) {
            header("Location: http://www.meppers.nl/index.php");
            exit();
        }else{
            header("Location: http://www.meppers.nl/index.php");
            exit();
        }
    }
}
/* test for valid username and password
   if valid then initialize the session
    register the username and password variables
    and include the ADMINHOME page
*/
if (($formuser == ADMINUSER ) && ($formpassword == ADMINPASSWORD )) {    // test for valid username and password
    session_start();
    $_SESSION['adminUser'] = ADMINUSER;
    $_SESSION['adminPassword'] = ADMINPASSWORD;
    $SID = session_id();
    $adminHome = ADMINHOME;
    header("Location: http://www.meppers.nl/".$adminHome);
    exit();
}    
?>

PHP Code:

<?php 
//adminLogOut.php
//
/*
If you enable register_globals, session_unregister() should be used since session 
variables are registered as global variables when session data is deserialized.
http://www.php.net/manual/en/ref.session.php
*/
session_start();
function session_clear() {
// if session exists, unregister all variables that exist and destroy session
  $exists = "no";
  $session_array = explode(";",session_encode());
  for ($x = 0; $x < count($session_array); $x++) {
    $name  = substr($session_array[$x], 0, strpos($session_array[$x],"|")); 
    if (session_is_registered($name)) {
      session_unregister('$name');
      $exists = "yes";
    }
  }
if ($exists != "no") {
    session_destroy();
    }
}
session_clear();
?>

PHP Code:

<?php
//adminOnly.php
//
session_start();
if(   (!isset($_SESSION['adminUser'])) || (!isset($_SESSION['adminPassword'])) ) {
    include_once("adminLogin.php");
    exit;
}
// requires for multi applications inter-operability using same admin-Login-Only module
if(file_exists("secret.php")) { // admin-Login-Only admin user and password file
    require_once("secret.php");
}
/* adminOnly.php
   if the session variables are not set or are incorrect values 
   then present the login screen
*/
if( ($_SESSION['adminUser'] != ADMINUSER) || ($_SESSION['adminPassword'] != ADMINPASSWORD) ) {
    include_once("adminLogin.php");
    exit;
}else{?>
<?php }?>

and the protected pages have the following line on top

PHP Code:

<?php require_once("adminOnly.php");?>

[Nile]

Try an mysql one, or a xml one:

MySQL
XML

[Gert]

The xml is way to extensive (no need for registration and other features) and the mysql one.... well there is hardly any explaination on where to put the scripts, etc.
I'm not a coder, i'm just someone who can adjust a fairly simple script to his own needs.

I didn't wrote the script I put on before myself. I just know where to change it to get it to work with pages i'm using it for.
So there is no way to adjust it to multiple-user/page?

All it needs to do is redirect a user with login "a" and pw "b" to page "c"
and anotherone with login "x" and pw "y" to page "z".
no need to add more users or pages

It's for the members of our team to go to a protected team-only page and with the same form i would like to redirect coaches and people who run the club to a page where they can upload stuff, put the gameresults online, etc.

[Nile]

Not tested:

PHP Code:

<?php
session_start();

$logins[0]["user"] = "a";
$logins[0]["pass"] = "b";
$logins[0]["redirect"] = "c.php";

$logins[1]["user"] = "x";
$logins[1]["pass"] = "y";
$logins[1]["redirect"] = "z.php";

// No need to edit below, except the errors

if(isset($_POST['submit'])){ //is the form submitted?
  if(empty($_POST['user']) || empty($_POST['pass'])){
    echo "You have to fill out the user name and password!";
    exit;
  } //check for empty user name or password
  $is_logged = false; //this is part of the process to see if they have a correct password or not, set to false right here to say no right pass... (will change later)
  foreach($logins as $login){
    $user = $_POST;
    if(($user["user"] == $login["user"]) && ($user["pass"] == $login["pass"])) {
      $is_logged = true;
      $_SESSION["loggged_in"] = TRUE; //now, if they do have a correct password, set the session to true, and the variable.
      header("Location: ".$login["redirect"]);
    }
  }
  if(!$is_logged){ echo "Username/password did not match, try again!"; } //if none of the $logins arrays matched the input, give an error
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Username:<br />
<input type="text" name="user" /><br />
Password:<br />
<input type="password" name="pass" /><br />
<input type="submit" name="submit" value="Log in!" />
</form>

And then protect.php:

PHP Code:

<?php
session_start();
  if((!isset($_SESSION["logged_in"])) && !$_SESSION["logged_in"]){
    header("Location: login.php");
  } //check to see if logged in, otherwise go to the login
?>

Include protect.php every time theres a protected page.

[Schmoopy]

PHP Code:

if(isset($_POST['submit'])){
  if(!empty($_POST['user']) || !empty($_POST['pass'])){
    echo "You have to fill out the user name and password!";
    exit;
  } 


Don't you mean:

if (empty($_POST['user'] || empty($_POST['pass'])) ?

if !empty would mean if you fill in a value it will tell you to enter a username and password

[Nile]

Yes, I did fix that... Right before you posted. Thanks though!

[Schmoopy]

Hehe, should have left a bit more time between you posting it and me replying

[Nile]

Haha... 5 minutes is enough.

(commented the code)

[lrickyutah]

Where do I put the protect.php? Sorry, I'm a php newbie. My form redirects to an html page.

[Nile]

Everywhere you have a protected page, you should put this code at the top of it(it has to be a .php):

PHP Code:

<?php
include("../protect.php");
?>

Just put protect.php in the root directory.

Version 2.

What have I done?
Protect page now works - credits to master_script_maker for helping me fix this
Made something that makes the user aware they're logged in
Made the session hold an array, one with the page they're supposed to go to, and one saying their logged in.
Made a logout.

Login.php

PHP Code:

<?php
session_start();

if(isset($_GET["log_out"])){
  unset($_SESSION["logged_in"]);
  echo "You're logged out, and will be redirected in about 3 seconds";
  header('refresh: 3; url=login.php');
  exit;
}

$login = true;
require "protect.php";

$logins[0]["user"] = "a";
$logins[0]["pass"] = "b";
$logins[0]["redirect"] = "c.php";

$logins[1]["user"] = "x";
$logins[1]["pass"] = "y";
$logins[1]["redirect"] = "z.php";

// No need to edit below, except the errors

if(isset($_POST['submit'])){ //is the form submitted?
  if(empty($_POST['user']) || empty($_POST['pass'])){
    echo "You have to fill out the user name and password!";
    exit;
  } //check for empty user name or password
  $is_logged = false; //this is part of the process to see if they have a correct password or not, set to false right here to say no right pass... (will change later)
  foreach($logins as $login){
    $user = $_POST;
    if(($user["user"] == $login["user"]) && ($user["pass"] == $login["pass"])) {
      $is_logged = true;
      $_SESSION["logged_in"] = array($login["redirect"], true); //now, if they do have a correct password, set the session to true, and the variable.
      header("Location: ".$login["redirect"]);
    }
  }
  if(!$is_logged){ echo "Username/password did not match, try again!"; } //if none of the $logins arrays matched the input, give an error
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Username:<br />
<input type="text" name="user" /><br />
Password:<br />
<input type="password" name="pass" /><br />
<input type="submit" name="submit" value="Log in!" />
</form>

protect.php - credits to master_script_maker for helping me fix this

PHP Code:

<?php
session_start();
  if((!isset($_SESSION["logged_in"])) || !$_SESSION["logged_in"][1]){
    if(!isset($login)){
      header("Location: login.php"); //check to see if logged in, otherwise go to the login
    }
  } else if (isset($login) || isset($index)){
    echo "Your already logged in!! <a href='login.php?log_out'>Click here</a>, to logout. Or, go back to your <a href='{$_SESSION['logged_in'][0]}'>page</a>.";
    exit;
  }
?>

index.php

PHP Code:

<?php
$index = true;
require "protect.php";

?>