
Thread: login page

  1. #1
    Join Date
    Nov 2005
    Location
    Austin TX,US
    Posts
    71
    Thanks
    2
    Thanked 0 Times in 0 Posts

    login page

    Hi,
    I'm new to PHP, and learning some tutorial to create a login feature which includes 4 pages:
    1/ login --> this is a form <form action="login_check.php" method="post">
    2/ config.php --> with info of host, username, password, connect to mysql
    3/ login_check.php --> to process the form:
    Code:
    <?php
    session_start();
    include 'config_pc.php'; // expected to set $connection
    $username = $_POST["username"];
    $password = $_POST["password"];
    if (!empty($username) && !empty($password)) {
        // Escape the submitted values before they go into the SQL string
        $query = sprintf(
            "SELECT * FROM member WHERE username='%s' and password='%s'",
            mysql_real_escape_string($username, $connection),
            mysql_real_escape_string($password, $connection)
        );
        $result = mysql_query($query, $connection) or die("Can't execute!");
        $count = mysql_num_rows($result);
        if ($count == 1) {
            $_SESSION['user_logged'] = $username;
            $_SESSION['user_password'] = $password;
            header('Location: member.php');
            exit; // stop the script once the redirect has been sent
        } else {
            echo "You've entered wrong username/password. Please enter again!";
        }
    } else {
        echo "You forgot to enter something!";
    }
    ?>
    4/ member.php--> after successful login

    What should I put in member.php so that it can only be accessed after logging in? Right now if e.g. I type http://localhost/member.php, I can go directly to the member.php page. I know it has something to do with SESSION but don't know how.

    Also, right now it seems that my username and password fields are not case sensitive. How do I make them case sensitive?

    Thanks!!!!!!

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    well.... what's the point in logging in? ..so you have you're signed in.
    As such, the member.php page must CHECK that they are logged in. It'll be basically the same code as the login page, but will just verify their session password/username, instead of logging them in with it. Make sense?

    As for case sensitivity... usernames shouldn't be case sensitive. some people like "Daniel" others like "daniel".... let them pick. You can use stringtolower($var) (*I think that's the function*) make it lowercase for checking purposes.
    As for the password, it should be case sensitive... not sure why it wouldn't be.

  3. #3
    Join Date
    Nov 2005
    Location
    Austin TX,US
    Posts
    71
    Thanks
    2
    Thanked 0 Times in 0 Posts


    Thank you for your fast response.
    For the member.php page--only member can see, I add this at the very beginning:
    Code:
    <?php
    session_start();
    if (!session_is_registered($username)) {
        header("location:login.php");
    }
    ?>
    What I want is if user hasn't signed in yet, they'll be redirected to the login.php page even if they type in e.g. http://localhost/member.php.
    But somehow it didn't work.
    Even when I type in the correct username and password, I'm still on the login.php page -- which seems to have been refreshed -- all the text I entered has been erased.

    Did I do something wrong? Thanks!

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    hmm.... I dunno about the session_is_registered function.

    That's also not secure, really, 'cause all they need is a username.

    Here's what I'd do:

    they log in.
    their password and username are stored as session vars, or cookie vars, whatever.
    at the top of the member page and anything else that requires login, have this code:
    (***assume that $pass and $user are from the session/cookie vars... get those how you want)
    PHP Code:
    <?php
    // The username is a string, so it is quoted and escaped in the query
    $query = "SELECT [*password*] FROM [*table*] WHERE [*username*]='" . mysql_real_escape_string($user) . "'";
    $result = mysql_fetch_assoc(mysql_query($query));
    if ($result['password'] != $pass) {
        die("REDIRECT HERE");
    }
    //THEN PUT THE REST OF YOUR STUFF HERE, and it'll only be accessible
    //if their stored pass = the pass they logged in with.
    //The die("") function will end execution of the page, sending no data after it;
    //they won't get the stuff after the login check,
    //even for a split second before they're redirected.
    ?>

    In short, just have it check at the top of the page whether the password in the database for the username is equal to the password they have in their cookie/session var from logging in.

    Random note: if you want to not store the person's actual password, you could use md5() to encrypt it.
    Basically, it takes a string, and outputs a 32 character string that will be the same for the same input, but is irreversible...
    if your password is "abc" then md5("abc") will always be the same, but you can't ever figure out what the password is from the stored md5 value.
    it feels more moral in some ways.
    Also, all you have to do then is, when they log in, have it check if the md5 of their password equals the stored md5 value for their password; if they are equal, then the passwords are also equal, but it's more secure for people.
    this is unrelated and not necessary, but nice to know.
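
Added example, not code from any poster in this thread: the login check and the member.php gate discussed in posts #1 to #4, written with a PDO bound parameter for the lookup and with password_hash()/password_verify(), which salt and slow down the hash, in place of the md5() idea from post #4. The in-memory SQLite database (needs the pdo_sqlite extension), the sample account, the login.php URL and the function names check_login and gate are assumptions made for illustration. Usernames are lower-cased for lookup as post #2 suggests, while the password comparison happens in PHP and so stays case sensitive whatever the database column's collation is.

```php
<?php
declare(strict_types=1);
// Added example; the SQLite database and the account below are constructed.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Store the lower-cased username and a salted hash, never the password itself.
    $db->prepare('INSERT INTO member VALUES (?, ?)')
       ->execute(['daniel', password_hash('Secret-abc', PASSWORD_DEFAULT)]);
    return $db;
}

// login_check.php logic: the username travels as a bound parameter, so quotes
// in it are data, and the password is compared in PHP, so case always matters.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM member WHERE username = ?');
    $stmt->execute([strtolower($username)]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// member.php logic: returns null when logged in, else the redirect target.
// In the page itself: session_start();
//   if ($to = gate($_SESSION)) { header("Location: $to"); exit; }
function gate(array $session): ?string {
    return isset($session['user_logged']) ? null : 'http://localhost/login.php';
}

$db = make_demo_db();
$session = []; // stands in for $_SESSION
$tries = [['Daniel', 'Secret-abc'], ['daniel', 'secret-abc'], ["o'neil", 'x']];
echo 'member.php before login: ', gate($session) ?? 'show page', "\n";
foreach ($tries as [$user, $pass]) {
    $ok = check_login($db, $user, $pass);
    if ($ok) {
        // A real page would also call session_regenerate_id(true) here.
        $session['user_logged'] = strtolower($user); // username only
    }
    printf("%-8s %-11s %s\n", $user, $pass, $ok ? 'accepted' : 'rejected');
}
echo 'member.php after login:  ', gate($session) ?? 'show page', "\n";
```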

  5. #5
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Quote:
        As for case sensitivity... usernames shouldn't be case sensitive. some people like "Daniel" others like "daniel".... let them pick. You can use stringtolower($var) (*I think that's the function*) make it lowercase for checking purposes.
    Rubbish; usernames are always case-sensitive. The function is strtolower().
    Quote:
        header("location:login.php");
    HTTP Location: headers should always have an absolute URI value.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  6. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    For my forum, they aren't case sensitive. If you're talking about ftp or a secure area, then that would make sense. But as for stuff like forums, etc, I suggest not making them case sensitive.
    After all, it would be very confusing if "daniel" and "Daniel" were two different members.
    Thanks on the string.
    And, yes, if security is the number one concern, make them case sensitive.

  7. #7
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Quote:
        as for stuff like forums, etc, I suggest not making them case sensitive.
    I don't think I've ever come across a case-insensitive username.
    Quote:
        After all, it would be very confusing if "daniel" and "Daniel" were two different members.
    To check that the handle isn't registered, that's fine; but when logging in... I don't know why, it just isn't done.

  8. #8
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Quote:
        I don't think I've ever come across a case-insensitive username.
    Try logging in on any IPB board. (http://thebrbforums.com is mine)

    True on the second thing, but, still, why not make it work for what they want.
    For my forum, the username is stored in lowercase, then they get to type their name how they like it as they log in... kinda like AIM.
    Where if you login as "Daniel" your posts are "Daniel", but "daniel"..."daniel", yet it's tied either way to the "daniel" account in the database. Kinda confusing, but makes sense for being user-friendly.


    EDIT: Haha! Log out, Twey, log in with CAPS. It works. Here, I mean.

  9. #9
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Hm, sô shimasu. Funny I never noticed that.

  10. #10
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Ha, yeah. I'm amused.

    You're right about security.

    I think forums do it like that so people don't get confused whether they capitalized or not.

    For more secure things, it does get confusing.
