zzz+special+login

Note: logout page is at end of page

Login

We need to maintain state from one page to another within the staff area when a user logs in.

Ways to maintain state:
 * GET (append data to url)
 * POST (create hidden form fields)
 * COOKIE (create cookie with data and read from each new page)
 * SESSION (create a server-side session)

Creating a COOKIE

This is not very secure though, because the user can see his/her id by looking at the cookie and could potentially do something malicious with this data.

code
$found_user = mysql_fetch_array($result_set);
// setcookie() is what actually sends the cookie to the browser;
// assigning to $_COOKIE[...] only changes PHP's local copy of the request cookies
setcookie('user_id', $found_user['id']);
code

Creating a SESSION

This is more secure. PHP generates a really long random string (the session id) that gets saved to a cookie on the user's machine, while the user's data itself stays on the server, so the user won't be able to do much with the cookie's value.

First we must open a session, and then we can set the session info equal to the user info. We want to do this at the top of the login page.

code
<?php
// open (or resume) the session; this must run before any output is sent to the browser
session_start();
?>
code

We also need to add this to the top of every staff page, so we will create an include file for it.

When we set the session values, we should also include the username so we can personalize pages without having to make lots of trips to the database.

code
// start session for user
$_SESSION['user_id'] = $found_user['id'];
// store the username too so we can personalize things without making a bunch of trips to the database
$_SESSION['username'] = $found_user['username'];
code

Then on the staff page we can personalize the page.

code
Staff Menu
Welcome to the staff area, <?php echo $_SESSION['username']; ?>.
<ul>
  <li><a href="content.php">Manage Website Content</a></li>
  <li><a href="new_user.php">Add Staff User</a></li>
  <li><a href="logout.php">Logout</a></li>
</ul>
code

Finally, we need to add the rest of the scripting to every page in the staff area. It will check whether the user is authenticated (i.e. a session has been started and is running). If there is no session or no authenticated login, it redirects the user to the login page.

session.php (in includes folder)

code
<?php
session_start();

// checks to see if a session is set
// can be used to add additional functionality to public pages too
function logged_in() {
    return isset($_SESSION['user_id']);
}

// calls logged_in() above and, if not logged in, redirects to the login page
// note: redirect_to() (defined in functions.php) sends a Location header, so make sure
// the call to this function is above any HTML markup on each page
function confirm_logged_in() {
    if (!logged_in()) {
        redirect_to("login.php");
    }
}
?>
code
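The session.php above does the job for the class, but a production version of the same include would also pin down how the session cookie itself behaves. The following is an added example (not the class's file or code): it keeps the same `logged_in()` / `confirm_logged_in()` names and adds cookie flags, strict mode, an idle timeout, and a helper to call right after a successful password check. The 30-minute timeout, the `start_user_session()` and `end_session()` helper names, and the PHP 7.3+ requirement for the array form of `session_set_cookie_params()` are assumptions of this example.

```php
<?php
// includes/session.php, hardened variant (added example; not the class's file).
// Assumes PHP >= 7.3 for the array form of session_set_cookie_params().

// Cookie flags: HttpOnly keeps page scripts from reading the session id,
// Secure limits the cookie to HTTPS, and SameSite=Lax keeps most cross-site
// requests from carrying it. $secure is derived from the request so the
// example also runs on a plain-HTTP development server.
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
session_set_cookie_params([
    'lifetime' => 0,          // cookie lives until the browser closes
    'path'     => '/',
    'secure'   => $secure,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Reject session ids the server never issued (stops a client from choosing its own id).
ini_set('session.use_strict_mode', '1');
session_start();

// Idle timeout in seconds since the last request (assumed value: 30 minutes).
define('SESSION_IDLE_SECONDS', 1800);

// Same contract as the class version: true only when a usable login session exists.
function logged_in() {
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > SESSION_IDLE_SECONDS) {
        // Stale session: drop it rather than keep trusting it.
        end_session();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Call right after a successful password check. Issuing a fresh id means a
// session id that was fixed or observed before login is worthless afterwards.
function start_user_session($user_id, $username) {
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();
}

// The same four steps as logout.php, callable from anywhere.
function end_session() {
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();
}

// The exit matters: header() alone does not stop the script, so without it the
// protected page body below the call would still be sent to the client.
function confirm_logged_in() {
    if (!logged_in()) {
        header("Location: login.php");
        exit;
    }
}
?>
```

With this include in place, login.php would call `start_user_session($found_user['id'], $found_user['username'])` instead of assigning the two `$_SESSION` keys directly, and staff pages keep calling `confirm_logged_in()` exactly as before.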

login.php

code
<?php require_once("includes/session.php"); ?>
<?php require_once("includes/connection.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php
// check to see if logged in and if so send to staff page
if (logged_in()) {
    redirect_to("staff.php");
}

include_once("includes/form_functions.php");

// START FORM PROCESSING
if (isset($_POST['submit'])) { // Form has been submitted.
    $errors = array();

    // perform validations on the form data
    $required_fields = array('username', 'password');
    $errors = array_merge($errors, check_required_fields($required_fields, $_POST));

    $fields_with_lengths = array('username' => 30, 'password' => 30);
    $errors = array_merge($errors, check_max_field_lengths($fields_with_lengths, $_POST));

    $username = trim(mysql_prep($_POST['username']));
    $password = trim(mysql_prep($_POST['password']));
    $hashed_password = sha1($password);

    if (empty($errors)) {
        // Check database to see if username and the hashed password exist there.
        $query  = "SELECT id, username ";
        $query .= "FROM tblusers ";
        $query .= "WHERE username = '{$username}' ";
        $query .= "AND hashed_password = '{$hashed_password}' ";
        $query .= "LIMIT 1";
        $result_set = mysql_query($query);
        confirm_query($result_set);
        if (mysql_num_rows($result_set) == 1) {
            // username/password authenticated
            // and only 1 match
            $found_user = mysql_fetch_array($result_set);
            // could use setcookie('user_id', $found_user['id']); but this is not very secure
            // start session for user
            $_SESSION['user_id'] = $found_user['id'];
            // store the username too so we can personalize things without making a bunch of trips to the database
            $_SESSION['username'] = $found_user['username'];

            redirect_to("staff.php");
        } else {
            // username/password combo was not found in the database
            $message = "Username/password combination incorrect.
            Please make sure your caps lock key is off and try again.";
        }
    } else {
        if (count($errors) == 1) {
            $message = "There was 1 error in the form.";
        } else {
            $message = "There were " . count($errors) . " errors in the form.";
        }
    }

} else { // Form has not been submitted.
    if (isset($_GET['logout']) && $_GET['logout'] == 1) {
        $message = "You are now logged out.";
    }
    $username = "";
    $password = "";
}
?>
<?php include("includes/header.php"); ?>

<a href="index.php">Return to public site</a>
Staff Login
<?php if (!empty($message)) { echo "<p class=\"message\">" . $message . "</p>"; } ?>
<?php if (!empty($errors)) { display_errors($errors); } ?>
<form action="login.php" method="post">
  <!-- field names match the $_POST keys checked above -->
  Username: <input type="text" name="username" maxlength="30" value="<?php echo htmlentities($username); ?>" /><br />
  Password: <input type="password" name="password" maxlength="30" value="" /><br />
  <input type="submit" name="submit" value="Login" />
</form>

<?php include("includes/footer.php"); ?>
code
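The database check in login.php builds the query by string concatenation and compares an unsalted `sha1()` of the password. The following added example (not the class's login.php, and not the class's functions) shows the same check with two swapped-in techniques: a PDO prepared statement, so the username is passed as data rather than spliced into SQL, and `password_verify()` against a `password_hash()` value stored in `tblusers.hashed_password`. It assumes a PDO connection in `$db` (the class's `includes/connection.php` uses the old `mysql_*` functions, so this is a hypothetical replacement), and that `redirect_to()` and `$errors` come from the surrounding page as before.

```php
<?php
// Added example of the login.php database check using PDO and password_verify().
// Assumes $db is a PDO connection (hypothetical replacement for connection.php)
// and tblusers.hashed_password holds password_hash() output.

function authenticate_user(PDO $db, $username, $password) {
    // A placeholder keeps the username as data, whatever characters it holds,
    // so no mysql_prep()-style escaping is needed.
    $stmt = $db->prepare(
        "SELECT id, username, hashed_password FROM tblusers WHERE username = :username LIMIT 1"
    );
    $stmt->execute([':username' => trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time is the same for unknown and known usernames.
    $stored = $row ? $row['hashed_password']
                   : password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored);
    if (!$ok || !$row) {
        return null;
    }

    // Re-hash transparently if PHP's default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE tblusers SET hashed_password = :hash WHERE id = :id");
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

// What new_user.php would store with this scheme: password_hash() adds its own
// per-user salt, so two users with the same password get different values.
function hash_new_password($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Replacement for the "if (empty($errors))" branch of login.php.
if (empty($errors)) {
    $found_user = authenticate_user($db, $_POST['username'], $_POST['password']);
    if ($found_user) {
        // New id on privilege change, then the same two session values as the class version.
        session_regenerate_id(true);
        $_SESSION['user_id']  = $found_user['id'];
        $_SESSION['username'] = $found_user['username'];
        redirect_to("staff.php");
    } else {
        // One message for both "no such user" and "wrong password".
        $message = "Username/password combination incorrect.
        Please make sure your caps lock key is off and try again.";
    }
}
?>
```

The existing `sha1` column values cannot be converted to `password_hash()` output directly, since the plaintext is not available; a migration would accept the old `sha1` match once, then store `hash_new_password($password)` and never use the `sha1` path for that user again.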

staff.php

Include the session file and call the confirm_logged_in() function. Don't forget to include the functions file too, since the session file calls the redirect function defined in functions.php.

code
<?php require_once("includes/session.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php confirm_logged_in(); ?>
<?php include("includes/header.php"); ?>

Staff Menu
Welcome to the staff area, <?php echo $_SESSION['username']; ?>.
<ul>
  <li><a href="content.php">Manage Website Content</a></li>
  <li><a href="new_user.php">Add Staff User</a></li>
  <li><a href="logout.php">Logout</a></li>
</ul>

<?php include("includes/footer.php"); ?>
code

Now add the session include and the call to confirm_logged_in() on all staff pages.

Note: currently we will not add this check to the include files, which means they are wide open and can be requested directly. There are ways to secure the includes folder on the server (such as having an htaccess file) when deployed. This is beyond the scope of this class, but it is important to keep in mind.

You especially want to protect the constants.php file. This has your database username and password.


logout.php

code
<?php require_once("includes/functions.php"); ?>
<?php
// Four steps to closing a session
// (i.e. logging out)

// 1. Find the session
session_start();

// 2. Unset all the session variables
$_SESSION = array();

// 3. Destroy the session cookie
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}

// 4. Destroy the session
session_destroy();

// can send logout=1, test for this on login page and give a "you are now logged out" message
redirect_to("login.php?logout=1");
?>
code
