Simple php password protect

Hi,

First post and first toe in the water with PHP.

I’m testing a simple password protection webpage. I have two files in the public folder - one the password script (http://www.provision-cctv.com/passtest.php), the other the file I want to protect.

The passtest file has the following:-

<?php session_start() ?>
Untitled Document
<?php
if (array_key_exists('ewTest' , $_POST)) {
    $username = trim($_POST['username']);
    $_SESSION['username'] = $username;
    $password = trim($_POST['password']);
    $_SESSION['password'] = $password;
    if (($username == "Pink") && ($password == "Elephant")) {
        $response = "You're welcome! Enter Here";
    } else {
        $response = "Sorry, you do not have permission to access this webpage!";
    }
}
?>
#wrapper { width: 250px; padding: 20px; margin: 20px auto; background-color:#CCC; font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; }
#wrapper p { margin: 0 0 0 0; padding: 0; text-align: center; }
input { width: 250px; }
input#submit { width: 100px; margin: 15px 0 0 0; }

Please enter your Username & Password below. (Case sensitive)

Username

Password

<?php if(isset($response)) echo $response;?>

The file I’m trying to protect is (http://www.provision-cctv.com/CFS2) and the first lines of code on this page start:-

<?php session_start() ?>
<?php
if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
    header("Location: http://www.provision-cctv.com/passtest.php");
}
if (isset($_SESSION['username'])) {
    unset($_SESSION['username']);
    session_destroy();
}
if (isset($_SESSION['password'])) {
    unset($_SESSION['password']);
    session_destroy();
}
?>

So in theory I guess that if someone tries to open the CFS2 file the log-in/password box should open it first - but there is no security - you go straight in!

If I open up the pass test file in a browser - enter the log-in and password then I can open the CFS2 file - but surely that’s not how it should work?

Am I losing the plot?

Many thanks.

Joe.

You need to rejig your code a little as you should ONLY set the sessions if the user passes the validation test - not before as you do in your code.

Try this (note, I have not tested myself, just copied your code and moved it around)
[php]

<?php
if (array_key_exists('ewTest' , $_POST)) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if (($username == "Pink") && ($password == "Elephant")) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        $response = "You're welcome! Enter Here";
    } else {
        $response = "Sorry, you do not have permission to access this webpage!";
    }
}
?>

[/php]

Then to ‘protect’ an area from users who are not logged in, you test for the session.

[php]

<?php
if(isset($_SESSION['username'])) {
    // allow the user access.
}
?>

[/php]

You get the idea?

Hope that helps,
Red :wink:

Hi Red,

Many thanks for the quick and friendly reply!

I think I’ve made the suggested mods so the passtest file now starts:-

<?php
if (array_key_exists('ewTest' , $_POST)) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if (($username == "Pink") && ($password == "Elephant")) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        $response = "You're welcome! Enter Here";
    } else {
        $response = "Sorry, you do not have permission to access this webpage!";
    }
}
?>

And the page I’m trying to password protect starts:-

<?php
if(isset($_SESSION['username'])) {
    // allow the user access.
}
?>

<?php session_start() ?>
<?php
if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
    header("Location: http://www.provision-cctv.com/passtest.php");
}
if (isset($_SESSION['username'])) {
    unset($_SESSION['username']);
    session_destroy();
}
if (isset($_SESSION['password'])) {
    unset($_SESSION['password']);
    session_destroy();
}
?>

However still no joy.

As I said it’s all a little new to me - am I on the right track?

Re the MySQL - at the moment I would like to walk before I run - but thanks for the offer.

Again many thanks.

Joe

This needs to be at the top of all pages using sessions.
[php]<?php session_start() ?>[/php]

PHP that handles login form.
[php]<?php
if(array_key_exists('ewTest' , $_POST)) {
	$username = trim($_POST['username']);
	$password = trim($_POST['password']);

	if(($username == "Pink") && ($password == "Elephant")) {
		$_SESSION['username'] = $username;
		$_SESSION['password'] = $password;
		$response = "You're welcome! <a href='http://www.provision-cctv.com/CFS2'>Enter Here</a>";
	}
	else {
		$response = "Sorry, you do not have permission to access this webpage!";
	}
}
?>
[/php]

Restricted access.
[php]<?php
if(isset($_SESSION['username'])) {
	// PUT YOUR RESTRICTED CODE HERE LIKE SO:
	echo 'i am logged in!!';
}
else {
	// this user is not logged in
	// either redirect them like so
	//header("Location: /login.html");
	// or show content like so:
	echo 'please login';
}
?>
[/php]

Logout page:
[php]<?php
if (isset($_SESSION['username'])) {
	unset($_SESSION['username']);
	unset($_SESSION['password']);
	session_destroy();
}
?>
[/php]

Note: This is the least secure login I have ever seen and won’t keep out anyone who has a clue…
You should look into better security before putting this script live on the internet.

With that said, I hope this helps you on your way,
Red :wink:

PS: When posting code, hit the PHP button in the editor to make your code readable like I have done.
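
A hardened version of the login check, page guard and logout discussed in this thread, added here as an example and not posted by either participant. The function names, the LOGIN_URL constant and the inline password_hash() call are assumptions made so the file runs on its own.

```php
<?php
// Added example, not code from the thread. Function names and LOGIN_URL are assumptions.
declare(strict_types=1);

const LOGIN_URL  = '/passtest.php';   // login page from the thread
const VALID_USER = 'Pink';
// Assumption: in a real deployment run password_hash() once offline and keep only
// the resulting hash here; it is computed inline so this file runs as-is.
$storedHash = password_hash('Elephant', PASSWORD_DEFAULT);

function attempt_login(string $user, string $pass, string $hash): bool
{
    // Evaluate both checks so the response does not depend on which field was wrong.
    $userOk = hash_equals(VALID_USER, $user);
    $passOk = password_verify($pass, $hash);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);      // fresh session ID after login (session fixation)
    $_SESSION['username'] = $user;    // store the identity only, never the password
    return true;
}

function require_login(): void
{
    if (!isset($_SESSION['username'])) {
        header('Location: ' . LOGIN_URL);
        exit;                         // without exit the protected page is still sent
    }
}

function logout(): void
{
    $_SESSION = [];                   // clear the data, then the server-side session
    session_destroy();
}

// Login page: start the session before any output, then handle the form post.
session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
$u = $_POST['username'] ?? null;
$p = $_POST['password'] ?? null;
if (is_string($u) && is_string($p)) { // reject array-valued fields such as username[]=x
    $ok = attempt_login(trim($u), trim($p), $storedHash);
    echo htmlspecialchars($ok
        ? "You're welcome!"
        : 'Sorry, you do not have permission to access this webpage!');
}
```

On the protected page, call session_start() and then require_login() before any output is sent; the logout page calls session_start() and then logout().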
