Kathlyn February 2016

PHP login script in a separated file

I have been developing the following PHP script (plus an SQLite database) to create a login for my website.

Up to now I had used just one PHP file, but now I want to use different files for the login and the protected contents. I mean, I used to have all my web in one PHP file (contents and password script were together), but now I want to split it into different PHP files (one for the login, login.php, and other protected PHP files: index.php, calendar.php...).

I used this code to password-protect PHP content:

<?php require_once "Login.php"; ?>

but it doesn't seem to work: it displays the login form next to the content I wanted to protect.

This is the PHP script I'm using as login.php:

<?php

$db = new PDO('sqlite:data.db');
session_start();

// ?logout=true: drop the login marker and go back to the front page
if (isset($_GET['logout'])) {
    unset($_SESSION['pass']);
    header('location: index.php');
    exit();
}

// expire the session 4 seconds after the login time was recorded
if (isset($_SESSION['timeout'])) {
    if ($_SESSION['timeout'] + 4 < time()) {
        session_destroy();
    }
}

// form submitted: compare the typed password against every stored hash
if (!empty($_POST['pass'])) {
    $result = $db->query("SELECT user,password FROM users");
    foreach ($result as $row) {
        if (password_verify($_POST['pass'], $row['password'])) {
            echo "Welcome! You're logged in " . $row['user'] . "!  <a href='index.php?logout=true'>logout</a>";
            $_SESSION['pass']    = $_POST['pass'];
            $_SESSION['timeout'] = time();
        }
    }
}

// not logged in: print the form (the page content after the require is still sent)
if (empty($_SESSION['pass'])) {
    echo '<form method="POST" action=""><input type="password" name="pass"></form>';
}

?>

MY QUESTION IS: How can I use my PHP script to protect different files? Is there any way to embed a logout link too?

Answers


Jay Blanchard February 2016

One way is to store a token in a session variable when a user logs in. Confirm the token is there on each page; if it isn't, redirect the user to the login page. For example, assert_login.php:

<?php
session_start();

// Redirect to the login page unless a login stored a non-empty token.
// empty() also covers the "never set" case without an undefined-index notice.
if (empty($_SESSION['token'])) {
    header("Location: login.php");
    exit();
}
?>

Then, in the PHP at the top of each of your pages:

<?php
require('assert_login.php');
?>

You can also clear the session variable on logout, logout.php for example:

<?php
require('assert_login.php'); // has session_start() already

$_SESSION['token'] = ''; // empty the token
unset($_SESSION['token']); // belt and suspenders
header("Location: login.php");
exit();
?>
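A complete version of this gate, added here as a worked example (it is not code from the question or from the answer above): a single auth.php that every protected page pulls in with require_once before any output, which also covers the logout link the question asks about. It assumes the question's SQLite table users(user, password) with password holding password_hash() output, a 15-minute idle timeout, and a front page index.php; the auth_* function names and the constants are mine.

```php
<?php
// auth.php: require_once this before any output on every protected page.
// It returns only for a logged-in visitor; otherwise it shows the form and exits.
// Assumes the question's table users(user TEXT, password TEXT) where password
// holds password_hash() output (seed a row with password_hash('...', PASSWORD_DEFAULT)).
declare(strict_types=1);

const AUTH_IDLE_LIMIT   = 900;         // seconds of inactivity before re-login (assumed)
const AUTH_AFTER_LOGOUT = 'index.php'; // landing page after logout (assumed)

session_start();

function auth_db(): PDO
{
    $db = new PDO('sqlite:' . __DIR__ . '/data.db');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Look the user up by name and verify against that row's hash only. The question's
// loop over every row would accept any user's password for any identity.
function auth_check_credentials(PDO $db, string $user, string $pass): bool
{
    static $dummy = null;   // verified for unknown users so timing does not reveal names
    $dummy = $dummy ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    $stmt = $db->prepare('SELECT password FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    return password_verify($pass, $hash === false ? $dummy : (string) $hash)
        && $hash !== false;
}

function auth_login(string $user): void
{
    session_regenerate_id(true);                     // new session id on privilege change
    $_SESSION['token'] = bin2hex(random_bytes(16));  // opaque marker, never the password
    $_SESSION['user']  = $user;
    $_SESSION['last']  = time();
}

function auth_logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // old id is deleted server-side; session stays usable
}

function auth_is_logged_in(): bool
{
    if (empty($_SESSION['token']) || !isset($_SESSION['last'])) {
        return false;
    }
    if (time() - (int) $_SESSION['last'] > AUTH_IDLE_LIMIT) {
        auth_logout();
        return false;
    }
    $_SESSION['last'] = time();   // sliding expiry
    return true;
}

function auth_render_form(string $message): void
{
    if ($message !== '') {
        echo '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="POST" action="">'
       . '<input type="text" name="user" autocomplete="username" placeholder="Username">'
       . '<input type="password" name="pass" autocomplete="current-password" placeholder="Password">'
       . '<button type="submit">Log in</button></form>';
}

// Any protected page can offer <a href="?logout=1">logout</a>.
if (isset($_GET['logout'])) {
    auth_logout();
    header('Location: ' . AUTH_AFTER_LOGOUT, true, 303);
    exit();
}

if (!auth_is_logged_in()) {
    $message = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = (string) ($_POST['user'] ?? '');
        $pass = (string) ($_POST['pass'] ?? '');
        if ($user !== '' && auth_check_credentials(auth_db(), $user, $pass)) {
            auth_login($user);
            // Post-Redirect-Get: reload the same URL without the POST body
            header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
            exit();
        }
        $message = 'Wrong username or password.';
    }
    auth_render_form($message);
    exit();   // nothing below the require_once in the calling page is sent
}
// Logged in: execution returns to the page that required this file.
```

The exit() after the form is what the question's login.php lacks: without it PHP keeps running and the protected page is sent right after the form. Storing a random token and the username rather than the typed password keeps the secret out of the session store, and regenerating the session id at login and logout defeats session fixation.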


Davinder February 2016

I was also going through the same issue, and this is the way I solved it:

PSEUDO CODE:

<?php
// pw.php: include at the top of every file you want to protect.
session_start();

if (isset($_GET['logout'])) {
    setLogout();
    exit();
}

$redirect = false;

if (empty($_SESSION['auth'])) {
    // Not authenticated yet.
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $redirect = true;
        $user = trim((string) ($_POST['username'] ?? ''));
        $pass = (string) ($_POST['pass'] ?? '');
        // hash_equals() avoids a timing side channel; the hard-coded pair stands in
        // for a lookup of a password_hash() value in a database.
        if (hash_equals('John', $user) && hash_equals('secret', $pass)) {
            setLogin($user);
        } else {
            setLogout(false);
            echo 'Wrong Username or Password';
            drawLogin();
            exit();
        }
    } else {
        // GET without a session: ask the user to log in and stop here.
        drawLogin();
        exit();
    }
}

// Post-Redirect-Get: after a successful POST reload the page with GET, so a refresh
// does not resubmit the credentials. 303, not 301: a 301 would be cached by the browser.
if ($redirect) {
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit();
}

// Secret content here (the including file continues below).

function setLogin($user)
{
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['auth'] = true;
    $_SESSION['user'] = $user;
}

function setLogout($redirect = true)
{
    unset($_SESSION['auth'], $_SESSION['user']);
    if ($redirect) {
        // redirect back to this page without the query string (shake off ?logout)
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
        exit();
    }
}

function drawLogin()
{
    echo '<form method="POST" action="">'
       . '<input type="text" name="username" placeholder="Username">'
       . '<input type="password" name="pass" placeholder="Password">'
       . '<button type="submit">Login</button></form>';
}

What it does is check various things/variables, and if all of them pass, control passes to the secret content.

Save it as pw.php and include it at the top of any file you want to protect. Logout can be triggered by <a href="?logout">Logout</a>.

Note that this is just pseudocode, typed on a tablet. I will try to update it with an actual version. It is not checked for errors. Use all standard PHP security precautions.

Post Status

Asked in February 2016
Viewed 1,653 times
Voted 5
Answered 2 times
