html - Proper php login authorization -


I'm editing an old page that needed an authorized-access page. I have the right code in PHP: I have set 1 username and 1 password, and I can bypass the sign-in screen; if authorization is successful, the login redirects me to the "secret" page.

But if someone knows the URL of the "secret" page (for example ..../secrets/secret1.php), they can bypass the login screen. What is the best solution in this case?

I tried hiding the php extension by editing .htaccess, but it didn't work. I don't want to hide the address bar entirely.

In the login page you can set a session for the current user that grants access to the pages that need authorization.

For example, if you have a log-in page like:

<?php /* log-in */

// declare username and password
$my_username = "admin";
$my_password = "rootstemleaves";

// declare the page to redirect to
$secret_page = "../secrets/secrets1.php";

// only run the checks when the form was actually submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    // set initial value: proceed unless a check fails
    $proceed = 1;

    // check if the username is empty
    if (empty($_POST['username'])) {
        // tell the user the username is empty
        echo "you need to put a username!";
        // set to not proceed
        $proceed = 0;
    }

    // check if the password is empty
    if (empty($_POST['password'])) {
        // tell the user the password is empty
        echo "you need to put a password";
        // set to not proceed
        $proceed = 0;
    }

    // proceed if the checks were ok
    if ($proceed == 1) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        // check if the username is not the same
        if ($username !== $my_username) {
            // tell the user they entered the wrong username
            echo "wrong username!";
        } else {
            // check if the password is not the same
            if ($password !== $my_password) {
                // tell the user they entered the wrong password
                echo "wrong password";
            } else {
                // redirect to the page and stop running this script
                header("Location: $secret_page");
                exit;
            }
        }
    }
}
?>
<!doctype html>
<html>
<h1>log-in</h1>
<form method='post'>
<input type='text' name='username' placeholder='username'><br>
<input type='password' name='password' placeholder='password'><br>
<br>
<button type='submit'>submit</button>
</form>
</html>

You can add session_start(); to begin the session and then record that the user is logged in, so they can access the secret pages if they are authorized.

So the log-in page should look more like this:

<?php /* log-in new!!! */

// important: tell PHP to start the session at the beginning of the file
session_start();

// declare username and password
$my_username = "admin";
$my_password = "rootstemleaves";

// declare the page to redirect to
$secret_page = "../secrets/secrets1.php";

// check if the user is already logged in or not
if (!empty($_SESSION['logged_in'])) {
    // redirect to the page and stop running this script
    header("Location: $secret_page");
    exit;
}

// only run the checks when the form was actually submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    // set initial value: proceed unless a check fails
    $proceed = 1;

    // check if the username is empty
    if (empty($_POST['username'])) {
        // tell the user the username is empty
        echo "you need to put a username!";
        // set to not proceed
        $proceed = 0;
    }

    // check if the password is empty
    if (empty($_POST['password'])) {
        // tell the user the password is empty
        echo "you need to put a password";
        // set to not proceed
        $proceed = 0;
    }

    // proceed if the checks were ok
    if ($proceed == 1) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        // check if the username is not the same
        if ($username !== $my_username) {
            // tell the user they entered the wrong username
            echo "wrong username!";
        } else {
            // check if the password is not the same
            if ($password !== $my_password) {
                // tell the user they entered the wrong password
                echo "wrong password";
            } else {
                // set the session !!!
                $_SESSION['logged_in'] = true;

                // redirect to the page and stop running this script
                header("Location: $secret_page");
                exit;
            }
        }
    }
}
?>
<!doctype html>
<html>
<h1>log-in</h1>
<form method='post'>
<input type='text' name='username' placeholder='username'><br>
<input type='password' name='password' placeholder='password'><br>
<br>
<button type='submit'>submit</button>
</form>
</html>

Look at the end of the logic: before redirecting the user, we set $_SESSION['logged_in'] = true; because we use that value for the check later in the pages that need authorization.

So in the secret page you need to add, at the top, a check whether the user is logged in:

<?php /* secret page */

// start the session (important!)
session_start();

// login page
$login_page = "login.php";

// check if the user is logged in
if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    // redirect to the login page to prevent unauthorized access;
    // exit is required, otherwise the rest of the secret page is still sent
    header("Location: $login_page");
    exit;
}
?>

Also, if you need to log out the user, make a logout.php with this code:

<?php /* log-out */

// start the session (important!)
session_start();

// login page
$login_page = "login.php";

// destroy the session!
session_destroy();

// finally, redirect the user to the log-in page in case they want to log in again
header("Location: $login_page");
exit;
?>

So in the hidden page add <a href="logout.php">logout</a> to log out.

Make sure though that in the future you use a database to store the log-in credentials, and hash and salt the password (never store a password in plain text, ever!).
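The same session flow, written as an added example (not the answer's own code) with the hardening the last paragraph asks for: the password is checked with password_verify() against a password_hash() value, the session id is regenerated after login, and every redirect is followed by exit so the protected body is never sent. The file name auth.php, the demo user table, and the default page paths are assumptions for this example.

```php
<?php
// auth.php: added example, not part of the original answer. Include it from
// login.php, logout.php and every secret page. Names and paths are assumed.
declare(strict_types=1);

// Demo credential store, constructed for this example. In production this row
// lives in a database; only the password_hash() output is stored, never the
// password itself (password_hash() salts automatically).
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('rootstemleaves', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Start the session once, with cookie flags that keep the id off the URL and
// out of reach of page scripts.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Check a submitted username/password against the hashed store and, on
// success, mark the session as logged in under a fresh session id.
function attempt_login(string $username, string $password): bool
{
    $users = demo_users();
    // Always run password_verify(), even for unknown users, so response time
    // does not reveal which usernames exist.
    $hash = $users[$username] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if (!isset($users[$username]) || !$ok) {
        return false;
    }
    session_regenerate_id(true);   // a new id after login defeats session fixation
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $username;
    return true;
}

// Put this at the top of every secret page. The exit after header() is the
// part the answer's snippet is missing: without it PHP keeps running and still
// sends the page body to the unauthenticated browser.
function require_login(string $login_page = 'login.php'): void
{
    start_secure_session();
    if (empty($_SESSION['logged_in'])) {
        header('Location: ' . $login_page);
        exit;
    }
}

// Full logout: clear session data, expire the cookie, destroy server-side state.
function logout(string $login_page = 'login.php'): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $login_page);
    exit;
}

// login.php handler for the same form as in the answer (fields 'username' and
// 'password'). Returns an error message to show above the form, or null.
function handle_login_request(string $secret_page = '../secrets/secrets1.php'): ?string
{
    start_secure_session();
    if (!empty($_SESSION['logged_in'])) {
        header('Location: ' . $secret_page);
        exit;
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;                           // just show the form
    }
    $u = (string)($_POST['username'] ?? '');
    $p = (string)($_POST['password'] ?? '');
    if ($u === '' || $p === '') {
        return 'You need to enter both a username and a password.';
    }
    if (!attempt_login($u, $p)) {
        return 'Wrong username or password.';   // one message for both cases
    }
    header('Location: ' . $secret_page);
    exit;
}
```

A secret page then needs only `require 'auth.php'; require_login();` as its first lines, logout.php becomes `require 'auth.php'; logout();`, and login.php calls handle_login_request() before printing the form and shows the returned message if there is one. The single "wrong username or password" message replaces the answer's separate "wrong username!" / "wrong password" outputs so the login form does not confirm which usernames exist.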

Hope this helps.
