php password protected website

Question

I'm new to web programing and im trying to find a few good examples / tutorials on how to do a decent job of creating a website that requires users to log on to view any pages beyond the main log in page.

so far i've found 1 or 2 that ive tried but i keep running into the same problem. If i just enter the url of the page i want to see manually i can get in like there was nothing there.

Answer 1

Okay, I'll explain how the basic concept goes and a very simple implementation to get things going.

PHP (and most web applications) rely on RESTful services -- which, to our concern at the moment, means every request is not remotely bound to any other request being made - either that being by the same user or others.

So what does that mean?

This means that for every single request, you need to do your checks. You need to make sure if the user has permissions to execute that page, or less severely even see its contents.

How is this achieved?

By many ways, actually. There are lots of techniques used to enforce authorization on web applications but they would essentially both break down to one of two -- either centralized, or decentralized.

-- Centralized

This means all your actions (and controllers) are being handled through a single file. Say index.php. This file would then include or delegate its tasks to other files (that are not runnable on their own via normal requests) based on request parameters. This is a very popular approach, but not exactly straight forward for new developers. Examples of applications that use this approach would have URLS of the type: index.php?do=register, index.php?do=login, index.php?do=showtopic&topic_id=2, and so forth.

A simple implementation of this technique would go like:

<?php
// index.php
define('RUNNING_APP', true);
// 1. place your auth code here, or...
switch ($_REQUEST['do']) {
    case 'register':
        // 2. or here
        include 'inc/register.php';
        break;

    case 'do_register':
        // 2. and here, and before every include.. and so forth.
        include 'inc/do_register.php';
        break;
}
?>

<?php
// inc/register.php
defined('RUNNING_APP') or die('Cannot access this script directly'); // make sure to break direct access
?>
<form action="index.php?do=do_register">
<!-- form elements -->
</form>

and so forth.

I've documented where the usual auth code should go.

-- Decentralized

Using this approach, however, your auth code should go at the beginning of every single file. URLS of applications of this sort usually look something like: register.php, login.php, and so forth. The main problem here is that you need to perform all auth logic per file, as stated above, and that may be a hectic job if your files increase in amount. A convenient solution is to have that logic in a single file, and include that file (which would kill the request for unauth personel) before any of your logic. A simple example would be:

<?php
// index.php
include('inc/auth.php');
// index logic
?>

<?php
// register.php
include 'inc/auth.php';
// register logic
?>

<?php
// inc/auth.php
$logged_in = false;
if (!$logged_in) {
    die ('You do not have permission to access this page. Please login');
}
?>

Answer 2

When logging in using a form, you should check the username and password in the database. The password should be scrambled (usually done using the MD5 hash algorithm), and stored in the database in the same way. You capture the variables, using something like (use some validation to check if the POST variables are valid):

$username = $_POST['username'];
$passwordHash = md5( $_POST['password'] );

The username and hashed password should be stored in your database. You can then check for a match in the database using:

$res = mysql_query("SELECT * FROM users WHERE username='".$username."' && password='".$password."'");

When a user is found, you use sessions to store the user values, which will allow you to get access to a users information across pages. NOTE: session_start() is usually placed at the top of the page, but I'll place it here for readability.

if ( mysql_num_rows($res) ) {
  session_start();
  session_regenerate_id(); // regenerate session_id to help prevent session hijacking
  $row = mysql_fetch_assoc($res);
  $_SESSION['logged_on'] = true;
  $_SESSION['username'] = $row['username'];
  // add more session variables about the user as needed
}

On every page you want to protect, you add the following to the top of those pages:

session_start();
if ( !isset($_SESSION['logged_on']) ) {
  header("Location: login.php"); // user is not logged in, redirect to login page
  exit;
}
// page content here