Menu
I have begun developing this very simple PHP login that asks for a password to allow access to a website. It also creates a cookie to allow continued access until the user closes their browser window.
At the top of each page I check for the cookie:
<?php
if(!isset($_COOKIE['authorised']) || ($_COOKIE['authorised'] != 'true'))
{
include('login.php'); exit;
}
?>
If they don't then I exit and show a login form:
<?php
function pageURL()
{
$pageURL = 'http';
if ($_SERVER["HTTPS"] == "on")
{
$pageURL .= "s";
}
$pageURL .= "://";
if ($_SERVER["SERVER_PORT"] != "80")
{
$pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
}
else
{
$pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
}
return $pageURL;
}
$pageRedirect = pageURL();
if(isset($_POST['password']) && ($_POST['password'] == 'qwe123'))
{
setcookie('authorised', 'true'); header("Location:$pageRedirect",303);
}
else
{
include('noaccess.php'); exit;
}
?>
<form action="<?php echo pageURL(); ?>" method="post">
<input type="password" name="password" />
<input type="submit" title="I agree" value="I agree" name="submit" />
</form>
The current PHP is from an old Warning page when you had to agree to access the site, I want to modify it to work with a simple form so that if the user types a password say for example 'qwe123' then they create the cookie and then are redirected back to the page but now have access because of the cookie. If they get it wrong then another page is included and exited.
Can someone help me with this? Thanks
960
Please don't try to store things like "authenticated" in a client side cookie; that's incredibly insecure. A user can modify anything in a cookie - so in this case, I could look up the cookie in my browser settings and then edit it to set "authenticated" to true. I would then be logged in, without a username or password.
Have a look at PHP's session management functions. You should create a session and store any secure information server side, not client side.
An example using sessions would be the following;
<?php
session_start();
$secretpassword = 'qwert1234';
$secretusername = 'foobar';
if ($_SESSION['authenticated'] == true) {
// Go somewhere secure
header('Location: secure.php');
} else {
$error = null;
if (!empty($_POST)) {
$username = empty($_POST['username']) ? null : $_POST['username'];
$password = empty($_POST['password']) ? null : $_POST['password'];
if ($username == $secretusername && $password == $secretpassword) {
$_SESSION['authenticated'] = true;
// Redirect to your secure location
header('Location: secure.php');
return;
} else {
$error = 'Incorrect username or password';
}
}
// Create a login form or something
echo $error;
?>
<form action="login.php"><input type="text" name="username" /><input type="text" name="password" /><input type="submit" value="login" /></form>
<?php
}
It's a pretty ugly example, but this covers the meat of it
You run session_start() before sending any other output; this stores a session cookie on the client side, which only stores an identification number on the client side. All other data is stored on the server side, so it cannot be modified by the user.
There are several parameters that you can set on this to improve security, including httponly (prevents the cookie from being accessed via javascript, helps against XSS attacks) and secure (only transfer the cookie over SSL). These should be enabled if possible.
91
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
