ansaurus

Question

php sessions to authenticate user on login form

Answer 1

+1 A:

First, don't store the password in the session. It's a bad thing. Second, don't store the username in the session until after you have authenticated.

Try the following:

<?php

session_start();

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $authed = auth($username, $password);

    if (! $authed) {
        header('Location: http://website.com/fail.php');
    } else {
        $_SESSION['username'] = $username;
    }
}

if (isset($_SESSION['username'])) {
    $navbar = 1;
    $logindisplay = 0;
} else {
    header ('Location: http://website.com/fail.php');
}

hobodave 2009-08-07 06:17:40

im not, tell me how and i will

Patrick 2009-08-07 06:23:27

Well if you have to pass the username/password to a 3rd party API, then I guess you don't want to escape it. I'd leave that to them.

hobodave 2009-08-07 06:27:38

Answer 2

A:

Just some random points, even though they may not actually pertain to the problem:

Don't store the password in plaintext in the session. Only evaluate if the password is okay, then store loggedIn = true or something like that in the session.
Check if the password and the username are $_POSTed, not || (or).
Don't pass password and username back and forth between $password and $_SESSION['password']. Decide on one place to keep the data and leave it there.
Did you check if you can store anything at all in the session? Cookies okay etc...?

To greatly simplify your code, isn't this all you need to do?

if (isset($_POST['username'] && isset($_POST['password'])) {
    if (auth($_POST['username'], $_POST['password'])) {
        $_SESSION['user'] = /* userid or name or token or something */;
        header(/* to next page */);
    } else {
        // display "User credentials incorrect", stay on login form
    }
} else {
    // optionally: display "please fill out all fields"
}

deceze 2009-08-07 06:18:31

The password is only used for accessing a 3rd party API through the site. The auth basically uses the 3rd parties site for authentication, therefore i have to pass the password off to the api (in plain text). Any alternative suggestions will be greatly appreciated though, im obviously new at this.

Patrick 2009-08-07 06:26:01

Okay, that depends on your specifics, unless you clarify those it's hard to suggest anything. Still, do you have to store it in the session? I'm guessing `authed()` does the 3rd party check? Do you have to do that more than once?

deceze 2009-08-07 06:33:05

^^ Should be *`auth()`*.

deceze 2009-08-07 06:34:54

i do need to authorize more than once, just a couple of times, enough to upset the flow of the site if user has to keep re-entering info

Patrick 2009-08-07 06:42:18

Answer 3

A:

The solution to my specific problem above

session_start();
if(isset($_POST['username']) || isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
}

if(isset($_SESSION['username']) || isset($_SESSION['password'])){
$navbar = "1";
$logindisplay = "0";
$username = $_SESSION['username'];
$password = $_SESSION['password'];
$authed = auth($username, $password);
if( $authed == "0" ){
header('Location:http://website.com/fail.php');
}
} else {
header('Location:http://website.com/fail.php');
}

Patrick 2009-08-07 06:27:16

Answer 4

+1 A:

Here are a few other things, which may or may not help you, by the way :

Do you have error_reporting on ? (see also)
Do you have display_errors on ?
Is session_start the first thing you are doing in your page ? There must be nothing output before
Are the cookies created on the client-side ?
header Location indicates the browser it has to go to another page ; it doesn't stop the execution of the PHP script. You might want to (almost always anyway) add "exit" after it.

Pascal MARTIN 2009-08-07 06:30:19

good point on the sessions coming first, didnt know that, thanks

Patrick 2009-08-07 06:41:21

You're welcome :-) Actually, it's a bit more complicated than that : session_start sends cookies ; cookies are sent as HTTP headers ; HTTP headers can only be sent when no output has been sent ; so, session_start should be used before any output is generated. (there's an exception, if you are using output_buffering ; but you can't rely on it)

Pascal MARTIN 2009-08-07 06:50:29

thats really good information to know actually, never would have thought. So sessions are basically server managed cookies?

Patrick 2009-08-07 07:01:27

Not really : "you" (well, PHP) must keep a link between a user and the session file on the disk ; as every request in HTTP is independant of the others, it's generally done with a cookie that store the session's identifier. And when PHP receives that cookie, it knows which session correspond to the user.

Pascal MARTIN 2009-08-07 07:08:27

Answer 5

A:

Headers are not function calls. They put a directive into the HTTP headers, and the last one to execute is the one which will be processed. So let say if you have something like this

if ($bAuthed)
{
     header("location: login.php");
}

// error case
header("location: error-login.php");

You will always be redirected to error-login.php no matter what happens. Headers are not function calls!

Extrakun 2009-08-07 07:15:03

Answer 6

+1 A:

what about using this to setup session

session_start();
if(isset($_POST['username']) && isset($_POST['password'])
{
    if(auth($_POST['username'], $_POST['password']))
    {
        // auth okay, setup session
        $_SESSION['user'] = $_POST['username'];
        // redirect to required page
        header("Location: index.php");
     } else {
        // didn't auth go back to loginform
        header("Location: loginform.html");
     }
 } else {
     // username and password not given so go back to login
     header("Location: loginform.html");
 }

and at the top of each "secure" page use

session_start();
session_regenerate_id();
if(!isset($_SESSION['user']) // if there is no valid session
{
    header("Location: loginform.html");
}

this keeps a very small amount of code at the top of each page instead of running the full auth at the top of every page. To logout of the session:

session_start();
unset($_SESSION['user']);
session_destroy();
header("Location: loginform.html");

Tim 2009-08-07 10:47:27

ansaurus

tags:

views:

answers:

php sessions to authenticate user on login form

related questions