Password protected pages / simple admin login with PHP

[spacepoet]

Hello everyone:

 

I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct.

 

I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..?

 

I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems.

 

In ASP I would do a protected page like this:

a_login_check.asp

<%
if session("admin_user_name") = "" then
session.abandon
response.redirect "login.asp"
end if
%>

 

Protected-Page.asp

<!-- #include file="include/a_check_login.asp" -->
<html>
...
CONTENT

...
</html>

 

And of course there is the login page itself ...

(I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??)

 

Anyway, can someone point-out to me how to do this.

 

I would appreciate it!

 

[ChemicalBliss]

This may seem like a cheap-shot but have you tried google?

 

I would say these forums are for people who are stuck with a specific problem/logic in their code.

There are plenty of beginner tutorials with plentiful information on security and usability around the web regarding authentication.

 

You will need to know a few basics and important vulnerabilities of PHP in order to make a production-level authentication system (one the public will use);

Try some tutorials from here, phpfreaks:

http://www.phpfreaks.com/tutorial/php-basic-database-handling

http://www.phpfreaks.com/tutorial/php-security

 

Then do a google for the actual authentication tutorial, there are hundreds, find one that looks right for your project.

http://www.google.co.uk/search?q=php+authentication+tutorial

 

hope this helps

[colleyboy]

Hi,

 

Obviously presuming you know some php.

 

You would need to consist a few pages.

 

dbconnect.php

login.html

checklogin.php

 

the dbconnect.php would obviously have all the database details and connection details.

the login.html would be a html form username and password which points towards the checklogin.php

 

the checklogin.php would have coding that would check the username and password against the database and if username and password is ok is starts the session and forwards to the index.php which is the admin area.

 

index.php and all pages you want to password protect would have coding at the top checking if the session is started and if it is then lets the page load and if not it will redirect to login.html.

 

Fairly simple.

Ian

[spacepoet]

Hi:

 

Yes, I have a myConn.php (database connection), database set-up with a small CMS (am going to post about this for another issue), etc.

 

I just want to know the code I use is proper - sometimes GOOGLE has good code, sometimes bad.

 

I will look into it and see what happens.

[spangle1187]

I was working on a similar pfoject getting users to sign up and sign a quick verification to the db and then some session data created and so forth. I followed a tutorial on The New Boston, its under php tutorials andhe is creating a game that requires a login procedure. It may well be worth a look.

[ChemicalBliss]

Just to let you know, the PHP equivalents of the ASP code you posted is as follows:

 

a_login_check.PHP

<?php
if (!isset($_SESSION["admin_user_name"])){
Header("location: login.php");
}
?>

 

Protected-Page.PHP

<?php include("include/a_check_login.PHP"); ?>
<html>
...
CONTENT

...
</html>

 

There are many "best-practices" to follow but i would reccomend reading over a couple "PHP Security" guides/tutorials .

 

hope this helps.