Simple PHP Logon System

<h4>SUMMARY</h4>

This basic login system uses the session_start() function. How does it work? It reads two user-defined values (username and password) kept in a separate "settings / configuration file" and compares them with the username and password values entered in the logon interface (the login form). If all values match each other, voila: valid logon. If login fails, the intruder (or "password-forgetter") will be asked to enter the required username and password until he gives up. Pretty neat, no?
First design your logon form. The three basic elements are the username and password fields, and the submit button (doh). Wait, you don't want sneaking eyes to look at your password! Simple, just put the code below (and give it some simple styling) in a new file and name it logon.php.

<pre>
<form name="logon_form" action="validate.php" method="post">
<input name="raw_username" type="text" value="username" />
<input name="raw_password" type="password" value="password" />
<input type="submit" value="logon" />
</form>
</pre>

Neat, you have a logon form: a text input, a password input, and a submit input. Even though the name of the <form> tag does not play any role, it's a good habit to give names to your elements; imagine your folks didn't give a name to you. What would each person in the world call you??? The action value points to where the validation file is located. The validation file is the mothership to the logon system; it validates all transacted values and gives the green light if she feels the values match her preferences. The method value tells the browser to send the logon data in the request body and not display it in the URL / address box. If you want to see it though, change post to get.
Next, don't forget the "settings file". Create a new file and name it mothership.php. This mothership contains...

<pre>
<?php

// the username

$valid_username = "janis.joplin";

// the password

$valid_password = "hippy";

?>
</pre>

Finally the real validating job begins! Create a new file named validate.php.

<pre>
<?php

session_start();

// load $valid_username and $valid_password
require("mothership.php");

// values submitted by the logon form
$rawusername = $_REQUEST["raw_username"];
$rawpassword = $_REQUEST["raw_password"];

$_SESSION["session_username"] = $rawusername;
$_SESSION["session_password"] = $rawpassword;

// == compares the values; a single = would assign instead of compare
if($valid_username == $_SESSION["session_username"] &&
$valid_password == $_SESSION["session_password"]){

$_SESSION["session_username"] = $valid_username;
$_SESSION["session_password"] = $valid_password;

header("Location: valid_page.php");

}else{

header("Location: logon.php");

}

?>
</pre>

Now I shall explain what each line in validate.php does. But remember, this tutorial is just for the initial security step. Read on...

Whenever you use $_SESSION you must first put session_start() on top. Then you include mothership.php to load all values required for the validation process.

Then you must set a variable for each submitted input value. There are two: the username and password fields.

<pre>
$rawusername = $_REQUEST["raw_username"];
$rawpassword = $_REQUEST["raw_password"];
</pre>

Next you set "floating variables" using $_SESSION. I use the word floating because when you use $_SESSION["variable_name"] it temporarily writes a variable on the server until it is DESTROYED. In each of these floating variables are the entered username and entered password. So it actually means you create two new variables;

<pre>
$session_username = $rawusername;
$session_password = $rawpassword;
</pre>

in simple terms...

<pre>
$new_variable = $entered_logon_value
</pre>

What goes next is the if-else statement. It literally means...

<pre>
if(valid username = temporary username and valid password = temporary password){
    overwrite temporary username and password with valid values;
}else{
    send the prick / intruder to the logon screen again until all values are properly matched.
}
</pre>
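A hardened variant of validate.php, as an added example that is not part of the original tutorial. It assumes mothership.php defines a hypothetical `$valid_password_hash` (created once with password_hash()) in place of the plaintext password, and it keeps a hypothetical `authenticated` flag in the session rather than the password itself.

```php
<?php
// Added example, not the tutorial's code. Assumes mothership.php defines
// $valid_username and a hypothetical $valid_password_hash, generated once with:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'

session_start();

require("mothership.php");

// Read the values from the POST body only (the form uses method="post"),
// and treat missing or non-string (array) values as empty.
$rawusername = $_POST["raw_username"] ?? "";
$rawpassword = $_POST["raw_password"] ?? "";
if (!is_string($rawusername) || !is_string($rawpassword)) {
    $rawusername = $rawpassword = "";
}

// hash_equals() compares strings in constant time; password_verify() checks
// the submitted password against the stored hash. Both run before the results
// are combined, so a wrong username does not skip the password check.
$username_ok = hash_equals($valid_username, $rawusername);
$password_ok = password_verify($rawpassword, $valid_password_hash);

if ($username_ok && $password_ok) {
    // Issue a new session ID at logon so an ID handed out before
    // authentication is not carried into the authenticated session.
    session_regenerate_id(true);

    // Record that the user is authenticated; never store the password.
    $_SESSION["session_username"] = $valid_username;
    $_SESSION["authenticated"] = true;

    header("Location: valid_page.php");
    exit;
}

// Failed logon: make sure no stale authenticated state survives.
unset($_SESSION["authenticated"], $_SESSION["session_username"]);
header("Location: logon.php");
exit;
```

With this variant the protected page checks `$_SESSION["authenticated"] === true` instead of comparing a stored password.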

It doesn't stop here; in the "protected" page, you must do the following...

<pre>
<?php

session_start();

require("mothership.php");

# CHECK VALID USERNAME & PASSWORD

if($_SESSION["session_username"] == $valid_username &&
$_SESSION["session_password"] == $valid_password){

?>

YOUR PROTECTED CONTENT IN BETWEEN :)

<?php

}else{

header("Location: logon.php");

}

?>
</pre>

The last step should be easy to digest. After your logon values are validated, you are sent to the protected page. In the protected page, session_start() is called so that the username and password stored in the session are available to this page. It then loads the mothership for confirmation. The pub bouncer checks your name and I.D again to make sure you didn't use someone else's I.D card, and when the picture in your I.D matches your face you are granted access to the pub; otherwise you are asked to present a valid I.D card. Your I.D card is valid as long as you present it in each protected section of the pub. Whenever you fail to present your I.D card, or you have exited the club, you are told to present your I.D card :)

Most importantly, next: what to do once you are done with your legal access to the protected content? You must not leave your I.D lying around or people will use it to access the protected areas. The next job is to make a new page called logout.

<pre>
<?php

session_start();

require("mothership.php");

# CHECK VALID USERNAME & PASSWORD

if($_SESSION["session_username"] == $valid_username &&
$_SESSION["session_password"] == $valid_password){

// remove the stored logon values from the session
unset($_SESSION["session_username"]);
unset($_SESSION["session_password"]);

}else{

header("Location: logon.php");

}

?>
</pre>
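A fuller logout, as an added example that is not part of the original tutorial: unset() removes the two values but leaves the session and its cookie alive, so this version clears the session data, expires the cookie and destroys the session on the server. It uses only standard PHP session functions and assumes the default cookie-based sessions.

```php
<?php
// Added example, not the tutorial's code: end the whole session on logout.

session_start();

// Drop every session variable, not just the two the tutorial sets.
$_SESSION = [];

// Expire the session cookie in the browser, using the same parameters
// it was originally set with.
if (ini_get("session.use_cookies")) {
    $p = session_get_cookie_params();
    setcookie(session_name(), "", time() - 42000,
        $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
}

// Remove the session data stored on the server.
session_destroy();

// Back to the logon form; the old session ID no longer maps to any data.
header("Location: logon.php");
exit;
```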

Tutorial Comments


Well yeah thanks, sorry for my grammatical understanding in the first place :)

By birdman on Dec 2, 2006 9:59 am

FYI, this statement will always evaluate to true:
<pre>
if($valid_username = $_SESSION["session_username"] && $valid_password = $_SESSION["session_password"]){
</pre>
Why? Because = is the assignmen

By mipadi on Nov 30, 2006 11:48 am

Tutorial Details

Author birdman
Submitted on Nov 19, 2006