Article Dicussion: Creating a Secure PHP Login Script

Dev Articles Community Forums Sponsor:

March 25th, 2003, 06:03 PM

benos

Contributing User

Join Date: Feb 2003

Posts: 233

Time spent in forums: < 1 sec
Reputation Power: 6

Article Dicussion: Creating a Secure PHP Login Script

If you have any questions or comments about this article please post them here.

This forum post relates to this article

March 31st, 2003, 12:15 AM

Mr Chocloate

Junior Member

Join Date: Aug 2002

Location: Anglesea

Posts: 12

Time spent in forums: < 1 sec
Reputation Power: 0

That was a great article! very quick and straight to the point.

Do you have that code for download? every time i try and cut and pate it gets really messy. I would love to use it

August 30th, 2003, 11:08 PM

soichih

Junior Member

Join Date: Aug 2003

Posts: 1

Time spent in forums: < 1 sec
Reputation Power: 0

cookie bug

I don't know if I am doing wrong, but I tried and tested and with the code on the article, the cookie value will never be set on database, and setcookie function will never be called with updated cookie when user does "remember".

So when user do remember, it won't remember because the value is always null.

How am I supposed to fix this problem?

September 20th, 2003, 08:30 AM

DDDooGGG

Contributing User

Join Date: Dec 2002

Location: Melbourne, Australia

Posts: 97

Time spent in forums: 23 m 33 sec
Reputation Power: 6

Could someone tell me where and how i use these function in this article?
Can aybody plese leave a full example with HTML included?

thanks.

__________________
regards,

Fulton

September 28th, 2003, 10:13 PM

Dave Cheney

Junior Member

Join Date: Sep 2003

Posts: 3

Time spent in forums: < 1 sec
Reputation Power: 0

member.class.php

Hi,

A good article, but I found that there are some omissions that make it unworkable out of the box. Here is my implementation of the class.

All comments are welcome, and appreciated.

At the moment the class will restore the login on instansiation, but i haven't managed to remove the 'remember' cookie so there is no way to log out at the moment

Cheers

Dave

-----

Quote:

<?php

// member class
// handlers member logon

class member_class
{
function member_class()
{
if (!isset($_SESSION['uid']))
{
$this->set_session_defaults();
}
if ($_SESSION['logged_in'])
{
$this->check_session();
}
if (isset($_COOKIE['remember']))
{
print('checking cookie');
$this->check_remembered($_COOKIE['remember']);
}
}

function check_login($username,$password,$remember)
{
global $db;
$username = mysql_escape_string($username);
$password = mysql_escape_string(md5($password));

print('username:'.$username." password:".$password);

$result=$db->query("SELECT * FROM member WHERE username = '{$username}' AND password = '{$password}'");

if ($db->numrows($result))
{
$this->set_session($db->fetchrow($result),$remember,true);
return true;
} else {
$this->failed = true;
$this->logout();
return false;
}
}

function logout()
{
// blowup cookie
setcookie('remember',null,time()-3600);
$this->set_session_defaults();
}

function set_session($result,$remember,$init = true)
{
global $db;
print('Setting session');

if ($init)
{
$session = mysql_escape_string(session_id());
$ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
$result['token'] = $this->token(); // generate a new token
$db->query("UPDATE member SET session='{$session}', token='{$result['token']}', ip='{$ip}' WHERE uid='{$result['uid']}'");
}

$_SESSION['uid'] = $result['uid'];
$_SESSION['username'] = htmlspecialchars($result['username']);
$_SESSION['token'] = $result['token'];
$_SESSION['logged_in'] = true;

if ($remember)
{
$this->update_cookie($result['token']);
}

}

function update_cookie($token)
{
$cookie = serialize(array($_SESSION['username'],$token));
setcookie('remember',$cookie, time()+31104000);
}

function check_remembered($cookie)
{
global $db;
var_dump(unserialize($cookie));
list($username,$token) = unserialize($cookie);
if(empty($username) or empty($token))
{
print('cookie error');
return;
} else {
$username = mysql_escape_string($username);
$token = mysql_escape_string($token);

$result = $db->fetchrow($db->query("SELECT * FROM member WHERE username = '{$username}' AND token ='{$token}'"));
var_dump($result);
if ($result != false)
{
$this->set_session($result,false,false);
}
}
}

function token()
{
// generate a random token

for($i=1;$i<33;$i++)
{
$seed .= chr(rand(0,255));
}
return md5($seed);
}

function check_session()
{
global $db;
$username = mysql_escape_string($_SESSION['username']);
$token = mysql_escape_string($_SESSION['token']);
$session = mysql_escape_string(session_id());
$ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);

$result = $db->fetchrow($db->query("SELECT * FROM member WHERE username='{$username}' AND token='{$token}' AND session='{$session}' AND ip='{$ip}'"));
if ($result != false)
{
} else {
$this->logout();
}
}

function set_session_defaults()
{
$_SESSION['logged_in'] = false;
$_SESSION['uid'] = 0;
$_SESSION['username'] = '';
$_SESSION['cookie'] = 0;
$_SESSION['remember'] = false;
}
}
?>

Last edited by Dave Cheney : September 28th, 2003 at 11:49 PM.

September 28th, 2003, 10:19 PM

Dave Cheney

Junior Member

Join Date: Sep 2003

Posts: 3

Time spent in forums: < 1 sec
Reputation Power: 0

logout function

this seams to do the trick

function logout()
{
// blowup cookie
setcookie('remember',time()-3600);
$this->set_session_defaults();
}

September 28th, 2003, 11:52 PM

Dave Cheney

Junior Member

Join Date: Sep 2003

Posts: 3

Time spent in forums: < 1 sec
Reputation Power: 0

db schema for above - slightly modified from the original posted in the article

CREATE TABLE `member` (
`uid` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default '',
`PASSWORD` varchar(32) binary NOT NULL default '',
`token` varchar(32) binary NOT NULL default '',
`session` varchar(32) binary NOT NULL default '',
`ip` varchar(15) binary NOT NULL default '',
PRIMARY KEY (`uid`),
UNIQUE KEY `username` (`username`)
) TYPE=MyISAM AUTO_INCREMENT=2 ;

January 1st, 2004, 11:28 AM

krose

Junior Member

Join Date: Dec 2003

Posts: 5

Time spent in forums: < 1 sec
Reputation Power: 0

Dave,

Thank you for posting your update to the Secure Log in Article on the devArticles site (back in Sept 2003). This is the most comprehensive code I have found.

I am trying to implement it, but just have a few questions about when to call certain methods.

Would you be willing to send me a skeleton of a couple of content pages that have the security calls in place?

I am just having trouble with the "big picture" of how it all fits together.

Your help would be greatly appreciated!

Thanks,
Kevin

February 27th, 2004, 10:08 AM

cyomega

Registered User

Join Date: Feb 2004

Posts: 1

Time spent in forums: < 1 sec
Reputation Power: 0

Quote:

Originally Posted by krose

I second this motion. I'm trying to figure out the best way to check login status on the content pages, and bounce back to the login page if the session expires or if the user logs out.

::(`)::

#10

March 11th, 2004, 11:55 PM

TonBao

Registered User

Join Date: Mar 2004

Posts: 1

Time spent in forums: < 1 sec
Reputation Power: 0

Got error!

I've just read ur article and follow it as well. And I've received the following error:

Parse error: parse error, unexpected T_VARIABLE, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in c:\inetpub\wwwroot\My Scripts\Login form\login.php on line 41

the line 41 in my script is $date=gmdate("'Y-m-d'");

Thanks

#11

May 10th, 2004, 03:35 PM

drhetesi

Registered User

Join Date: May 2004

Posts: 1

Time spent in forums: < 1 sec
Reputation Power: 0

MySQL load

I need to build some authentication for a site of upwards of 1000 people. Is there going to be stress on the MySQL database if its accessed each time a secure page is accessed? Is there a way test this before I go online with it?

Thanks a lot.

The Doctor.

#12

August 27th, 2004, 11:54 AM

trystano

Contributing User

Join Date: Jul 2003

Posts: 45

Time spent in forums: < 1 sec
Reputation Power: 6

Hi all,

I know its been a long time, but did anyone actually find out where exactly they need to put the function calls to this class within the HTML?

Thanks

Tryst

__________________
Tryst

#13

August 27th, 2004, 08:35 PM

trystano

Contributing User

Join Date: Jul 2003

Posts: 45

Time spent in forums: < 1 sec
Reputation Power: 6

Unserialize Problem

Has anyone else had any problems with the unserialize() function in this script?

Thanks

Tryst

#14

January 16th, 2005, 10:57 AM

TallyHo

Registered User

Join Date: Jan 2005

Posts: 1

Time spent in forums: 3 m 23 sec
Reputation Power: 0

Old thread but here come the examples

Its an old thread though after checkin out Daves class (nice) i just added a few lines to get it to work and since some people asked for examples on how to use it.. here we go:
file: member_class.php

PHP Code:


		
			
<?php
   // member class
   // handlers member logon
   class member_class
   {
   function member_class()
   {
   if (!isset($_SESSION['uid']))
   {
   $this->set_session_defaults();
   }
   if ($_SESSION['logged_in'])
   {
   $this->check_session();
   }
   if (isset($_COOKIE['remember']))
   {
   //print('checking cookie');
   $this->check_remembered($_COOKIE['remember']);
   }
   }
   
   function check_login($username,$password,$remember)
   {
   global $db;
   $username = mysql_escape_string($username);
   $password = mysql_escape_string(md5($password));
   
   $result=$db->query("SELECT * FROM member WHERE username = '{$username}' AND password = '{$password}'");
   
   if ($db->num_rows($result))
   {
   $this->set_session($db->next_record($result),$remember,true);
   return true;
   } else {
   
   $this->failed = true;
   $this->logout();
   return false;
   }
   }
   
   function logout()
   {
   // blowup cookie
   setcookie('remember',time()-3600);
   $this->set_session_defaults();
   }
   
   function set_session($result,$remember,$init = true)
   {
   global $db;
   //print('Setting session<br>');
   $uid=$db->f('uid');
   if ($init)
   {
   $session = mysql_escape_string(session_id());
   $ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
   $newtoken = $this->token(); // generate a new token
   $db->query("UPDATE member SET session='{$session}', token='{$newtoken}', ip='{$ip}' WHERE uid='{$uid}'");
   }
   
   $_SESSION['uid'] = $db->f('uid');
   
   $_SESSION['username'] = htmlspecialchars($db->f('username'));
   $_SESSION['token'] = $newtoken;
   $_SESSION['logged_in'] = true;
   
   if ($remember)
   {
   $this->update_cookie($newtoken);
   }
   
   }
   
   function update_cookie($token)
   {
   $cookie = serialize(array($_SESSION['username'],$token));
   //$cookie = serialize(array('bas','token'));
   setcookie('remember',$cookie, time()+12099600);
   }
   
   function check_remembered($cookie)
   {
   global $db;
   
   $serializedArray=$cookie;
   $serializedArray = stripslashes($serializedArray);
   list($username,$token) = unserialize($serializedArray);
   
   
   if(empty($username) or empty($token))
   {
   //print('cookie error<br>');
   return;
   } else {
   $username = mysql_escape_string($username);
   $token = mysql_escape_string($token);
   $ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
   $result = $db->next_record($db->query("SELECT * FROM member WHERE username = '{$username}' AND token ='{$token}'"));
   
   //var_dump($result);
   if (!$result)
   {
   $this->set_session($result,false,false);
  &