Problem with PHP log in to site page!!

Tom "Techno" Earl · 11-16-2006, 01:23 PM

Hey,

I've got a problem with one of my PHP sites, in trying to create a login process, I've created a blank page!!

If you take a look at http://www.tomearl.unicorn-group.co....ancaster.co.uk
You'll see the site I've built, but it's not working how I want it to.

The code for index.php is:

PHP Code:



<? 
 #load top and stylesheets 
 $page = "Online Pet store by "; 
 include 'includes/top_of_shop.php'; 
?> 
<?  
 #Check to see if they are signed in or not 
 if (IsSet($_COOKIE['ACUID'])) { 
 echo 'Welcome Back, $user.'; 
} else { 
 echo 'Not signed in? <a href="/animalcare-lancaster.co.uk/" OnClick="window.open(\'includes/sign_in.php\',\'signin\',\'dependant=yes,height=200,width=300\')">Sign in!</a>'; 
} 
?>

The code for sign_in.php is:

PHP Code:



<? 
 #Ask them for username and password, then if they want to create an account 
?> 
<form action="/animalcare-lancaster.co.uk/includes/cookie_monster.php" method="post"> 
Username:&nbsp;&nbsp;&nbsp;<input type="text" name="username"><br> 
Password:&nbsp;&nbsp;&nbsp;<input type="password" name="password"><br> 
<input type="submit" value="Sign in"> 
</form>

The code for cookie_monster.php is:

PHP Code:



<? 
 if (($_POST['username'] == "Tom") && ($_POST['password'] == "password")) { 
 setcookie('ACUID','shopadmin'); 
} 
?> 
<? $user_id = $_COOKIE['ACUID']; ?> 
<? 
 if ($user_id == "Tom") { 
 $full_name = "Tom Earl"; 
 $address_1 = "someplace"; 
 $address_2 = "somewhere"; 
 $address_3 = "Over There"; 
 $post_code = ""; 
 $daytime_tel = ""; 
 $nighttime_tel = ""; 
}  
?>

If anyone can log in using username: Tom and Password: password, they will get a blank page, what I want it to do is close the window, and refresh the home page so that all the cookies take effect.

If anyone can help me, I'd greatly appreciate it!

Thanks

Tom

jiml8 · 11-17-2006, 10:30 AM

The web (HTTP://) is stateless. When you open a new window to enter username and password, you lose all information about the previous window. You probably could do some things client-side to keep the information about the previous window, but many people's security settings would explicitly foil this.

Why don't you just open a username/password requester using javascript the way most sites do it? This keeps the focus on the current window and will eliminate your problem.

Alternatively, when someone clicks on your sign in link, rewrite the home page to them with a username/password field provided.

What I do for this kind of problem is I write my PHP so that I am submitting a form and my sign in link would be a command button. There is a hidden field in this form that is called, for instance, authstatus. The form action calls my homepage in all cases (in other words, the page calls itself).

When I initially provide this page to the user (user requests it via a GET), I set the authstatus value to FALSE. Then, when the user clicks on the link, I process the POST to see what authstatus is and if it is FALSE, I change it to TRYING then rewrite the page (with the same HTML) but providing a userID and password login box, and another form button to submit.

When the user enters username and password, I then see that the hidden authstatus field is TRYING so I process the login and branch appropriately.

Code something like this:

Code:

<?php
if ($_SERVER['REQUEST_METHOD'] == "GET") {
$authstatus = 'FALSE';
$authstat = 'FALSE';
(do any other things I need to do)
} else if ($_SERVER['REQUEST_METHOD'] == "POST") {
  $authstat = $_REQUEST['authstatus'];
  if ($authstat == "FALSE") {
     $authstatus = 'TRY';
     (do other stuff as needed)
  } else if ($authstat = "TRY") {
      (process login and set $authstat appropriately based on result)
  }
   
}
?>
<HTML><HEAD> (my head code) </HEAD><BODY>

(my body html code)
<?php
  if ($authstat == "FALSE" or $authstat == "TRY") { ?>
 <form action="myhomepage.php" name="login" METHOD="POST">
   <input type="hidden" name="authstatus" value="<?php echo "$authstatus";?>">
<?php 
  if ($authstat == "TRY" ) { ?>
     <input type="text" name="username"><br>
<input type="password" name="password">
<?php } } ?>
</BODY>
</HTML>

You can see this mechanism in action if you visit http://www.softwareforlandlords.com/TPMWeb/index.php

This site is a demo template site that I sell and it does exactly what I show here at many places in the site. On the home page, I choose to always display a login box (username/password) but all processing occurs using the framework I have shown here.

Tom "Techno" Earl · 11-18-2006, 07:00 AM

Hi

Thanks for that, I'll have a go later, it looks really professional and it looks like something I could definatly use!

Thanks such a lot for the help!

Tom

jiml8 · 11-18-2006, 10:46 AM

I do almost all my contact forms that way too. Thus, I don't have to worry about a user who has javascript disabled. He fills out the form and submits it, and I parse it on the server. If it is OK, I return some "OK" message - still in the same page - and if there is a problem, I highlight the problem and return the form to him. Also, when I parse the form, I check for spammers trying to use the form to relay their spam. If I see that kind of stuff, I just drop their input and block the IP.