Log in Script in PHP

mohtasham1983 · 07-19-2007, 08:05 PM

Hello,

I'm trying to write a script that enables users to log in to a website. I'm looking for a trick so that once a person who is not logged in, wants to view a page that requires logged in users, the login page appears and after successful logging I want to go to the same page which was supposed to be visited.

I tried to use header() to redirect user to one page back, but since log in page is different from process page, when I do that, it goes to log in page again. Currently, I redirect every users to home page regardless of which page they were visiting.

I'm new to PHP and don't know much about its functional capabilities. I would be glad if someone gives me some hints about this trick.

Thanks.

graemef · 07-20-2007, 12:24 AM

There are many ways to address the problem you have posed...so here is the approach I tend to use.

I have a single entry to the site, say index.php, but to get to the meat of the site I use GET variables, such as index.php?action=download or index.php?action=addNewItem

The index.php file does two things

It will check to see if the user is logged in, if not then the login screen is displayed
If they are logged in then include the file that looks at the action variable

The file that looks at the action will check that the user has the rights to perform the action, for example maybe anyone logged in can download but only the administrator can addnewItem.

mohtasham1983 · 07-20-2007, 12:37 AM

You didn't get quite well what I meant.

Suppose that there are 10 pages in a website called 1.php, 2.php ... 10.php

Anyone who wants to see from 5.php to 10.php should be a member, so when somebody goes to www.mysite.com/6.php a login screen should appear. After successful login, he should be redirected to 6.php instead of one default one.

Currently, I'm trying to keep track of all people visiting my site and store their visited pages in an array like $_SESSION["visit"] and then when redirect people to 2 last pages they visit. However, I think there should be an easier way to do this in Javascript or even PHP.

graemef · 07-20-2007, 12:50 AM

Well you still need to check to see if they are logged in and that should be on every page where authentication is required. But maybe your question is more about remembering where the user was last, so that when they revisit you can return them to that page. Given such a request you might want to use cookies, to store where they were. However there are security issues with cookies, because they can be forged. The other approach may be to store the details on the server, along with the user name and password you keep the last page details. However that means that this data needs to be updated every time the user changes a page, and there may be performance implications there. They may also experience odd results if they have your site open in two different tabs / windows.

mohtasham1983 · 07-20-2007, 12:58 AM

I know that there users should be authenticated at first. That functionality is already implemented. I also thought of performance issue, executing a function whenever changing pages.

I'm going to implement it by tracking users' activities for now, since performance is not an issue for now.

Anyways, thanks for responding.

jlinkels · 07-20-2007, 07:48 AM

This is how I solved it.

First on every page where the user enters I have this statement:

Code:

$_SESSION['last_page']=$_SERVER['PHP_SELF'];

(Well as a matter of fact this is part of a housekeeping routine which does much more, but that is more application specific.)

Then, when user permissions have to be checked, it is done like this:

Code:

$permissions=$_SESSION['permissions'];
if (!($permissions & PERM_CH_DAY_REP)){
//if (false){
   if (!$_SESSION['no_ask_login']){
   js_alert ("You are not logged in or you do not have sufficient permissions to make changes on this page");
   http_goto_url ("login.php");

js_alert is a java script showing a message box, not relevant here.

http_goto_url is this piece of code:

Code:

function http_goto_url ($url){
?>
  <script type="text/javascript">
  window.location.href  = "<? echo $url; ?>"
  </script>
<?

In the same way when the login is done, I retrieve the last page from $_SESSION and jump to this page again using the http_go_url function.

The reason that I use javascript is that this is the *only* way to go to a new URL if you are halfway your PHP code before you decide you want to go to a different page.

Also, using only PHP there is *no* way to clear the login screen and go back to your original page without jumping to a new URL. You you have to use javascript if you want to jump back and forth.

In fact my application is a bit more complicated. When users hit the login page, they are shown the option not to login at all and continue in read-only mode. There is also an option to supress any future warnings and you are not redirected automatically to the login page in the future. (That is the use of the checking of $_SESSION['no_ask_login'] in the 'if' statement above.)

It all works flawlessly, there is just one problem. If a user changed data on a page and presses submit, the function which processes the new data checks if the user is logged in. If not, the user is presented the login page. After that he goes back to his original page. Unfortunately the form is empty by then. That is not pleasant and a huge penalty for forgetting to log in.

Therefor the user should be obligated to login before he can enter any data.

jlinkels