[Tut] Simple Multi User Login

Mentor · 01-08-2006, 04:27 PM

This tutorial basically shows how to create a Super simple multiple user login.

The tutorial use's a flat file to store user names and passwords, and can be used to protect certain pages, so that only people with user names and passwords can view it. The script created will not be particularly secure so its not a good idea if you need protect something important and is only intended as a basis which you can build on.

Part 1 - The Code
Well the first step is to create the login form and the script which will handle the login.

In this tutorial we will call this login.php Create this fill and add this code.

PHP Code:


<?php

if ($_SERVER['REQUEST_METHOD']=="POST"){



// Get UserNames and Passwords.

$Logi = file("users/log.txt");

// Work out how many there are

$size = sizeof($Logi);

// Break appart passwords and usernames

foreach($Logi as $Key => $Val)

{ $Data[$Key] = explode("||", $Val); }

// run threw list and see if any match

for($K = 0; $K<$size; $K++)

{

$user = $Data[$K][0];

$pass =  $Data[$K][1];

// If match set cookie and redirect.

if ($user == trim(addslashes($_POST["user"])) && $pass == trim(addslashes($_POST["pass"])) )

{

 setcookie("in", 1, time()+3600);

 // Start hidden page

 header("Location: http://website.com/hidden.php");

}

}

 echo "Login Failed.";



// If you didnt log in show login form

} else { ?>

<div style="width:250px">

<div><strong>Simple Login</strong></div>

<div><form name="Login" method="post" action="<?=$_SERVER['PHP_SELF'];?>">

Username:

<input name="user" type="text" >

<br>

Password:

<input name="pass" type="password" >

<br>

<input type="submit" name="Submit" value="Submit">

</form>

</div></div>

<?php

}

?>

The above handles all the logging in as well as the login form. When a user successfully logs in the cookie in is set and they are redirected to the first protected page. Replace http://website.com/hidden.php with your protected page's location.

To work the script requires the user names and passwords.
Create a directory called users
In this create two files.

log.txt

Code:

admin||password||
test||pass||
john||pie||

Log.txt stores the user names and passwords in this structure.
Username||Password||

.htaccess

Code:

order allow,deny
deny from all

This .htaccess file makes the script more secure by stopping people from viewing the files. Without this people could just navigate to log.txt and read the names and passwords straight off.

The next step is to create the file we want to make secure.
For this example we will use hid.php

PHP Code:


<?php

if($_COOKIE['in'] == "1"){}

else{

die("You are not authrised to view this page.");

}

?>

The Meaning of life is... CAKE

This script checks to see if the cookie in exists and if it does not stops the rest of the page from loading and shows the not authorised message.
This script can be used on as many pages as you like to protect what ever content you like, as long as its in a php file.

Part 2 - The Breakdown
Ok in this part of the tutorial i will actually example what's going on.

The First and most complex file is login.php. Although it looks complex what's happening ins actually pretty simple.

PHP Code:


<?php

if ($_SERVER['REQUEST_METHOD']=="POST"){

First of all we open php. Then check to see if the Request method is post. Normally the Method is get, except when submitted from a form.
If the method is post, we then fun threw the next bit, if its not we skip to the end and just display the login form

PHP Code:


// Get UserNames and Passwords.

$Logi = file("users/log.txt");

// Work out how many there are

$size = sizeof($Logi);

In the above we open the file log.txt using the file function, which creates an array using the different lines. We then work out how many lines there are which is stored the in size variable.

PHP Code:


// Break appart passwords and usernames

foreach($Logi as $Key => $Val)

{ $Data[$Key] = explode("||", $Val); }

// run threw list and see if any match

We then want to split up the result further to get both the user name and the password separately. The above takes each part of the array we created and splits that in to two smaller parts, one for the username and one for the password.

PHP Code:


for($K = 0; $K<$size; $K++)

{

$user = $Data[$K][0];

$pass =  $Data[$K][1];

// If match set cookie and redirect.

if ($user == trim(addslashes($_POST["user"])) && $pass == trim(addslashes($_POST["pass"])) )

{

 setcookie("in", 1, time()+3600);

 // Start hidden page

 header("Location: http://website.com/hidden.php");

}

}

 echo "Login Failed.";

This is the part that actually does the work. It looks threw the sets of user names and passwords. If a username and password set match what the user logged in with, the script will set the cookie in, and redirect to the secret page.
http://website.com/hidden.php needs to be changed to that page.
The cookie is set to last one hour although this can be changed by editing the time()+3600 which is how long the cookie will last in seconds.

If none of the passwords match the user will not be redirected and instead see the "login failed" message.

PHP Code:


// If you didnt log in show login form

} else { ?>

<div style="width:250px">

<div><strong>Simple Login</strong></div>

<div><form name="Login" method="post" action="<?=$_SERVER['PHP_SELF'];?>">

Username:

<input name="user" type="text" >

<br>

Password:

<input name="pass" type="password" >

<br>

<input type="submit" name="Submit" value="Submit">

</form>

</div></div>

<?php

}

?>

The last part of the script is quite simple, If the request method was not post, it will fall back to the else at the top. Which will then end php and output the login form. Before opening php again to close the brackets for the else.

<?=$_SERVER['PHP_SELF'];?> is used to get the files own location, <?=$var?> is a quick way of opening php to output data.

The Next php file is much simpler

PHP Code:


<?php

if($_COOKIE['in'] == "1"){}

else{

die("You are not authrised to view this page.");

}

?>

This is placed at the top of the page you want protected. It then checks to see if the user has the in cookie to say they are logged in. if they do not the page is stopped from loading at that point and the message "You are not authrised to view this page." is displayed.
This can be used on as many pages as you wish to hide what ever content you like.

The .htaccess file and the log.txt were all explained in part one and do not need any further breakdown.

Part 3 - The Extras
This is just to cover the parts missed out of the prior two sections.

Logout.

PHP Code:


<?php

 setcookie("in", 0, time()-3600);

 echo "You are logged out";

 ?>

This is just a simple script to log a user out, it works by setting the cookies expire date in to the past so it is removed by the browser. It then writes the message "You are logged out" to make sure the user knows what happened.

Flaws.
The main weakness to this method of pass wording is that it users a single cookie to remember whether you are logged in or not.
Because of this it would be quite easy for anyone whom wanted to gain access badly enough to simply forge the cookie.

Note.
This is NOT a user system, simply as pass wording method.

You have to manually add user names and passwords to the log file in this example, Passwords are NOT encrypted. The file is protected via the .htaccess file placed there.

Usernames and passwords must be stored as
Username||password||
The || at the end of password is required so the script doesn't include a newline as part of the users password.

Correctable (Forum Moderator) - Thread moved to Website Tutorials. Nice Tut

The Voice · 01-08-2006, 05:07 PM

Wow, that's very good. +rep. Very usefull, I've been looking latley for something like that. I will get straight to work on coding it for my site.

Splinter · 01-08-2006, 05:46 PM

yep nice tut etc but I would advise people to store the passwords encrypted otherwise the login could be infiltrated..

Mentor · 01-08-2006, 06:08 PM

Not realy an issue with this script since the passwords file is htaccess secured so can only be read server side, since the scripts admin has to manualy add and update the usernames and passwords they would have to know them anyway so theres no real problem.
Encriptions realy only nessary if you created a sign up system and allowed new members to register with there own passwords which they would most likly want to remain secure even from that sites administrator "/
But for the purposes of the simple script its unnecessary. The main flaw with this script is the one coverd at the ended with the easly forgeable cookie.