Had this coded for me by one of my programmers, thought it might come in handy for some of you guys! This code may only be used for personal sites, you may not sell this code or edit in any way! If you want to use it for commercial purposes, please send me a PM. Will only cost you $5!
login.php
PHP Code:
<?php
// Sample Login Script
// AuthClass Suite
// Sam Granger
include ('./authclass.php');
$ac = new AuthClass();
if (isset($_POST['loginButton'])) {
    // Do not run htmlspecialchars() over the credentials before checking them:
    // it rewrites & < > and " so a username or password containing them would
    // never match the stored value. HTML escaping belongs at output time, and
    // AuthClass escapes for the database itself.
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $auth_result = $ac->authenticate($username,$password);
    if ($auth_result) {
        header('Location: securepage.php');
        exit;
    } else {
        echo "Invalid Login";
    }
}
?>
<html>
<title>Login Form</title>
<body style='font-family: Verdana;font-size: 11px;'>
<form name=authform id=authform action='login.php' method='post'>
Username: <input type=text size=20 name=username /><br>
Password: <input type=password size=20 name=password /><br>
<input type=submit name=loginButton id=loginButton value='Login'/>
</form>
</body>
</html>
securepage.php
PHP Code:
<?php
// Sample Secure Page
// AuthClass Suite
// Sam Granger
include ('./authclass.php');
$ac = new AuthClass();
if (!$ac->verify()) {
echo "Unauthorized Login Detected";
exit;
}
?>
<html>
<title>Secure Area</title>
<body style='font-family: Verdana;font-size: 11px;'>
<h1>Secure Area</h1><br>
If you see this. You are authorized.<br><br>
Logged in: <b>
<?php
// the username was HTML-escaped by AuthClass::setSession() before being stored,
// so it is safe to echo here as-is
echo $_SESSION['username'];
?></b><br>
</body>
</html>
authclass.php
PHP Code:
<?php
// AuthClass
// Syed Imran Moinuddin
// Created for Sam Granger
// Please review AUTH_INSTALL and AUTH_NOTES before usage
// Description: The purpose of this class is to provide a secure authenticated mechanism for login and login verification
// Recommended usage is as is done in the sample code provided (login.php , securepage.php)
// By Syed Imran Moinuddin
//
// Note: this class uses the legacy mysql_* extension (removed in PHP 7); it is
// kept as posted, with every value that reaches SQL escaped for the connection.
include ('./includes/db_settings.php');
class AuthClass {
    var $db_link;
    var $failed = true;
    var $id = null;
    //default constructor
    function __construct() {
        global $DB_SERVER,$DB_USER,$DB_PWD,$DB_NAME;
        // start the session exactly once; every method below relies on it
        $this->startSession();
        //try to connect to the server and save db object
        $this->db_link = mysql_connect($DB_SERVER,$DB_USER,$DB_PWD) or die("Auth Subsystem Error");
        //try to select the database;
        mysql_select_db($DB_NAME, $this->db_link) or die ("Auth Subsystem Error");
        // only set defaults if this session has not been initialised before.
        if (!isset($_SESSION['logged'])) {
            $this->session_defaults();
        }
    }
    function startSession() {
        // session_start() may only be called once per request
        if (session_id() === '') {
            session_start();
        }
    }
    function session_defaults() {
        $_SESSION['logged'] = false;
        $_SESSION['uid'] = 0;
        $_SESSION['username'] = '';
    }
    function checkLogin($username,$password) {
        // mysql_escape_string() is deprecated; escape using the connection's charset
        $username = mysql_real_escape_string($username,$this->db_link);
        // the schema stores unsalted md5() output (hex only, so no escaping needed).
        // Unsalted MD5 is fast to brute-force; a salted slow hash such as
        // password_hash() should be used in new code.
        $password = md5($password);
        $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
        $result = mysql_query($sql,$this->db_link) or die("Auth Subsystem Error");
        if ( mysql_num_rows($result) > 0 ) {
            $match = mysql_fetch_array($result,MYSQL_BOTH);
            $this->failed = false;
            $this->setSession($match);
            return true;
        } else {
            $this->failed = true;
            return false;
        }
    }
    function setSession($match, $init = true) {
        if ($init) {
            // issue a fresh session id at login so an id chosen or learned by an
            // attacker before authentication (session fixation) is never promoted
            // to an authenticated session
            session_regenerate_id(true);
        }
        $id = (int) $match['id'];
        $this->id = $id;
        $_SESSION['uid'] = $id;
        // stored HTML-escaped because securepage.php echoes it directly
        $_SESSION['username'] = htmlspecialchars($match['username']);
        $_SESSION['logged'] = true;
        if ($init) {
            $session = mysql_real_escape_string(session_id(),$this->db_link);
            $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR'],$this->db_link);
            $sql = "UPDATE users SET session = '$session', ip = '$ip' WHERE id = $id";
            mysql_query($sql,$this->db_link) or die("Auth Subsystem Error");
        }
    }
    function checkSession() {
        if (empty($_SESSION['logged']) || empty($_SESSION['uid'])) {
            $this->session_defaults();
            return false;
        }
        // look the user up by numeric id: the session's copy of the username is
        // HTML-escaped and would not match names containing & < > or "
        $id = (int) $_SESSION['uid'];
        $session = mysql_real_escape_string(session_id(),$this->db_link);
        $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR'],$this->db_link);
        // the session id must match the one recorded at login and the request must
        // come from the same address; binding to REMOTE_ADDR logs out users whose
        // address changes (mobile networks, proxy pools)
        $sql = "SELECT id FROM users WHERE (id = $id) AND (session = '$session') AND (ip = '$ip')";
        $result = mysql_query($sql,$this->db_link) or die("Auth Subsystem Error");
        if (mysql_num_rows($result) > 0 ) {
            return true;
        } else {
            $this->session_defaults();
            return false;
        }
    }
    // Public function: authenticate
    // Arguments: Username, Password [string]
    // Description: Perform the actual authentication at the time of login.
    function authenticate($username,$password) {
        $ret = $this->checkLogin($username,$password);
        if (!$ret) {
            $_SESSION = array();
            $this->session_defaults();
        }
        return $ret;
    }
    // Public function: verify
    // Arguments: Void
    // Description: Ensure that a valid authenticated session is in process. To be called to check on all secure pages. recommended to place in include.
    function verify() {
        $ret = $this->checkSession();
        return $ret;
    }
    function logout() {
        // clear the server-side record so the old session id can no longer verify()
        if (!empty($_SESSION['uid'])) {
            $id = (int) $_SESSION['uid'];
            mysql_query("UPDATE users SET session = '', ip = '' WHERE id = $id",$this->db_link);
        }
        $_SESSION = array();
        $this->session_defaults();
        session_regenerate_id(true);
    }
}
?>
includes/db_settings.php
PHP Code:
<?php
// Please update with your current settings.
// Use a dedicated MySQL account with only the SELECT/UPDATE rights AuthClass needs
// on the users table, not root: the login page is the most exposed code on the site.
$DB_SERVER = "localhost";
$DB_USER = "root";
$DB_PWD = "abcd";
$DB_NAME = "test";
?>
SQL
Code:
CREATE TABLE users (
  id int NOT NULL auto_increment,
  username varchar(20) NOT NULL default '',
  -- 32 hex chars: unsalted md5() output, which AuthClass::checkLogin() compares against
  password char(32) binary NOT NULL default '',
  -- session id recorded at login; verify() requires it to equal the browser's current id.
  -- 128 chars so a configuration with a longer session.hash_function / sid_length is not truncated
  session varchar(128) binary NOT NULL default '',
  -- 45 chars so an IPv6 REMOTE_ADDR fits; varchar(15) silently truncates it and verify() then always fails
  ip varchar(45) binary NOT NULL default '',
  PRIMARY KEY (id),
  UNIQUE KEY username (username)
);
-- test account referred to by the install notes
INSERT INTO `users` (username,password) values ('username1',md5('password1'));
Install:
Authentication Class - AuthClass
Syed Imran Moinuddin
23rd September 2006
=================================
Installation and Deployment Notes
Follow these steps to deploy on the server:
-> Open the authtable.sql file in the sql/ subdirectory and ensure that the commands are executed in the database which will host the users' login/member details. Optionally this may be done at the command line with:
mysql -u <your_mysql_user> -p <your_mysql_db> < authtable.sql
-> Open db_settings.php in the includes/ subdirectory and modify the database settings to match the MySQL server of the deployment
-> Place all the files (excluding the sql/ subdirectory) into a browser-accessible folder (as per your web server deployment)
-> In your browser enter the URL:
http://yourserver/pathtoauthfiles/login.php
-> Enter the username and password of the test row created by authtable.sql (username1 / password1 in the SQL above) and click Login
-> If you see "Secure Area" your installation is a success.
Developer's note: For maximum security, use AuthClass in the manner shown in the provided sample code login.php and securepage.php
Notes:
Authentication Class - AuthClass
Syed Imran Moinuddin
23rd September 2006
=================================
General Notes
-> All passwords in the DB must be stored as MD5 hashes.
-> The AuthClass object offers two key functions (not including internal functions):
- authenticate($username,$password)
The function accepts the username and password as provided by the user and then compares the MD5 hash of the
supplied password with the hashed password stored in the database.
- verify()
The function checks the browser session against the active sessions recorded in the database and returns a boolean to
the caller indicating the validity of the session. verify() can be called at the top of every page which requires security. It is
better to place it in a consistently present include to avoid code repetition.
- logout()
This destroys the session variables associated with the existing login and should be triggered when the user clicks
a logout button.
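The authenticate / verify / logout flow described in the notes, rebuilt the way it would be written today. This is an added example and not part of the posted AuthClass package: it replaces mysql_* string building with PDO prepared statements, unsalted md5() with password_hash()/password_verify(), and adds session_regenerate_id() at login. The class name SafeAuth, the addUser() helper and the in-memory SQLite database are assumptions made so the script runs stand-alone (PHP 5.5 or later with the PDO and SQLite extensions); the table is the posted schema with a 255-character password column for bcrypt output and a 45-character ip column for IPv6. Point the DSN at MySQL for a real deployment.

```php
<?php
// Added example (not the posted AuthClass code): PDO prepared statements,
// password_hash()/password_verify(), session_regenerate_id() at login.
// Assumes PHP >= 5.5 with PDO + SQLite; SQLite in memory is only so this
// runs stand-alone, use a MySQL DSN in deployment. Columns widened to
// 255 (bcrypt hash) and 45 (IPv6 address) compared with the posted schema.
class SafeAuth
{
    private $db;
    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        if (session_status() === PHP_SESSION_NONE) { session_start(); }
        if (!isset($_SESSION['logged'])) { $this->sessionDefaults(); }
    }
    private function sessionDefaults()
    {
        $_SESSION['logged'] = false;
        $_SESSION['uid'] = 0;
        $_SESSION['username'] = '';
    }
    // Salted, deliberately slow hash in place of the posted unsalted md5().
    public function addUser($username, $password)
    {
        $stmt = $this->db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
        $stmt->execute(array(':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)));
    }
    public function authenticate($username, $password)
    {
        // Bound parameter: quotes in the username are data, never SQL syntax.
        $stmt = $this->db->prepare('SELECT id, username, password FROM users WHERE username = :u');
        $stmt->execute(array(':u' => $username));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($password, $row['password'])) {
            $_SESSION = array();
            $this->sessionDefaults();
            return false;
        }
        // A new session id at login defeats session fixation; then record the
        // id and client address server-side exactly as the posted class does.
        session_regenerate_id(true);
        $_SESSION['logged'] = true;
        $_SESSION['uid'] = (int) $row['id'];
        $_SESSION['username'] = $row['username'];  // stored raw: escape when printing
        $upd = $this->db->prepare('UPDATE users SET session = :s, ip = :ip WHERE id = :id');
        $upd->execute(array(':s' => session_id(), ':ip' => $_SERVER['REMOTE_ADDR'], ':id' => $_SESSION['uid']));
        return true;
    }
    public function verify()
    {
        if (empty($_SESSION['logged']) || empty($_SESSION['uid'])) { return false; }
        // Lookup by numeric id. Binding to the client address (as the original
        // does) logs out anyone whose address changes, e.g. mobile or proxy users.
        $stmt = $this->db->prepare('SELECT 1 FROM users WHERE id = :id AND session = :s AND ip = :ip');
        $stmt->execute(array(':id' => (int) $_SESSION['uid'], ':s' => session_id(), ':ip' => $_SERVER['REMOTE_ADDR']));
        if ($stmt->fetchColumn() === false) {
            $this->sessionDefaults();
            return false;
        }
        return true;
    }
    public function logout()
    {
        if (!empty($_SESSION['uid'])) {  // clear the server-side record so the old cookie cannot verify()
            $stmt = $this->db->prepare("UPDATE users SET session = '', ip = '' WHERE id = :id");
            $stmt->execute(array(':id' => (int) $_SESSION['uid']));
        }
        $_SESSION = array();
        $this->sessionDefaults();
        session_regenerate_id(true);
    }
}

// Stand-alone run against an in-memory SQLite database with constructed data.
ini_set('session.save_path', sys_get_temp_dir());
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username VARCHAR(20) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL, session VARCHAR(128) NOT NULL DEFAULT '', ip VARCHAR(45) NOT NULL DEFAULT '')");
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';      // constructed client address
$auth = new SafeAuth($db);
$auth->addUser('username1', 'pa&ss<w>ord1');  // characters htmlspecialchars() would have mangled
$results = array(
    'injection attempt' => $auth->authenticate("username1' OR '1'='1", 'x'),  // false
    'wrong password'    => $auth->authenticate('username1', 'wrong'),         // false
    'correct login'     => $auth->authenticate('username1', 'pa&ss<w>ord1'),  // true
    'verify, same ip'   => $auth->verify(),                                   // true
);
$_SERVER['REMOTE_ADDR'] = '198.51.100.9';     // client address changes mid-session
$results['verify, new ip'] = $auth->verify(); // false: the IP-bound session is dropped
$auth->logout();
print_r($results);  // nothing is printed earlier, so session_regenerate_id() could still send headers
```

The last two results show the trade-off the posted class makes by storing REMOTE_ADDR: a stolen cookie replayed from another address fails verify(), but so does a legitimate user whose address changes. If that is too aggressive for your users, drop the ip column from the verify() query and keep the session id check, which is what session_regenerate_id() at login protects.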
Enjoy!!