Users don't stay logged in!

Status: Not open for further replies.

Stinuz (Returning user; joined 14 Jun 2003; 1,245 posts)
Hey, I just installed a script on my websites so that users have to log in to visit certain pages. This works via a MySQL database. Creating accounts and logging in works fine, but users can visit a page once, and when they then go to another protected page (or the same one) they have to log in again. Why aren't the logged-in users remembered?

login.php
PHP:
<div align="center" class="text"><?php if (isset ($error)) { echo $error; } ?></div><br>
<form action="<?= $_SERVER['PHP_SELF']; ?>" method="post" name="frmLogin">
<div align="center">
<table width="50%"  border="0" cellpadding="2" cellspacing="0" class="border">
    <tr class="text">
    	<td width="25%" align="right">Username:</td>
   	    <td height="25" align="center"><input name="username" type="text" class="text" id="username" size="50"></td>
    </tr>
    <tr class="text">
    	<td align="right">Password:</td>
   	    <td height="25" align="center"><input name="password" type="password" class="text" id="password" size="50"></td>
    </tr>
    <tr align="center">
		<td height="25" colspan="2"><input name="Submit" type="submit" class="text" value="Login"></td>
	</tr>
</table>
</div>
</form>

protect.php
PHP:
<?php

session_start ();

// --------------------------------THE VARIABLES---------------------------------- //

@include ("config.php");

// ----------------------------------THE CODE ------------------------------------ //

function clearance ($user_value, $pass_value, $level_value, $userlevel_value, $table_value, $column1, $column2, $path) { // Function to see if user can login
	
	$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE username='$user_value' AND password='$pass_value'"); // Query to see if user exists
	
	$verify = mysql_num_rows ($check);
	
	if ($verify == 0) { // Check if passwords are hashed with MD5
	
		$md5 = md5 ($pass_value);
	
		$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE username='$user_value' AND password='$md5'"); // Query to see if user exists
	
		$verify = mysql_num_rows ($check);
		
	}
	
	if ($verify == 0) { // Check if passwords are hashed with SHA1
	
		$sha1 = sha1 ($pass_value);
	
		$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE username='$user_value' AND password='$sha1'"); // Query to see if user exists
	
		$verify = mysql_num_rows ($check);
		
	}
	
	$get = mysql_fetch_array ($check);
	
	if (count ($level_value) != 0) { // If the allow array contains userlevels
		
		if (in_array ($get[$userlevel_value], $level_value) && $verify > 0) { // Search allow to see if userlevels match
			
			$_SESSION['username'] = $user_value; // Register sessions
			$_SESSION['password'] = sha1 ($pass_value); // sha1 password for extra security
			$_SESSION['userlevel'] = $get[$userlevel_value];
				
		}
		
	} else {
	
		if ($verify == 0) { // If attempt fails then redirect to login page
	
			$_SESSION = array();
			
			$error = "Sorry but your login details were incorrect";
			
			@include ("login.php");
			
			exit;
		
		}
		
		if ($verify > 0) { // If attempt is good then register the user
	
			$_SESSION['username'] = $user_value;
			$_SESSION['password'] = sha1 ($pass_value);
		
		}
		
	}
	
}

function protect ($level_value, $password_value, $userlevel_value, $table_value, $column1, $path) { // Function to keep pages secure

	if (!isset ($_SESSION['username'])) { // If session doesn't exist then get user to login
	
		if (isset ($_POST['username']) && isset ($_POST['password'])) {
		
			$error = "Sorry but your login details were incorrect";
		
		}
		
		$_SESSION = array();
		
		@include ("login.php");
		
		exit;
		
	} else { // If user is logged in check to see if session is valid and that they have the required userlevel
	
		$check = mysql_query ("SELECT $password_value, $userlevel_value FROM $table_value WHERE $column1='$_SESSION[username]'"); // Query to see if user exists
		
		$verify = mysql_num_rows ($check);
		
		$get = mysql_fetch_array ($check);
		
		if ($verify == 0) {
		
			$_SESSION = array();
				
			$error = "Sorry but your login details were incorrect";
				
			@include ("login.php");
				
			exit;
			
		}
		
		if ($verify > 0 && count ($level_value) != 0) {
				
			if (!in_array ($get[$userlevel_value], $level_value)) { // Check to see if the users userlevel allows them to view the page
				
				$error = "Sorry but your login details were incorrect";
					
				@include ("login.php");
					
				exit; // Ensure no other data is sent
				
			}
				
		}	
	
	}
	
}

if (isset ($_POST['username']) && isset ($_POST['password'])) { // If user submits login information then validate it

	clearance ($_POST['username'], $_POST['password'], $allow, $userlevel, $table, $username, $password, $path);
	
}

protect ($allow, $password, $userlevel, $table, $username, $path);

mysql_close ($link); // Close the database connection for security reasons

// -----------------------------------THE END ------------------------------------ //

?>

config.php
PHP:
<?php

// Database and Server Values
// My database details go here

// Table Values
$table = 'users'; // The name of the database table where the username & password are
$username = 'username'; // The name of the username field in the table
$password = 'password'; // The name of the password field in the table
$userlevel = 'userlevel'; // The name of the userlevel field (leave blank (i.e. $userlevel = '') if it is not important
//

// Paths
$path = "http://dimitri-korsakov.com/x-protection"; // Path to X-Protection folder on the server (e.g http://www.myhost.com/x-protection). Don't include the final slash
$logout = "http://dimitri-korsakov.com/index.php"; // Path to the webpage users go to when logged out
//

// Connect Information - No need to edit
$link = mysql_connect ($host, $user, $pass);
mysql_select_db ($database);
//

?>
 
Is this from a tutorial, or did you download it ready-made? Wasn't there a readme file included?
 
Downloaded -> read the readme -> modified -> uploaded.

The readme said nothing about this problem :confused:
 
Would you post the readme here? Perhaps it does contain relevant information.
 
X - PROTECTION 1.10 by X-Scripts
______________________________________________

TESTED OFFLINE ON: PHP 4.3.9 & MySQL 4.0.13
TESTED ONLINE ON: PHP 4.3.2 & MySQL 3.23.57
______________________________________________

Version 1.10: Fixed X-Install flaws.

Version 1.00: I decided my next script would be an authentication one so that many of you
can protect the admin areas which come with my scripts. Before I wrote X-Protection I
knew the kind of features that would be needed by many of you and I hope this fulfils
them all.

I have gone beyond what I normally would do with scripts. I have spent a long time
researching algorithms and encryption and I am pretty sure this script is secure. I had a
little play with SQL-Injection but I don't know all that much about it. If anyone else
could try it some time I would be grateful.

I WOULD REALLY APPRECIATE YOU TO TRY AND FIND SECURITY FAULTS WITH THE SCRIPT. BOMBARD IT
WITH EVERYTHING TO SEE HOW SECURE IT REALLY IS. I EXPECT A FEW REVISIONS BEFORE YOU CAN ALL
AGREE IT TOTALLY IS SECURE AS A PHP SCRIPT CAN GET.

Security Note
______________________________________________

It's all well and good having a secure authentication script but you also need to ensure
that stored passwords are secured. X-Protection makes extensive use of the sha1 function
to hash passwords stored in a database. The hashed password is written into the session
instead of the database one.

I recommend that you do not store user passwords plainly in the database but encrypt/hash
them. While this may not entirely prevent an attacker from obtaining the password it
certainly makes it more difficult.

One of the bad ideas people have is hashing a hash, e.g.:

md5 (md5 ($str)); or sha1 (md5 ($str)); or sha1 (sha1 ($str));

On the face of it, it seems a good idea however in reality you're increasing the chance of a
collision, which would dramatically reduce the security. Therefore in config.php is a
variable, $useencryption. Only set this to 1 if passwords stored in your database aren't
hashed or encrypted, otherwise collisions may occur. If they are, then set it to 0.

The main reason for using the sha1 function is because collisions aren't quite as bad as
md5's and also because, when I wrote the script it hadn't been broken. However I have read
a recent article (dated 15th February 2005) that claims sha1 has been broken, as of yet I
believe this is yet to be confirmed.

Also employed throughout the script is the use of '@' before the include function. This
hides error messages generated by the function so potentially stops an attacker from
finding out information about the source code. While these are only little things, if they
are ignored then they all help an attacker.

The script uses sessions where the username, encrypted password and userlevel are stored.
Cookies weren't used since they compromise security greatly since attackers can easily
get to them. With sessions, they are stored on the server and expire when the user closes
his/her browser or after the time specified by php.ini on the server.

Often insecure scripts come from insecure data handling so make sure you do your bit.

Why choose this?
______________________________________________

The script, while being secure, has highly useful features that are required for anyone:

* Userlevels allow you to control what type of user has access to your pages.
* Encryption using sha1 keeps passwords safe and secure.
* Sessions ensure that users don't have to keep logging in.
* Can be used with existing MySQL databases.
* The script has been made with security a high priority.
* A fully customisable single login page.

Install
______________________________________________

1. Open and edit config.php (instructions included with file).

2. Upload all your files to your required webserver.

3. The script makes use of userlevels. For those of you who don't know what a userlevel is,
they are numbers which link users together. For example users with a userlevel of 1 might
all be administrators of the website whereas users with a level of 3 might be members of
the site. Obviously there would be parts of the site where only administrators could visit.

To start protecting files include the following at the top of your page:

For any user to access a page:
<?php $allow = array ();include ("protect.php"); ?>

For users with a userlevel of 3 to access the page:
<?php $allow = array ('3');include ("protect.php"); ?>

For users with a userlevel of 4 to access the page:
<?php $allow = array ('4');include ("protect.php"); ?>

For users with a userlevel of 3 or 4 to access the page:
<?php $allow = array ('3', '4');include ("protect.php"); ?>

For users with a userlevel of 1, 2, 3, 5 to access the page:
<?php $allow = array ('1', '2', '3', '5');include ("protect.php"); ?>

4. Included with X-Protection is an examples folder. This is a mini site which is protected
by passwords and userlevels. Instructions are provided with it but to set it up:

1. Edit $host, $user, $pass and $database as the instructions in the file say
to do so.

2. Open examples/install/install.php to setup the database. You will then be taken
to the mini site.

Contact Us
______________________________________________

As always please tell us what you think. Good or bad, your opinions shape the way we
produce scripts. Email us at xscripts@f2s.com with X-Protection in the subject line.

Copyright
______________________________________________

All scripts copyright of X-Scripts 2003 - 2005. If you edit my scripts please credit me;
after all it was my hard work in the first place. Also please review me at hotscripts.com
so other users can see my work - http://www.hotscripts.com/Detailed/44885.html?RID=388
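Added example, not part of X-Protection or of this thread: the same page-protection contract as protect.php (an $allow array of userlevels, included at the top of a page) written so that user input never reaches the SQL string, the password check uses password_verify(), and the session holds only the user id and userlevel. It assumes a users table with columns id, username, password (as produced by password_hash()) and userlevel, PDO with placeholder credentials, and PHP 5.5 or newer.

```php
<?php
// Added example, not X-Protection's code: a hardened stand-in for protect.php.
// Assumptions (placeholders): a "users" table with columns id, username,
// password (a password_hash() string) and userlevel; PHP >= 5.5 with PDO.
session_start();

function db() {
    static $pdo = null;
    if ($pdo === null) {
        // DSN and credentials are placeholders; keep them in a config file outside the web root
        $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                       'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
                       array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    }
    return $pdo;
}

// Check a username/password pair with a prepared statement (no string
// concatenation into SQL) and password_verify(). On success the session id is
// rotated and only the user id and userlevel are stored, never the password.
function login($username, $password) {
    $stmt = db()->prepare('SELECT id, password, userlevel FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown so that the
    // response time does not reveal which usernames exist
    $hash = $row ? $row['password'] : password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // a fresh id on login prevents session fixation
    $_SESSION['uid'] = (int) $row['id'];
    $_SESSION['userlevel'] = (string) $row['userlevel'];
    return true;
}

// Same contract as X-Protection's $allow array: an empty array admits any
// logged-in user, otherwise the session's userlevel must be listed in it.
function protect(array $allow) {
    if (isset($_POST['username'], $_POST['password'])) {
        login($_POST['username'], $_POST['password']);
    }
    if (!isset($_SESSION['uid'])) {
        $error = 'Please log in';
        include 'login.php';                // the page's own form; $error is echoed there
        exit;
    }
    if ($allow && !in_array($_SESSION['userlevel'], $allow, true)) {
        http_response_code(403);            // logged in but wrong userlevel: deny, do not re-prompt
        exit('Forbidden');
    }
}

protect(isset($allow) ? $allow : array());
```

Rows that still hold md5/sha1 hashes must be rehashed with password_hash() before this check will accept them. If sessions still vanish between pages, confirm that session_start() runs before any output and that the directory returned by session_save_path() is writable by the web server, since either breaks persistence regardless of the script.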
 
From what I read, you have to put this code at the top of every page you want protected:

PHP:
//In the array you put the userlevel that has access

//This one is visible to everyone
<?php $allow = array ();include ("protect.php"); ?>
//This one only for members with userlevel 3
<?php $allow = array ('3');include ("protect.php"); ?>

//This one for members with userlevel 3 or 4
<?php $allow = array ('3', '4');include ("protect.php"); ?>

Besides that, there is something with a folder that I don't entirely understand. You have to assign $path, and I think the files have to be in that folder. So if you create a folder http://www.site.nl/beveiligd, put the files with the above code at the start in it, and set $path to
PHP:
$path = "http://www.site.nl/beveiligd";
then they are protected...
 
I did everything that is in the readme correctly, I'm sure of that.

An ''example minisite'' came with the script, which I also installed to test everything.. try it yourself:

http://dimitri-korsakov.com/examples/

config.php for this minisite
PHP:
<?php

// Database and Server Values
$host = 'localhost'; // Name of server you are on (e.g. localhost)
$user = 'crankyslap_xpro'; // Your Server Username	
$pass = 'xpro'; // Your Server Password
$db = 'crankyslap_xpro'; // Database to be created or name of existing database (Please note: Database containing dashes cannot be created)

// Table Values
$table = 'users'; // The name of the table where the username & password are
$username = 'username'; // The name of the username field
$password = 'password'; // The name of the password field
$userlevel = 'userlevel'; // The name of the userlevel field (if no field exists just create one & leave it blank)
//

// Paths
$path = "http://dimitri-korsakov.com/examples"; // Path to X-Protection folder on the server (e.g http://www.myhost.com/x-protection). Don't include the final slash
$logout = "http://dimitri-korsakov.com/examples/index.php"; // Path to the webpage users go to when logged out
//

// Connect Information - No need to edit
$link = mysql_connect ($host, $user, $pass);
mysql_select_db ($db);
//

?>
 
I tested it locally and it does work for me...

index.php (created for testing; in principle you can create any page with the same content)
PHP:
<?php $allow = array ('3');include ("protect.php"); ?> 

blablablablalbalblablbal success
config.php
PHP:
<?php

// Database and Server Values
$host = 'localhost'; // Name of server you are on (e.g. localhost)
$user = 'root'; // Your Server Username	
$pass = ''; // Your Server Password
$database = 'protected'; // Database Name where the user details are

// Table Values
$table = 'users'; // The name of the database table where the username & password are
$username = 'username'; // The name of the username field in the table
$password = 'password'; // The name of the password field in the table
$userlevel = 'userlevel'; // The name of the userlevel field (leave blank (i.e. $userlevel = '') if it is not important
//

// Paths
$path = "http://localhost:8080/beveiligd"; // Path to X-Protection folder on the server (e.g http://www.myhost.com/x-protection). Don't include the final slash
$logout = "http://localhost:8080/beveiligd/index.php"; // Path to the webpage users go to when logged out
//

// Connect Information - No need to edit
$link = mysql_connect ($host, $user, $pass);
mysql_select_db ($database);
//
?>
protect.php
PHP:
<?php

session_start ();

// --------------------------------THE VARIABLES---------------------------------- //

@include ("config.php");

// ----------------------------------THE CODE ------------------------------------ //

function clearance ($user_value, $pass_value, $level_value, $userlevel_value, $table_value, $column1, $column2, $path) { // Function to see if user can login
	
	$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE $column1='$user_value' AND $column2='$pass_value'"); // Query to see if user exists
	
	$verify = mysql_num_rows ($check);
	
	if ($verify == 0) { // Check if passwords are hashed with MD5
	
		$md5 = md5 ($pass_value);
	
		$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE $column1='$user_value' AND $column2='$md5'"); // Query to see if user exists
	
		$verify = mysql_num_rows ($check);
		
	}
	
	if ($verify == 0) { // Check if passwords are hashed with SHA1
	
		$sha1 = sha1 ($pass_value);
	
		$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE $column1='$user_value' AND $column2='$sha1'"); // Query to see if user exists
	
		$verify = mysql_num_rows ($check);
		
	}
	
	$get = mysql_fetch_array ($check);
	
	if (count ($level_value) != 0) { // If the allow array contains userlevels
		
		if (in_array ($get[$userlevel_value], $level_value) && $verify > 0) { // Search allow to see if userlevels match
			
			$_SESSION['username'] = $user_value; // Register sessions
			$_SESSION['password'] = sha1 ($pass_value); // sha1 password for extra security
			$_SESSION['userlevel'] = $get[$userlevel_value];
				
		}
		
	} else {
	
		if ($verify == 0) { // If attempt fails then redirect to login page
	
			$_SESSION = array();
			
			$error = "Sorry but your login details were incorrect";
			
			@include ("login.php");
			
			exit;
		
		}
		
		if ($verify > 0) { // If attempt is good then register the user
	
			$_SESSION['username'] = $user_value;
			$_SESSION['password'] = sha1 ($pass_value);
		
		}
		
	}
	
}

function protect ($level_value, $password_value, $userlevel_value, $table_value, $column1, $path) { // Function to keep pages secure

	if (!isset ($_SESSION['username'])) { // If session doesn't exist then get user to login
	
		if (isset ($_POST['username']) && isset ($_POST['password'])) {
		
			$error = "Sorry but your login details were incorrect";
		
		}
		
		$_SESSION = array();
		
		@include ("login.php");
		
		exit;
		
	} else { // If user is logged in check to see if session is valid and that they have the required userlevel
	
		$check = mysql_query ("SELECT $password_value, $userlevel_value FROM $table_value WHERE $column1='$_SESSION[username]'"); // Query to see if user exists
		
		$verify = mysql_num_rows ($check);
		
		$get = mysql_fetch_array ($check);
		
		if ($verify == 0) {
		
			$_SESSION = array();
				
			$error = "Sorry but your login details were incorrect";
				
			@include ("login.php");
				
			exit;
			
		}
		
		if ($verify > 0 && count ($level_value) != 0) {
				
			if (!in_array ($get[$userlevel_value], $level_value)) { // Check to see if the users userlevel allows them to view the page
				
				$error = "Sorry but your login details were incorrect";
					
				@include ("login.php");
					
				exit; // Ensure no other data is sent
				
			}
				
		}	
	
	}
	
}

if (isset ($_POST['username']) && isset ($_POST['password'])) { // If user submits login information then validate it

	clearance ($_POST['username'], $_POST['password'], $allow, $userlevel, $table, $username, $password, $path);
	
}

protect ($allow, $password, $userlevel, $table, $username, $path);

mysql_close ($link); // Close the database connection for security reasons

// -----------------------------------THE END ------------------------------------ //

?>
 
Then it is probably a setting on your webserver :(

You can know for sure by running a webserver locally and installing the script on it. I myself quickly start USB webserver, which has all the functions I need (so also PHPMyAdmin :) )
 
Seems a bit odd to me, since phpbb forums do simply remember users, but okay.. I'll try that local server with XAMPP, and if that doesn't work I'll look at what I'm doing wrong...
 
It is indeed the server, because locally it does work :(

Maybe try a different script then...

EDIT: I'm now using a different script that does work :D
 