Hey, ik heb zojuist een script geïnstalleerd op mijn websites zodat gebruikers moeten inloggen om bepaalde pagina's te kunnen bezoeken. Dit gebeurt via een MySQL-database. Het aanmaken van accounts en inloggen gaat prima, alleen kunnen gebruikers de pagina maar één keer bezoeken: zodra ze naar een andere beveiligde pagina gaan (of dezelfde opnieuw openen) moeten ze weer inloggen. Waarom worden de ingelogde gebruikers niet onthouden?
login.php
protect.php
config.php
login.php
PHP:
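<div align="center" class="text"><?php
    // $error is set by protect.php (clearance()/protect()) before this file is included.
    // It is escaped on output so the message can never be interpreted as markup, even if
    // a later change puts request data into $error.
    if (isset($error)) {
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    }
?></div><br>
<!-- PHP_SELF reflects the request path (including any PATH_INFO the client appends),
     so it is escaped before being placed inside the action attribute. -->
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post" name="frmLogin">
<div align="center">
<table width="50%" border="0" cellpadding="2" cellspacing="0" class="border">
<tr class="text">
<td width="25%" align="right">Username:</td>
<td height="25" align="center"><input name="username" type="text" class="text" id="username" size="50"></td>
</tr>
<tr class="text">
<td align="right">Password:</td>
<td height="25" align="center"><input name="password" type="password" class="text" id="password" size="50"></td>
</tr>
<tr align="center">
<td height="25" colspan="2"><input name="Submit" type="submit" class="text" value="Login"></td>
</tr>
</table>
</div>
</form>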
protect.php
PHP:
<?php
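// The session must be started before the including page sends any output; if HTML
// has already been sent, the session cookie cannot be set and nothing is remembered
// between requests (protect() then shows the login form again on every page).
// The guard avoids the notice a second session_start() would raise when the
// including page already started one.
if (session_id() === '') {
    session_start();
}
// --------------------------------THE VARIABLES---------------------------------- //
// config.php defines $table, $username, $password, $userlevel, $path, $logout and
// opens $link. require (not @include) so a missing or unreadable config fails loudly
// instead of leaving every query below to run against undefined names.
// Assumes config.php sits in the same directory as protect.php — adjust if it does not.
require __DIR__ . '/config.php';
// ----------------------------------THE CODE ------------------------------------ //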
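function clearance ($user_value, $pass_value, $level_value, $userlevel_value, $table_value, $column1, $column2, $path) { // Function to see if user can login
    // Registers the session for a user whose submitted credentials match a row in
    // $table_value. The stored password may be plain text, an MD5 digest or a SHA1
    // digest; the three forms are tried in that order and the first match wins.
    //
    //   $user_value / $pass_value  submitted username and password (untrusted POST data)
    //   $level_value               array of allowed userlevels; empty/unset when levels are not used
    //   $userlevel_value           name of the userlevel column ('' when unused, as config.php allows)
    //   $table_value               name of the users table
    //   $column1 / $column2 / $path accepted for compatibility with the caller; not used here
    //
    // With an allow list: on a match with a permitted level the session receives
    // username, password digest and userlevel; otherwise nothing is registered and the
    // caller's protect() renders the login form. Without an allow list a failed attempt
    // renders login.php and exits here; a successful one registers the session.
    //
    // NOTE(review): plain/MD5/SHA1 storage is not a password hash; the table should be
    // migrated to password_hash()/password_verify() (PHP 5.5+). The mysql_* extension
    // is removed in PHP 7 — PDO prepared statements are the replacement for the
    // escaping done below.
    $safe_user = mysql_real_escape_string($user_value);
    // config.php allows $userlevel = '' when levels are not important; the original
    // query then became "SELECT  FROM ..." (a syntax error). Select a constant instead.
    $select = ($userlevel_value !== '') ? $userlevel_value : '1';
    $verify = 0;
    $check = false;
    foreach (array($pass_value, md5($pass_value), sha1($pass_value)) as $candidate) {
        $safe_pass = mysql_real_escape_string($candidate);
        $check = mysql_query("SELECT $select FROM $table_value WHERE username='$safe_user' AND password='$safe_pass'"); // Query to see if user exists
        if ($check === false) { // Query error (bad table/column name, lost connection): fail closed, but say why in the log
            error_log('clearance: query failed: ' . mysql_error());
            $verify = 0;
            break;
        }
        $verify = mysql_num_rows($check);
        if ($verify > 0) {
            break;
        }
    }
    // Only fetch a row when one exists; mysql_fetch_array() on an empty result returns false.
    $get = ($verify > 0) ? mysql_fetch_array($check) : false;
    $uses_levels = is_array($level_value) && count($level_value) != 0;
    if ($uses_levels) { // If the allow array contains userlevels
        // Loose in_array on purpose: the column comes back as a string ('1') while the
        // allow list typically holds ints; a strict comparison would never match.
        if ($verify > 0 && isset($get[$userlevel_value]) && in_array($get[$userlevel_value], $level_value)) {
            session_regenerate_id(true); // Fresh id on login so an id issued before authentication cannot be reused
            $_SESSION['username'] = $user_value; // Register sessions
            $_SESSION['password'] = sha1($pass_value); // Kept for pages that may read it; nothing in protect.php does
            $_SESSION['userlevel'] = $get[$userlevel_value];
        }
    } else {
        if ($verify == 0) { // If attempt fails then show the login page
            $_SESSION = array();
            $error = "Sorry but your login details were incorrect";
            include "login.php"; // $error is in scope for the included file
            exit;
        }
        session_regenerate_id(true); // see above
        $_SESSION['username'] = $user_value;
        $_SESSION['password'] = sha1($pass_value);
    }
}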
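function protect ($level_value, $password_value, $userlevel_value, $table_value, $column1, $path) { // Function to keep pages secure
    // Gate for a protected page: renders login.php and exits unless the session names
    // a user who still exists in $table_value and, when $level_value is a non-empty
    // array, has an allowed userlevel. Returns normally only for a permitted user.
    //
    //   $level_value      array of allowed userlevels; empty/unset when levels are not used
    //   $password_value   name of the password column (selected for compatibility; not compared here)
    //   $userlevel_value  name of the userlevel column ('' when unused)
    //   $table_value      name of the users table
    //   $column1          name of the username column
    //   $path             accepted for compatibility with the caller; not used here
    //
    // NOTE(review): if users are sent back to the login form on every page, the usual
    // causes are (a) session_start() running after the including page already sent
    // output, so $_SESSION is empty here, or (b) the query below failing, which this
    // function treats as "unknown user" and clears the session — check the error log.
    if (!isset($_SESSION['username'])) { // No session: show the login form, with an error if a login was just attempted
        if (isset($_POST['username']) && isset($_POST['password'])) {
            $error = "Sorry but your login details were incorrect";
        }
        $_SESSION = array();
        include "login.php";
        exit;
    }
    // Re-validate the session against the table on every request so a deleted or
    // downgraded account loses access immediately. The session username originates
    // from the login form, so it is escaped like any other request value.
    $safe_user = mysql_real_escape_string($_SESSION['username']);
    // '' for the userlevel column is allowed by config.php; omit it rather than emit "password, " (a syntax error).
    $select = $password_value . (($userlevel_value !== '') ? ", $userlevel_value" : '');
    $check = mysql_query("SELECT $select FROM $table_value WHERE $column1='$safe_user'"); // Query to see if user exists
    if ($check === false) {
        error_log('protect: query failed: ' . mysql_error());
    }
    $verify = ($check === false) ? 0 : mysql_num_rows($check);
    if ($verify == 0) { // Unknown user or failed query: fail closed
        $_SESSION = array();
        $error = "Sorry but your login details were incorrect";
        include "login.php";
        exit;
    }
    if (is_array($level_value) && count($level_value) != 0) {
        $get = mysql_fetch_array($check);
        // Loose in_array on purpose: the column is a string while the allow list may hold ints.
        if (!isset($get[$userlevel_value]) || !in_array($get[$userlevel_value], $level_value)) { // Check to see if the users userlevel allows them to view the page
            $error = "Sorry but your login details were incorrect";
            include "login.php";
            exit; // Ensure no other data is sent
        }
    }
}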
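// config.php as shown in this listing does not define $allow; default to "no level
// restriction" instead of passing an undefined variable (count(null) is a TypeError on
// PHP 8, and a notice on earlier versions).
$allow_levels = isset($allow) ? $allow : array();
if (isset($_POST['username']) && isset($_POST['password'])) { // A login form was submitted: validate it and register the session
    clearance($_POST['username'], $_POST['password'], $allow_levels, $userlevel, $table, $username, $password, $path);
}
protect($allow_levels, $password, $userlevel, $table, $username, $path); // Exits unless the session belongs to a permitted user
mysql_close($link); // Close the database connection for security reasons
// -----------------------------------THE END ------------------------------------ //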
?>
config.php
PHP:
<?php
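// Database and Server Values
// (database credentials were removed from the post: $host, $user, $pass and $database are defined here)
// Table Values
$table = 'users'; // The name of the database table where the username & password are
$username = 'username'; // The name of the username field in the table
$password = 'password'; // The name of the password field in the table
$userlevel = 'userlevel'; // The name of the userlevel field (leave blank (i.e. $userlevel = '') if it is not important)
//
// Paths
$path = "http://dimitri-korsakov.com/x-protection"; // Path to X-Protection folder on the server (e.g http://www.myhost.com/x-protection). Don't include the final slash
$logout = "http://dimitri-korsakov.com/index.php"; // Path to the webpage users go to when logged out
//
// Connect Information - No need to edit
// Both calls return false on failure. Ignoring that lets a wrong host or credential
// surface later as "login details were incorrect" on every page; stop here instead.
// The driver message goes to the error log only — it can contain host and user names,
// so it is not echoed to the client.
$link = mysql_connect($host, $user, $pass);
if ($link === false) {
    error_log('config.php: mysql_connect failed: ' . mysql_error());
    exit('Database connection failed');
}
if (!mysql_select_db($database, $link)) {
    error_log('config.php: mysql_select_db failed: ' . mysql_error($link));
    exit('Database selection failed');
}
//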
?>