Member Avatar for CarterLangley

Hi guys,

I really need some help here. I have been tasked to do a secure login system for the charities website. I have been looking on the web, and sure there are a multitude of examples out there. But my problem is the police, ambulance, NHS, etc are going to be logging in. So I need a system that is pretty damn secure and does not use cookies. The information that is going to be secured is personally identifiable information for members of the charity and this is making me extremly nervous. I have never used PHP before, so have absolutely no idea what I am doing and copying and pasting of code is probably going to leave me way open. So, if someone out there can please help me through this I would be extremly gratefull. I have no problem with giving you credit on the page/s involved. But I need some help here please! Joe public should not be able to register an account either, so I am going to need to be able to control who is applying for registration. I have also been informed that they don't want email activation links sent to them either!

  • 3 Contributors
  • 3 Replies
  • 232 Views
  • 2 Years Discussion Span
  • Latest Post Latest Post by MikeJones_1
Member Avatar for veedeoo

Hi,

Just for the sake of curiousity, why they don't want cookie? You can make cookie's lifetime until the session is unset. Before jumping into this project, make sure you have the general understanding in vulnerabilities of both and not having either one. Please read more about session fixiation, and how to implement session and cookie at the same time. You can read more about security here

Going back to the log in script, there are many of them out there, but I always recommend something that is still a barebone.. Why? Because, you want to see all the codes and able to view, analyze to make sure there is nothing malicious script inserted to steal some of your user's important data. Sometimes starter script is all we need to get going.

Copying and pasting is good at times, but only if you are just using it to use existing functions rather than writing it yourself.

Here is a very simple login script , you can start with this script and you build on it. I strongly suggests to use smarty templating system for this. This will add a little protection too.

I was thinking of recommending Ignitier or Cake, but the learning process is pretty lengthy.

I will attempt to help you with the smarty templating conversion of your final script, BUT not until I am finished with my project. I was asked to write video class script for google/Youtube API based on the latest PHP version, so I am pretty busy right now.

I will watch this thread.. to see your improvements, and we will just do the corrections as the project progresses..

Edited by veedeoo because: more info added
Member Avatar for CarterLangley

OK, got a login system working for now. Just need to look at putting in some kind of verification in the database that will give me different levels so if someone logs in and they have a level of 1 they will go to a certain page, a level of 2 they will go to another page. But for now accounts can be created and people can login. I presume that if I want, I can use the session to see what level people are and then redirect them to the correct page once they have been authenticated. Or something similar.

Here is the code that logs them in.

<?php
}
else
{
  $user = protect($_POST['username']);
  $pass = protect($_POST['password']);

if($user && $pass)
{
$pass = md5($pass); //compare the encrypted password
$sql="SELECT id,username FROM `users` WHERE `username`='$user' AND `password`='$pass'";
$query=mysql_query($sql) or die(mysql_error());

    if(mysql_num_rows($query) == 1)
    {
      $row = mysql_fetch_assoc($query); // mysql_fetch_assoc gets the value for each field in the row
      $_SESSION['id'] = $row['id']; //creates the first session var
      $_SESSION['username'] = $row['username']; // second session var

      echo "<script type=\"text/javascript\">window.location=\"admin.php\"</script>";
    }
    else
   {
    echo "<script type=\"text/javascript\">
    alert(\"Username and password combination is incorrect!\");
    window.location=\"login.php\"</script>";
    }   
}
else
{           
    echo "<script type=\"text/javascript\">
    alert(\"You need to gimme a username AND password!!\");
    window.location=\"login.php\"</script>";
}
}
?>

Where the session var's are created, can I put a third one in there and then based on that redirect to a certain page?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.