Old 03-02-2006, 09:09 AM   #1
Kon-Tiki
[BANNED]

 
Join Date: Sep 2004
Location: Dentergem, Belgium
Posts: 1,811

Got three questions this time.

1) How can I make it so that an admin has to log in, but only once, until they log out? I don't think cookies're pretty safe, and right now, every time you submit something on a form, it asks to log in again.

2) How can I spread the login session over multiple files, so I don't have to stuff everything into one huge file, but so that people can't just go to their URL and use the stuff in there?

3) In my database, the passwords're encrypted by choosing the Password function (using phpMyAdmin). Is there any way to do that with the user-submitted passwords as well? Comparing the two gives untrue between an encrypted and an unencrypted string, which's a bit of a problem.
Old 03-02-2006, 10:55 AM   #2
Kon-Tiki
[BANNED]

 
Join Date: Sep 2004
Location: Dentergem, Belgium
Posts: 1,811

Some problems apparently'll be solved by using sessions. Those're going weird, though. Got some problems with them.

1) The session-id changed with each page-load.
2) It nags.


1) This's how my session starts:
Code:
session_start();
$session_id = session_id();
session_register("id");
At first, I didn't use a session_register()-function on $session_id. Adding it didn't have any effect, as it apparently keeps recreating the session. I'll be checking for if($session_id == NULL) to do the session_start(), but I don't think that'll fully get it to work.

2) It says this:
Code:
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Web1\Eindoef\admin.php:9) in C:\xampp\htdocs\Web1\Eindoef\login.php on line 9

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\xampp\htdocs\Web1\Eindoef\admin.php:9) in C:\xampp\htdocs\Web1\Eindoef\login.php on line 9
The first 11 lines of login.php are this:
Code:
<html>
<head>
</head>

<body>
<?php


session_start();
$session_id = session_id();
session_register("id");
The ninth line is session_start(); I don't know why it nags, nor how to solve it, but it sure disrupts my page.
Old 03-02-2006, 11:29 AM   #3
Reup
10 GOSUB Abandonia
20 GOTO 10
 

 
Join Date: Dec 2004
Location: Eindhoven, Netherlands
Posts: 1,508

You MUST put the session_start() as the first thing in your file. This has to be sent before any headers. As soon as you leave a single empty line or an HTML tag in front of it, you'll get the 'headers already sent' error!

Edit: and you can use the superglobal $_SESSION['varname'] to store and retrieve stuff in your session variable!
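Putting Reup's advice together for the first two questions (log in once until logout, and protect several files without repeating the login form), here is an added example that is not code from this thread: a single include, assumed to be called admin_auth.php, that starts the session before any output and exposes a check every admin page calls. It assumes PHP 7.3+ and that the site is served over HTTPS.

```php
<?php
// admin_auth.php: require_once this as the very first line of every admin-only
// file, before any HTML, whitespace or echo, because session_start() must
// send its cookie before output begins (the "headers already sent" warning).

// Cookie flags (PHP 7.3+ array form): HttpOnly keeps scripts from reading the
// session id, Secure sends it only over HTTPS (assumed), SameSite limits
// cross-site requests carrying it.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Gate for protected pages: redirects to login.php unless an admin is logged
// in, otherwise returns the admin's login name stored in the session.
function require_admin(): string
{
    if (empty($_SESSION['admin_login'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['admin_login'];
}

// Call once the submitted credentials have been verified. Issuing a fresh
// session id at login means a session id that was fixed beforehand (for
// example via a pre-set cookie) never becomes an authenticated one.
function mark_logged_in(string $login): void
{
    session_regenerate_id(true);
    $_SESSION['admin_login'] = $login;
}

// Call from logout.php: wipe the data, expire the cookie, destroy the session.
function logout_admin(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Every protected file (admin.php, edit.php, ...) then starts with:
//   require_once __DIR__ . '/admin_auth.php';
//   $admin = require_admin();
// and only after that emits its HTML; the login form is never repeated, and
// the login lasts until logout_admin() runs or the session cookie expires.
```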
Old 03-02-2006, 11:41 AM   #4
Kon-Tiki
[BANNED]

 
Join Date: Sep 2004
Location: Dentergem, Belgium
Posts: 1,811

Aye, that takes care of that, and the session ID stays consistent now. Thanks
Old 03-02-2006, 12:01 PM   #5
Data
retired
 


 
Join Date: Jun 2004
Location: Jan Mayen, Svalbard and Jan Mayen
Posts: 2,167

3)
You have to compare 2 encrypted passwords together.
I think you can do a MySQL query which gives an encrypted password.
password(whatever) or something like that
__________________
Flowing with the stream of life
Old 03-02-2006, 12:16 PM   #6
Reup
10 GOSUB Abandonia
20 GOTO 10
 

 
Join Date: Dec 2004
Location: Eindhoven, Netherlands
Posts: 1,508

You could also use the php-function crypt() to accomplish one-way encryption.
Old 03-02-2006, 12:26 PM   #7
Kon-Tiki
[BANNED]

 
Join Date: Sep 2004
Location: Dentergem, Belgium
Posts: 1,811

The crypt()-function encrypts in a different way. As for the password... I put an unencrypted one in for testing purposes, but the query's not working properly.
Code:
Session-ID: f638205c9db7afdecdd9e9e1eda8e1d0
Login: kak
Logged in:
That's what I get after filling in username and password. My code's this:
Code:
<?php session_start();
$session_id = session_id();
session_register("id");
 ?>

<html>
<body>
<?php	
include_once("connection.php");

$paswrd = $_POST["paswrd"];
$login = $_POST["login"];

$SQL_query = "SELECT count(Naam) FROM webmasters WHERE Naam = $login AND Paswoord = $paswrd";
$logged_in = mysql_query($SQL_query, $db_connection);
session_register("logged_in");
$test = $_SESSION["logged_in"];

echo "<br><br>Session-ID: ", $session_id, "<br>Login: ", $login, "<br>Logged in: ", $test, "<br><br>";

echo "<div class='content'><div class='sub_content_noscroll'><table>
<form method='post' action='admin.php' name='frmLogin'>
 <tr><td>Login: </td><td><input type='text' name='login' /></td></tr>
 <tr><td>Paswoord: </td><td><input type='password' name='paswrd' /></td></tr>
 <tr><td><input type='submit' name='submit' value='Log in' /></td></tr>
</form>
</table></div></div>";

?>
</body>
</html>
I don't see what's wrong with this.
Old 03-02-2006, 01:01 PM   #8
Reup
10 GOSUB Abandonia
20 GOTO 10
 

 
Join Date: Dec 2004
Location: Eindhoven, Netherlands
Posts: 1,508

This should work if the password is in the db in plain text. If it's encrypted you're not going to get any results from the query. That is why crypt could be handy. You store the passwords in the db with crypt and check it against the crypted entered password. This way you won't be able to get the password from the db, 'cause only the crypted version is ever stored.
I don't really know how to use the MySQL encryption in PHP, but from the docs I gather you should be able to create the following query:

SELECT * FROM table WHERE login = '$login' AND password = ENCRYPT('$password')

There are a couple of encrypt/decrypt functions you can use in a query: check the documentation!

Edit: mofo typos
Old 03-02-2006, 01:02 PM   #9
plix
Game freak

 
Join Date: Oct 2005
Posts: 113

I don't have the time to fill out a full reply at the moment (I'll reply fully later), but a few immediate notes.

Sessions either use cookies or embed themselves in the URL. That is to say, cookies are all you really have since session-ids-in-the-url are even more insecure. I'll cover a few things about using secure cookies when I get back.

crypt and MySQL's password() are both rather insecure, as is md5. Use PHP's SHA1 (or higher if you have the mcrypt/mhash extensions available). Make the MySQL row a varchar and add the hashed version of the password to the database. Then, when logging in, make sure that $pass_from_db == sha1($submitted_pass).
Old 03-02-2006, 01:33 PM   #10
Kon-Tiki
[BANNED]

 
Join Date: Sep 2004
Location: Dentergem, Belgium
Posts: 1,811

Well, I got one login in my database where I didn't encrypt the password. That one's the one I've been using for these tests, and even that didn't work.
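For the third question, two things in the posted admin.php explain the empty "Logged in:" line even with a plaintext password: the POST values are spliced into the SQL without quotes, so `Naam = kak` is parsed as a column name and the query fails (mysql_query returns false), and even a successful mysql_query returns a result handle, not the count. The following added example (not code from this thread) replaces both the in-SQL comparison Reup and Data describe and the sha1 comparison plix suggests with a parameterised PDO query plus password_hash()/password_verify(), the current PHP replacement for unsalted hashes; it assumes PHP 7+ with the PDO MySQL driver, the thread's table webmasters with columns Naam and Paswoord, and placeholder database credentials.

```php
<?php
// login_check.php: credential check against a stored password hash.
// Assumes PHP 7+ with PDO's MySQL driver; table "webmasters" and columns
// "Naam" / "Paswoord" are the thread's, with Paswoord widened to VARCHAR(255)
// so it can hold a password_hash() string instead of MySQL's PASSWORD() value.

// Creating or resetting an admin: store only the salted bcrypt hash.
function store_admin(PDO $db, string $login, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO webmasters (Naam, Paswoord) VALUES (:naam, :hash)');
    $stmt->execute([':naam' => $login, ':hash' => $hash]);
}

// Login: fetch the hash for this login name with a bound parameter (the
// submitted text never becomes part of the SQL, so quotes in it cannot alter
// the query), then compare in PHP with password_verify().
function check_admin(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT Paswoord FROM webmasters WHERE Naam = :naam');
    $stmt->execute([':naam' => $login]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown login: spend the same bcrypt cost anyway, so response time
        // does not reveal which login names exist.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Form handler sketch (after session_start(), before any output); database
// name and credentials are placeholders, not values from the thread:
// $db = new PDO('mysql:host=localhost;dbname=DBNAME', 'DBUSER', 'DBPASS',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (check_admin($db, $_POST['login'] ?? '', $_POST['paswrd'] ?? '')) {
//     $_SESSION['admin_login'] = $_POST['login'];   // mark the session as logged in
// }
```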