NOTE - This uses ODBC Drivers and my released security for SQL login in Xampp/Apache servers found here....

Let's begin ...
1. Basic Configuration
A. Protecting pages
This bit of script needs to be added to the top of all pages you wish the login to protect. It is located on the demo Index.php page.
Change the header("Location: url/to/page.php") url to match your needs if this is not in the parent folder. (This is required for this script and the login page script if the url is changed.)
B. Set allowed users
This is remarkably easy to do. Open the login.php page in any text editor or web development software. Near the top, locate the variable $accepted_status="16,32";. Now all you do is add or remove the wanted status numbers separating them with a comma. To enable all non-banned users just remove the // comment before the example and add it to the active variable.
login.php script example...
C. Logout buttons
These can be placed anywhere on your pages. It only requires a url link with the url ?logout=true. An example of this as a button is shown on the Index.php and can be copy/pasted to any page within the protected pages you like.
2. Troubleshooting
Unable to locate file error
To fix this, just edit the url given in all the header() calls to match the location where you placed the files or wish to send users for logout/login.
SQL Server Errors
This honestly should never occur unless the SQL login in the db_connect.php file is wrong. The login check function contained either returns true or false depending if the status is found to be within the allowed status provided and the user/pass given both match. Failure on any of these will fail the login attempt and simply return false.
I hope you all enjoy this little release and use it at least as a template to help secure your scripts. I use the same type of method for securing my own pages.
[NOTE]
RealChew -
Let me get this straight. The name of the release doesn't explain it's basic, or do you not understand the idea of what usage of basic php functions are? Let's look at the title of the release again, shall we.... Quote:
It's important to secure the sessions, it's possible to steal a session without logging.
Client-side, a session is just a cookie, if the value of the cookie is stolen and there is no verification, a simple visitor can steal a GM's session.
I think a verification function is missing, like an md5 or sha1 of the User Agent, the UserID and a uniqid() stored in a database, with a comparison of the 2 values (cookie and the value stored) added at the top of all pages, example:
Code:
if ($_SESSION['loggedIn'] !== "true") {
    header("Location: ./login.php");
    exit();
} else {
    verif_session($sessionValue, $userId);
}
[Release] Basic Secured Login Form - PHP
Read into session theft and see that MD5 and other methods of encrypting session IDs require a lot more than just a fast SQL check to secure the session completely, and this actually takes this into a session security thread and not a basic login release as stated. On the other hand, SQL can do NOTHING to secure sessions. It's data storage, so it doesn't actually do anything itself that would prevent web hijacking. The function or check would need to be constructed in php alone without SQL. Since session security is not the aim of this post, I would recommend you make a new thread with some security tips for securing various areas of php rather than post your off-topic ideas on improvements to a release that is exactly what it claims to be. A session, any kind, can be stolen. This means even the encrypted one can be hijacked and used, meaning it would take a lot more than a simple function in php to identify attackers and prevent them from visiting. Since this is a BASIC release, it doesn't include the advanced security. You are more than welcome to release an advanced login form, but I ask you to rethink your trolling a lil to realize what lvl the script is released at and if the releasing person is aware of what they are releasing.
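
The per-page session check RealChew describes above, written out as an added example; it is not part of the release or of either poster's code. The names bind_session and require_login, the sess_token cookie and the userId session key are hypothetical. It uses SHA-256 and random_bytes() in place of the md5/sha1 and uniqid() mentioned in the thread, and keeps the expected value in PHP's server-side session data rather than a database table.

```php
<?php
// Added example: function names and the cookie name are hypothetical.
// Requires PHP 7.3+ for the options-array form of setcookie().
const TOKEN_COOKIE = 'sess_token';

function fingerprint(string $userId, string $userAgent, string $nonce): string
{
    return hash('sha256', $userId . "\0" . $userAgent . "\0" . $nonce);
}

// Call once, right after the user/pass/status check succeeds.
// The session must already be started.
function bind_session(string $userId): void
{
    session_regenerate_id(true);            // discard the pre-login session id
    $nonce = bin2hex(random_bytes(16));     // unpredictable per-login value
    $_SESSION['loggedIn'] = "true";
    $_SESSION['userId'] = $userId;
    $_SESSION['fingerprint'] =
        fingerprint($userId, $_SERVER['HTTP_USER_AGENT'] ?? '', $nonce);
    setcookie(TOKEN_COOKIE, $nonce,
        ['path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
}

function verif_session(): bool
{
    $expected = $_SESSION['fingerprint'] ?? null;
    $userId = $_SESSION['userId'] ?? null;
    $nonce = $_COOKIE[TOKEN_COOKIE] ?? null;
    if (($_SESSION['loggedIn'] ?? null) !== "true"
        || !is_string($expected) || !is_string($userId) || !is_string($nonce)) {
        return false;
    }
    $actual = fingerprint($userId, $_SERVER['HTTP_USER_AGENT'] ?? '', $nonce);
    return hash_equals($expected, $actual);  // constant-time comparison
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    session_start(['cookie_httponly' => true, 'cookie_secure' => true]);
    if (!verif_session()) {
        $_SESSION = [];
        session_destroy();
        header("Location: ./login.php");
        exit();
    }
}
```

A copy of both cookies replayed with the same User-Agent still passes this check, so it narrows session theft rather than preventing it. Serving the site over HTTPS with Secure and HttpOnly cookies is what keeps the cookie values from being read in the first place.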







