SecureSlash

Form Design:

<form id=”form1″ name=”form1″ method=”post” action=”login.php”>
<table width=”300″ border=”0″>
<tr>
<td>Username</td>
<td><input type=”text” name=”username_field” /></td>
</tr>
<tr>
<td>Password</td>
<td><input type=”text” name=”password_field” /></td>
</tr>
<tr>
<td> </td>
<td><input type=”submit” name=”login” value=”Login” /></td>
</tr>
</table>
</form>

Save it as “form.html”

<?php
session_start(); #3
include(‘config.php’); //Listen #1
$username = $_POST[‘username_field’];
$password = $_POST[‘password_field’];
if(($username == $user) && ($password == $pass))
{
$hash = md5($pass); //Listen #2
$_SESSION[‘hash’] = $hash;
echo(“Welcome $username<br>”);
}
else
echo(“Incorrect username/password<br>”);
?>

Save it as “login.php”

Listen #
#1: We are just including one php script within this login.php.
Let us say config.php looks like below:

<?php
//Configuration settings
$user = “rob”;
$pass=”p123”;
?>

#2: This is the main code in login.php
md5(); is a function which generates hash code for given value.
We are assigning the hash value of $pass in to a session variable.

#3:
session_start(); we have to start the session in every page where ever we use session variables. It should be very first code of the script before producing any output.
For example:

<?php
echo(“First line”);
session_start();
—-
—
?>
This will produce an error. So it should be like

<?php
session_start();
echo():
?>
<html>
<head>
<title>title</title>
</head>
<body>
Html codes
</body>
</html>
<?php
echo(“last line”);
?>

Why we need Session variables?

Let us say, you are going to develop an admin panel or user area. We need to allow authorized users only in some pages. So we must check his authority at any time. We cannt put form every where to get username and password from user. We are getting username and password only once from user and keeping his identity in login.php and other scripts. So we are storing the hash value of his password in a session variable and checking it in all pages. Seems confusing? Ok see this example it may help.

<?php
session_start();
//Account Area
include(‘config.php’);
if($_SESSION[‘hash’] == (md5($pass)))
{
echo(“Welcome $user”);

}
else
{
echo(“You are not authorized to visit this page!”);
} ?>
Why we are checking hash instead of original password? Because there are some security problem with php register globals setting. This method is some what secured with session variables.There is a problem with this script. Can you guess? Yes this will stuck if any two of users having same password. Yes there is no chance for duplicate username. But there is many chances for duplicate passwords. So what is the solution? Yes we have to store the hash of username in a session variable and have to check it in everywhere.
Like below:

If(($_SESSION[‘username_hash’] == (md5($user))) && ($_SESSION[‘password_hash’] == (md5($pass))))
{
}

Sounds good? We are just getting username and password from a config file (config.php) you can manipulate this mechanism by retrieving username/password from database tables.