Hi everyone. In this tutorial I will tech you how to make a PHP login form using sessions. You will need four files, one named form.php, one named login.php, another named auth.inc and the last named protected.php

NB these names can be changed at your will, but make sure you rename them throughout the tutorial.

Step 1)
Open a blank document in Notepad and type the following:

Listing 1.1 – form.php
<html>
<head>
<title>Login Form</title>
</head>

<body>
<form method="post" action="login.php">
Username: <input type="text" name="username" />

Password: <input type="password" name="password" />

<input type="submit" value="Login" />

</form>
</body>
</html>

Save this file as form.php.

Here we have set up a simple form that will pass submitted information onto the file login.php.


GET A FREE HOSTING AND FREE DOMAIN NOW. It is absolutely free
[url]http://affiliate.doteasy.com/index.cfm?M=red&B=5&T=729826&A=damisco87][/url]



Step 2)
Now open a second blank document in Notepad and enter the following:

Listing 2.1 – login.php
<?php

session_start();

$passwords = array("harry" => "dirtyharry",
"george" => "gorgieboy01",
"bob" => "bigbobby",
"jack" => "jackthelad";

if (!$_POST["username"] or !$_POST["password"]) {
echo "Please enter your username and password.";
exit;
}

if ($_POST["password"] == $passwords[$_POST["username"]]) {
echo "Login successful!";
$_SESSION["auth_username"] = $_POST["username"];
}
else {
echo "Login incorrect, please try again.";
}

?>
<html>
<head>
<title>Login</title>
</head>

<body>
Content in here will only be shown if the username and password supplied are correct.
</body>
</html>

Save this file as login.php.

Notice the php script comes before even the <html> tags. This ensures that the php is executed before the page gets rendered, so if the credentials were wrong the offender cannot see anything protected.

Basically here we tell the browser to start a session to store usernames and passwords in. We then set up an array called passwords which contains a list of usernames and respective passwords, from Harry to Jack.

The next part of the script checks inequality between the submitted credentials and the known credentials. The exclamation mark means “Does not equal”. If the credentials are indeed false/incorrect the script will display the message “Please enter your username and password.” One the users screen. The exit; function stops the script from continuing as soon as incorrect details are given.

The following section of the script checks for equality inequality between the submitted credentials and the known credentials. The double equals checks for equality, whereas a single equals assigns a value to a variable. If the credentials are correct the script displays "Login successful!" on the users screen. Then a session is started called “auth_username”. This allows the browser to remember whether or not a user is logged in, which means that they will not have to login again on a different page.

The final part of the php covers all other eventualities and displays "Login incorrect, please try again." to the user.

The rest of the page is shown below, between the <html> tags. The message between the <body> tags will not be visible unless the user is logged in.

Step 3)
You have pretty much finished creating a php secure login, but to illustrate the functionality of sessions, you may want to continue through Step 3.

Open your third document in notepad and type the following:

Listing 3.1 – auth.inc
<?php
session_start();
if (!isset($_SESSION["auth_username"])) {
echo "You must be logged in to view this page";
exit;
}
else {
echo "Hello, you're logged in!";
}

?>

auth.inc stores the information related to your session. You could type the above in every document, but it would become cumbersome and annoying. By including it using php you only need type it once and pull it in using the include function, as shown below.

The final script, protected.php, will be an arbitrary page that you wish to secure.

Listing 3.2 – protected.php
<?php

include "auth.inc";

?>
<html>
<head>
<title>Protected Page </title>
</head>

<body>
Content in here will only be shown if the username and password supplied are correct.
</body>
</html>

This script simply includes auth.inc at the very beginning. The placement of the script is essential to allowing the script to function properly. This will run the script typed in Listing 3.1, and will verify the credentials of the user. If they are legitimate the page will continue, displaying everything between the <body> tags, otherwise it will terminate, displaying only “You must be logged in to view this page.”
If you want to protect any further pages you simply need to add the include function at the very top of every page.

P.S. This script is not intended for protection of highly confidential documents, but rather for client extranets etc.




check out my blog
http://damisco87..com
http://damisco87.

@Poster

Kudos to your effort. I think your Login form needs to be more protected than what you already have.

@poster,

To make this post even more interesting, please add a "remember me" feature to your login script

Go on, we are all ears. Mind you if you are stuck i can be of help 'cos i have done this several times before.

And as for login security, i suspect you need to write a small snippet to make sure the script submitting to the verification script is from the same server, i am talking about the http post referer - i assume you grab that

please i want you teach me some trick on php
my name is chris fasa

Did u actually tried dat nd it worked? I didn't, just curious.
By d way, talking about a more flexible approach with usernames/passwords stored in database other than an array will be better.

So which is better, storing login information in database or in array, which is a better option? For me, I prefer using DB for this. What about you, what do you think?

Storing in an array isnt much of a real world instance. What happens every time you want to add more or modify the usernames/password? Go back and edit the codes? And since we are talking of a login page I believe there are users involved. That means for 1000 members, an array of 1000 key/values must be created?

I though dbase info can be translated into array during processing and changes saved back into arrays when their is a modification?

@dhtml
Sure. D array can be populated from a db but why d performance overhead? Y not validate directly from d db?

The standard thing is to validate from dbase, why did array come in. THe time we used to validate from arrays exclusively was when perl was still in use, and that was about 10 years ago, and very old school, pointless to discuss that here.

Best thing, do your validation by running your mysql query with php against a table containing username / password. ditto.

<a href='http://www.openminds.co.il/%D7%A2%D7%91%D7%95%D7%93%D7%94_%D7%91%D7%97%D7%95_%D7%9C/'>עבודה בחו ל</a>
<a href='http://www.flyshop.co.il/%D7%A6%D7%99%D7%95%D7%93/%D7%91%D7%99%D7%A9%D7%95%D7%9C%20%D7%91%D7%A9%D7%98%D7%97/%D7%90%D7%91%D7%9F%20%D7%A9%D7%9E%D7%95%D7%98%20%D7%9C%D7%90%D7%A4%D7%99%D7%99%D7%AA%20%D7%A4%D7%99%D7%A6%D7%94%20%D7%90%D7%95%20%D7%A4%D7%95%D7%A7%D7%A6%27%D7%94%20%D7%91%D7%AA%D7%A0%D7%95%D7%A8%2038X34_105-3'>אבן שמוט</a>

חברות <h3><a href='http://www.seo-champion.co.il'>קידום אתרים</a></h3> ומהווים תת-תחום של שיווק באינטרנט.
<a href='http://www.seolance.co.il'>קידום אתרים בגוגל</a>
<a href="http://www.hovalatova.org">הובלות</a>

<a href="http://www.mpfvoa.org" target="_blank">ויאגרה</a>
<a href="http://www.mpfvoa.org" target="_blank">קניית ויאגרה</a>

<a href="http://www.hovalatova.org">הובלות</a>

you have to upgrade your program very well. thanks for your info here

<a href="http://www.seolance.co.il">קידום אתרים בגוגל</a>
<a href="http://www.seo-champion.co.il">קידום אתרים</a>

<a href="
https://www.youtube.com/watch?v=FeSvxV-iEys">ביטוח ישיר</a>


<a href="
https://www.youtube.com/watch?v=panaCAqtS_4">אזעקה</a>

<a href="
https://www.youtube.com/watch?v=SO4T3zN4Jrc">אמריקן לייזר</a>