Archive for the 'MYSQL5' Category

PHP SOLUTIONS: (Florida web design) DYNAMIC WEB DESIGN MADE EASY 2.

Thursday, March 6th, 2008

2. When a session times out, just dumping a user unceremoniously back at the login screen isn't very friendly, so it's a good idea to explain what's happened. Scroll down to the main body of the page, and add the code highlighted in bold:

    $error
    "; } elseif (isset($_GET['expired'])) { ?>
    Your session has expired. Please log in again.

The message is shown if the URL contains a variable called expired in a query string.

3. Open menu.php, and amend the PHP code above the DOCTYPE declaration like this:

    $_SESSION['start'] + $timelimit) {
      // empty the $_SESSION array
      $_SESSION = array();
      // invalidate the session cookie
      if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-86400, '/');
      }
      // end session and redirect with query string
      session_destroy();
      header("Location: {$redirect}?expired=yes");
      exit;
    }
    // if it's got this far, it's OK, so update start time
    else {
      $_SESSION['start'] = time();
    }
    ?>
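The inactivity check from this solution, packaged as a reusable function (an added example, not code from the book or its download files). The names idle_expired() and enforce_idle_timeout() and the 15-minute limit are assumptions made for this example; a missing start time is treated as expired, and the cookie is cleared with the parameters it was issued with rather than a hard-coded path.

```php
<?php
// Added example: idle_expired() and enforce_idle_timeout() are hypothetical names.

// Pure decision: has the session been idle longer than $limit seconds?
// A missing or non-integer start time counts as expired, so a session that
// never went through the login script cannot slip past the check.
function idle_expired(array $session, int $now, int $limit): bool
{
    if (!isset($session['start']) || !is_int($session['start'])) {
        return true;
    }
    return ($now - $session['start']) > $limit;
}

// Call at the top of every restricted page, before any output is sent.
function enforce_idle_timeout(int $limit, string $redirect): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['authenticated'])) {
        header("Location: {$redirect}");
        exit;
    }
    if (idle_expired($_SESSION, time(), $limit)) {
        // empty the session array
        $_SESSION = array();
        // expire the cookie with the same path, domain and flags it was set with
        if (isset($_COOKIE[session_name()])) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 86400,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header("Location: {$redirect}?expired=yes");
        exit;
    }
    // still active: restart the inactivity clock
    $_SESSION['start'] = time();
}

// Constructed check of the decision logic, runnable from the command line.
if (PHP_SAPI === 'cli') {
    $limit = 15 * 60;        // assumed policy: 15 minutes
    $now   = 1700000000;     // constructed timestamp
    var_dump(idle_expired(['start' => $now - 60], $now, $limit));
    var_dump(idle_expired(['start' => $now - 1000], $now, $limit));
    var_dump(idle_expired([], $now, $limit));
}
```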

Web hosting domains - PAGES THAT REMEMBER: SIMPLE LOGIN AND MULTIPAGE FORMS

Wednesday, March 5th, 2008

3. Save login.php and test it. It should work the same as before, but be more secure. Check your code if necessary with login_encrypted.php in the download files.

PHP Solutions 9-3 to 9-7 show you how to create a simple, yet effective user authentication system that doesn't require a database back end. However, it does have its limitations. Above all, it's essential that the text file containing the usernames and passwords be outside the server root. Even though the passwords are encrypted, knowing the usernames reduces the effort that an attacker needs to try to break through your security. Another weakness is that the salt is the username. Ideally, you should create a random salt for each password, but you need to store it somewhere. If it's in the same file as the usernames, they would both be exposed at the same time.

Using a database for user authentication gets around many of these problems. It involves more coding, but is likely to be more secure. Also, once you get more than a few records, querying a database is usually much faster than looping through a text file line by line. Of course, the weakest link in most security systems lies in easily guessed passwords, or users revealing their login details (intentionally or otherwise) to unauthorized users. Chapter 15 covers user authentication with a database.

Setting a time limit on sessions

Setting a time limit on a PHP session is easy. When the session first starts, typically when the user logs in, store the current time in a session variable. Then compare it with the latest time whenever the user does anything that triggers a page to load. If the difference is greater than a predetermined limit, destroy the session and its variables. Otherwise, update the variable to the latest time.

PHP Solution 9-8: Ending a session after a period of inactivity

This assumes that you have set up a login system as described in PHP Solutions 9-3 to 9-7. The completed scripts are in login_timeout.php, menu_timeout.php, and secretpage_timeout.php in the download files for this chapter.

1. You need to store the current time after the user's credentials have been authenticated, but before the script redirects the user to the restricted part of the site. Locate the redirect code in login.php (around line 31), and insert the new code highlighted in bold as follows:

    // if the session variable has been set, redirect
    if (isset($_SESSION['authenticated'])) {
      // get the time the session started
      $_SESSION['start'] = time();
      header('Location: http://localhost/phpsolutions/sessions/menu.php');
      exit;
    }

The time() function returns a current timestamp. By storing it in $_SESSION['start'], it becomes available to every page that begins with session_start().

Web host music - PHP SOLUTIONS: DYNAMIC WEB DESIGN MADE EASY 8.

Wednesday, March 5th, 2008

8. Save register.php and test it. Try it with a username or password with fewer than six characters and with passwords that don't match. Also try using the same password for two different usernames. I registered two users, both with the password codeslave. As Figure 9-3 shows, it's impossible to tell from the encrypted versions that both users have the same password.

Figure 9-3. Using a salt produces completely different encryptions of the same password.

Now that you have encrypted passwords, you need to change the login form to handle the new setup.

PHP Solution 9-7: Using an encrypted login

All that's necessary is to select the text file that contains the encrypted passwords and to encrypt the password before comparing it with the one stored in the file.

1. Open login.php from PHP Solution 9-3 or use login.php from the download files. Near the top of the script (around line 9), change the name of the text file, and add the following two lines shown in bold:

    $textfile = 'C:/private/encrypted.txt';
    $username = trim($_POST['username']);
    $pwd = sha1($username.trim($_POST['pwd']));
    if (file_exists($textfile) && is_readable($textfile)) {

This removes any whitespace from the username and assigns it to a shorter variable. The next line also removes whitespace from the submitted password and adds the username to the front before passing it to sha1() for encryption.

2. Now use the shorter variables in the line of code that compares the username and password in the text file. Find the following line:

    if ($users[$i]['name'] == $_POST['username'] &&
      $users[$i]['password'] == $_POST['pwd']) {

Change it like this:

    if ($users[$i]['name'] == $username && $users[$i]['password'] ==
      $pwd) {

If you used the shorter version in PHP Solution 9-3, change this line:

    if ($tmp[0] == $_POST['username'] && rtrim($tmp[1]) == $_POST['pwd']) {

Amend it as follows:

    if ($tmp[0] == $username && rtrim($tmp[1]) == $pwd) {
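The same file-based login with a random salt for each password, as an added example (not code from the book or its download files). It assumes PHP 7 or later and uses the built-in password_hash() and password_verify(), which generate the salt and store it inside the hash string, so the file keeps its username, hash layout; make_record(), check_login() and the sample users are made up for this example.

```php
<?php
// Added example: make_record() and check_login() are hypothetical names.

// Build one "username, hash" line. password_hash() picks a random salt and
// embeds it, with the algorithm and cost, in the returned string.
function make_record(string $username, string $password): string
{
    if (preg_match('/[,\r\n]/', $username)) {
        throw new InvalidArgumentException('username contains a separator');
    }
    return $username . ', ' . password_hash($password, PASSWORD_DEFAULT);
}

// Check submitted credentials against the lines of the password file.
function check_login(array $lines, string $username, string $password): bool
{
    // Hash of a throwaway value, verified when the username is unknown, so
    // both outcomes cost one hash computation.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $stored = $dummy;
    $known  = false;
    foreach ($lines as $line) {
        // limit of 2: only the first ", " separates the username from the hash
        $tmp = explode(', ', rtrim($line, "\r\n"), 2);
        if (count($tmp) === 2 && $tmp[0] === $username) {
            $stored = $tmp[1];
            $known  = true;
            break;
        }
    }
    // password_verify() reads the salt back out of $stored and compares the
    // result in constant time.
    $ok = password_verify($password, $stored);
    return $known && $ok;
}

// Constructed sample data: two users who chose the same password.
$lines = [
    make_record('david', 'codeslave'),
    make_record('jethro', 'codeslave'),
];
echo $lines[0], "\n", $lines[1], "\n";   // same password, different hashes
var_dump(check_login($lines, 'david', 'codeslave'));
var_dump(check_login($lines, 'david', 'wrongpass'));
var_dump(check_login($lines, 'nobody', 'codeslave'));
```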

Free web hosting music - PAGES THAT REMEMBER: SIMPLE LOGIN AND MULTIPAGE FORMS

Tuesday, March 4th, 2008

        fwrite($file, "$username, $pwd");
      }
      // if filesize is greater than zero, check username first
      else {
        // move internal pointer to beginning of file
        rewind($file);
        // loop through file one line at a time
        while (!feof($file)) {
          $line = fgets($file);
          // split line at comma, and check first element against username
          $tmp = explode(', ', $line);
          if ($tmp[0] == $username) {
            $result = 'Username taken - choose another';
            break;
          }
        }
        // if $result not set, username is OK
        if (!isset($result)) {
          // insert line break followed by username, comma, and password
          fwrite($file, "\r\n$username, $pwd");
          $result = "$username registered";
        }
        // close the file
        fclose($file);
      }
    }

The preceding explanation and inline comments should help you follow the script. The only line that you need to alter is this:

    $filename = 'C:/private/encrypted.txt';

Change it to the pathname of the file where you want to store usernames and passwords. If you're on a Mac or plan to deploy this script on a Linux server, you also need to change the following line:

    fwrite($file, "\r\n$username, $pwd");

Remove the \r at the beginning of the second argument. Mac and Linux don't need a carriage return to create a new line.

7. The final piece of coding displays the value of $result after the script has run. It goes just before the form like this:

    Register user
    $result
    "; } ?>
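The registration script reads the file to check the username and then appends to it without locking, so two simultaneous requests for the same name can both pass the check. An added example (not from the book or its download files) that keeps the a+ mode but holds an exclusive flock() from the first read to the final write; register_user(), the PHP_EOL line ending, the placeholder hash strings and the temporary file are assumptions of this example.

```php
<?php
// Added example: register_user() is a hypothetical name; $hash is whatever
// encrypted password string the caller has already produced.
function register_user(string $filename, string $username, string $hash): string
{
    if (preg_match('/[,\r\n]/', $username)) {
        return 'Username contains characters that are not allowed';
    }
    // a+ creates the file if necessary and always writes at the end
    $file = fopen($filename, 'a+');
    if ($file === false) {
        return 'Cannot open the user file';
    }
    // hold an exclusive lock from the first read to the final write
    if (!flock($file, LOCK_EX)) {
        fclose($file);
        return 'Cannot lock the user file';
    }
    rewind($file);
    $result = null;
    $empty  = true;
    while (($line = fgets($file)) !== false) {
        $empty = false;
        // split line at the first comma, and check the username
        $tmp = explode(', ', $line, 2);
        if ($tmp[0] === $username) {
            $result = 'Username taken - choose another';
            break;
        }
    }
    if ($result === null) {
        // no line break before the very first record
        fwrite($file, ($empty ? '' : PHP_EOL) . "$username, $hash");
        fflush($file);
        $result = "$username registered";
    }
    flock($file, LOCK_UN);
    fclose($file);
    return $result;
}

// Constructed run against a temporary file.
$filename = tempnam(sys_get_temp_dir(), 'users');
echo register_user($filename, 'david', 'hash-one'), "\n";
echo register_user($filename, 'jethro', 'hash-two'), "\n";
echo register_user($filename, 'david', 'hash-three'), "\n";
echo file_get_contents($filename), "\n";
unlink($filename);
```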


PHP SOLUTIONS: DYNAMIC WEB DESIGN (Free web host) MADE EASY 4.

Monday, March 3rd, 2008

4. Add the second test after the appropriate comment like this:

    // check that the passwords match
    elseif ($pwd != $_POST['conf_pwd']) {
      $result = "Your passwords don't match";
    }

5. You can now add the else clause that runs only if the first two tests fail, indicating that the input is OK. This is where the main action takes place.

    // continue if OK
    else {
      // main processing code goes here
    }

Let's pause to consider what the main script needs to do. First, you need to encrypt the password by combining it with the username as a salt. Then, before writing the details to a text file, you must check whether the username is unique. This presents a problem of which mode to use with fopen().

The various fopen() modes are described in Chapter 7. Ideally, you want the internal pointer at the beginning of the file so that you can loop through existing records. The r+ mode does this, but the operation fails unless the file already exists. You can't use w+, because it deletes existing content. You can't use x+ either, because it fails if a file of the same name already exists. That leaves a+ as the only option with the flexibility you need: it creates the file if necessary, and lets you read and write.

The file is empty the first time you run the script (you can tell because the filesize() function returns 0), so you can go ahead and write the details. If filesize() doesn't return 0, you need to reset the internal pointer and loop through the records to see if the username is already registered. If there's a match, you break out of the loop and prepare an error message. If there isn't a match by the end of the loop, you not only know it's a new username, you also know you're at the end of the file. So, you write a new line followed by the new record. Now that you understand the flow of the script, you can insert it into register.php.

6. Replace the placeholder comment in the else clause from the preceding step with the following code:

    // continue if OK
    else {
      // encrypt password, using username as salt
      $pwd = sha1($username.$pwd);
      // define filename and open in read-write append mode
      $filename = 'C:/private/encrypted.txt';
      $file = fopen($filename, 'a+');
      // if filesize is zero, no names yet registered
      // so just write the username and password to file
      if (filesize($filename) === 0) {

Cpanel web hosting - PAGES THAT REMEMBER: SIMPLE LOGIN AND MULTIPAGE FORMS

Monday, March 3rd, 2008

remove any backslashes from the $_POST array and check that the input meets your minimum requirements. You can't check whether the username is unique until you open the file that contains the registered usernames and passwords, but you know there's no point in going any further if the input is too short or the passwords don't match. So let's build the basic code skeleton. Insert the following code above the DOCTYPE declaration:

All this does at the moment is remove backslashes from the $_POST array with the nukeMagicQuotes() function from Chapter 3. Let's check the user input.

3. When checking the length of user input, begin by stripping any whitespace from both ends with trim() and saving the result to a shorter variable. Saving to a shorter variable avoids the need to type out the full $_POST variable name every time. It also makes it easier to incorporate user input in a string because you don't need to worry about the quotes in the $_POST variable name. Then pass the new variable to strlen(), which returns the length of a string. If either the username or password is too short, you need an error message to display. Add this code immediately after the appropriate comment:

    // check length of username and password
    $username = trim($_POST['username']);
    $pwd = trim($_POST['pwd']);
    if (strlen($username) < 6 || strlen($pwd) < 6) {
      $result = 'Username and password must contain at least 6 characters';
    }

You could check that strlen() is greater than 5. However, you still need to make sure that both passwords match. Consequently, it's more efficient to turn the logic around and test for things that you don't want. In pseudo-code, the logic works like this:

    if (username or password has less than the minimum) {
      input is not OK
    }
    elseif (the passwords do not match) {
      input is not OK
    }
    else {
      input is OK to process
    }

PHP SOLUTIONS: DYNAMIC WEB (Cool web site) DESIGN MADE EASY no

Sunday, March 2nd, 2008

no way that you can send users password reminders if they forget them; you must generate a new password. Nevertheless, good security demands encryption.

Another precaution that's worth taking is adding a salt to the password before encrypting it. This is a random value that's added to make decryption even harder. Even if two people choose the same password, adding a unique value to the password before encryption ensures that the encrypted values are different. Sounds difficult? Not really, as you'll see over the next few pages.

You need to create a user registration form that checks the following:

- The password and username contain a minimum number of characters.
- The password matches a second entry in a confirmation field.
- The username isn't already in use.

PHP Solution 9-6: Creating a file-based user registration form

This PHP Solution assumes that you have set up a private folder that PHP has write access to, as described in Chapter 7. It also assumes that you are familiar with "Appending content with fopen()" in the same chapter. The finished code for this section is in register02.php in the download files.

1. Create a page called register.php in the sessions folder, and insert a form with three text input fields and a submit button. Lay out the form, and name the input elements as shown in the following screen. If you want to save time, use register01.php in the download files.

2. When building a script to process the input from a form, it's a good idea to map out the flow of the script as comments, and then fill in the details. As always, you want the processing script to run only if the form has been submitted, so everything needs to be enclosed in a conditional statement that checks whether the name attribute of the submit button is in the $_POST array. Then you need to

Florida web design - PAGES THAT REMEMBER: SIMPLE LOGIN AND MULTIPAGE FORMS

Saturday, March 1st, 2008

      header('Location: http://localhost/phpsolutions/sessions/login.php');
      exit;
    }
    ?>

5. At the same point in menu.php from which you cut the code for the form, include the new file like this:

Including the code from an external file like this means that there will be output to the browser before the calls to setcookie() and header(). So you need to buffer the output, as shown in PHP Solution 9-2.

6. Add ob_start(); immediately after the call to session_start() at the top of menu.php. There's no need to add ob_end_flush() to logout.inc.php. You don't want to flush the buffer when logging out a user. You could add it to menu.php after the include command, but it's not necessary, as PHP automatically flushes the buffer at the end of the script if you haven't already done so explicitly.

7. Save menu.php and test the page. It should look and work exactly the same as before.

8. Repeat steps 5 and 6 with secretpage.php. You now have a simple, reusable logout button that can be incorporated in any restricted page.

Although this file-based user authentication setup is adequate for restricting access to web pages, all the passwords are stored in plain text. For greater security, it's advisable to encrypt passwords.

Encrypting passwords

PHP provides a simple and effective way to encrypt passwords, using SHA-1 (US Secure Hash Algorithm 1; for more info, see www.faqs.org/rfcs/rfc3174), which produces a 40-digit hexadecimal number. When encrypted with SHA-1, codeslave turns into this:

    fe228bd899980a7e23fd08082afddb74a467e467

SHA-1 is considered secure because it's said to be computationally infeasible to work out the original text or to find two sets of text that produce the same number. This means that even if your password file is exposed, no one will be able to work out what the passwords are. It also means that you have no way of converting fe228bd899980a7e23fd08082afddb74a467e467 back to codeslave. In one respect, this is unimportant: when a user logs in, you encrypt the password again and compare the two encrypted versions. The disadvantage is that there is

PHP SOLUTIONS: DYNAMIC WEB DESIGN (Best web site) MADE EASY 2.

Friday, February 29th, 2008

2. You now need to add the script that runs when the logout button is clicked. Amend the code above the DOCTYPE declaration like this (the code is in menu02.php):

This is the same code as in "Destroying a session" earlier in the chapter. The only differences are that it's enclosed in a conditional statement so that it runs only when the logout button is clicked, and it uses header() to redirect the user to login.php.

3. Save menu.php and test it by clicking Log out. You should be redirected to login.php. Any attempt to return to menu.php or secretpage.php will bring you back to login.php.

4. You can put the same code in every restricted page; but PHP is all about saving work, not making it. It makes sense to turn this into an include file. Create a new file called logout.inc.php in the includes folder. Cut and paste the new code from steps 1 and 2 into the new file like this (it's in logout.inc.php in the download files):

PAGES THAT REMEMBER: (Abyss web server) SIMPLE LOGIN AND MULTIPAGE FORMS

Thursday, February 28th, 2008

    // if session variable not set, redirect to login page
    if (!isset($_SESSION['authenticated'])) {
      header('Location: http://localhost/phpsolutions/sessions/login.php');
      exit;
    }
    ?>

After starting the session, the script checks whether $_SESSION['authenticated'] has been set. If it hasn't, it redirects the user to login.php and exits. That's all there is to it! The script doesn't need to know the value of $_SESSION['authenticated'], although you could make doubly sure by amending line 4 like this:

    if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated']
      != 'Jethro Tull') {

This now also rejects a visitor if $_SESSION['authenticated'] has the wrong value.

3. Save menu.php and secretpage.php, and try to load either of them into a browser. You should always be redirected to login.php.

4. Enter a valid username and password in login.php, and click Log in. You should be redirected immediately to menu.php, and the link to secretpage.php should also work.

All you need to do to protect any page on your site is add the eight lines of code in step 2 above the DOCTYPE declaration.

As well as logging into a site, users should be able to log out.

PHP Solution 9-5: Creating a reusable logout button

Continue working with the files from the preceding section. The finished files are in menu03.php, logout.inc.php, and secretpage02.php in the download files for this chapter.

1. Create a logout button in the <body> of menu.php by inserting the following form:

The page should look similar to the following screenshot: