login script


crazy8
05-15-2006, 12:43 AM
Not sure if there is such a thing as an HTML based login script or if PHP is better or not, but anyway here it goes. I have just recently decided to make two of the forms on my client's site protected and require a login to prevent any juvenile activities and any issues that could come about if they weren't protected. I have done a lot of looking around and I will keep looking, but just wanted to see if you all had anything simple, effective, and easy to understand. Here is what I'm looking for even though some of this info may not matter.
1) customer creates his/her own username and password
2) probably be a better idea (unless it's the only option) for it to be DB driven, though I know next to nothing about DB
3) I plan to create a form for the customer that will only ask for the username, password, full name, email, and company he/she represents.
4) I also figure something like this could be a good way to keep track of the customer base too.

Any ideas on scripts or language as far as PHP or HTML go, if there is an option even (I have only looked at PHP so far)? Also any tutorials on how to do this and have it not be some huge elaborate job just to do login, but not so simple that a 6 year old could bypass it blindfolded?

Thank you all a lot for the help ;)

Kravvitz
05-15-2006, 01:04 AM
HTML is only a markup language. You need to use a server-side language to do this.

Take a look at these articles. (http://www.google.com/search?q=php+login+script+%7Etutorial)

beefa
05-15-2006, 01:11 AM
Crazy8,

Login scripts and registration scripts are extremely easy to install and maintain, as long as you know the language.

I have since made over 30 login and registration forms, each unique in their own way. I have even made one for a user on this site in the Acquiring Skill subsection.

You (in hindsight) should have posted in there, as this is not a piece of code you can simply cut and paste into a page and save; it is a combination of scripts relying on the information your database holds and fields in each page.

I can do this for you in PHP, with a professional look, but it will cost a small amount of money.

Your alternative is a JavaScript script. It is merely a piece of code that holds all the usernames and passwords in a .txt or .js file. The JavaScript opens the file, checks if the username and password are in there, and passes the user on.

The problem with this is users can't instantly sign up; they have to be entered into the .txt or .js file by hand. The script also doesn't check if the user is logged on, as JS can't pass information between more than 2 pages without forms.

If you choose PHP, cookies and sessions enable themselves, and the page will know if the user is logged on. Users can also sign up instantly, and I'll even chuck in an admin section where you can view all available users, delete, modify, etc. If you choose JS, anybody can view the page without logging in, and the username and password file needs to be uploaded onto the webserver, enabling anybody and everybody to view the file and gain access (like your example of the 6 year old kid blindfolded) by checking out the script's source.

If you decide the more professional and secure option, I would be more than glad to help you. I am not selling anything to you, just providing information and a solution.

Hope this helps,
Beefa

dimeric
05-15-2006, 03:12 PM
Um, assuming you're not doing credit card handling etc. then they are really easy!

Just read up on PHP sessions. The JS solution that holds usernames and passwords in a .txt or .js file is not a good idea, as both of these files will, if found, come off the server as plain text (and their location can be seen in the source code!).

To be decently secure you do as follows:

1) Have either a database or .php file containing the usernames and a sha1() with salt hash of the password.
2) Then have some login page with a username text field and a password field.
3) This form submits to a php page where the inputs are made safe (addslashes etc.)
4) Then search through the database for a username that is the same as the input (or if in a file, explode the file contents to an array and search it). If none found, print out "Sorry that username was not found".
5) If found, work out the sha1() hash of the inputted password and compare with the stored value. If not matching, throw an error message "Incorrect password". If it is matching, you then set a session variable (see www.php.net for details).

There are a variety of steps you can take to avoid session hijacking, like storing the IP of the user when they log in in another session var and comparing the IP of the user with this every time they load a page, etc. You can also set cookies with some random number in, etc., and check that it continues to exist, but this can be overkill if you're not into your PHP.

Basically it's not that difficult, so have a peruse for tutorials.
If you have a DB it's super quick, otherwise it's just a matter of files/includes.

If you give a few more details of your situation I can be more specific!
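The five steps above, written out as a complete script. This is an added example, not dimeric's code or anything from the thread, and it makes two substitutions that are labelled in the comments: PDO prepared statements in place of addslashes() for step 3, and password_hash()/password_verify() (PHP 5.5+) in place of a hand-rolled salted sha1() for steps 1 and 5 (the salt is generated per password and stored inside the hash string). It assumes PHP 7.1 or later with the pdo_sqlite extension so that the database is an in-memory SQLite file and the script runs offline with `php login_example.php`; the table layout, column widths and sample customer data are constructed for the demo.

```php
<?php
// Added example (not code from the thread): dimeric's five steps with
// current PHP built-ins. Substitutions, each labelled where it happens:
//   - PDO prepared statements instead of addslashes()   (step 3)
//   - password_hash()/password_verify() instead of a manual salted sha1()
//     (steps 1 and 5); the salt is generated and stored inside the hash
// Runs offline: an in-memory SQLite database (needs the pdo_sqlite extension).
declare(strict_types=1);

// Step 1: the users table. The hash column must be wide enough: VARCHAR(n)
// is a maximum length in characters, a sha1 hex digest is 40 characters and
// a password_hash() string is 60 or more, so a narrow column would cut the
// hash short (or be rejected) in MySQL and every login would then fail.
// SQLite, used here only for the demo, ignores the declared length.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id        INTEGER PRIMARY KEY,
        username  VARCHAR(30)  NOT NULL UNIQUE,
        pwd_hash  VARCHAR(255) NOT NULL,
        full_name VARCHAR(100) NOT NULL,
        email     VARCHAR(255) NOT NULL,
        company   VARCHAR(100) NOT NULL
    )');
    return $db;
}

// Registration: the customer picks username and password; only the hash is stored.
function registerUser(PDO $db, string $username, string $password,
                      string $fullName, string $email, string $company): bool
{
    if (strlen($username) < 3 || strlen($password) < 8) {
        return false;                       // minimal policy; tighten as needed
    }
    $stmt = $db->prepare('INSERT INTO users (username, pwd_hash, full_name, email, company)
                          VALUES (:u, :h, :n, :e, :c)');
    try {
        $stmt->execute([
            ':u' => $username,
            ':h' => password_hash($password, PASSWORD_DEFAULT),   // salted, stored as one string
            ':n' => $fullName,
            ':e' => $email,
            ':c' => $company,
        ]);
    } catch (PDOException $e) {             // UNIQUE constraint: username already taken
        return false;
    }
    return true;
}

// Steps 3-5: the form handler. Bound parameters make the input safe for SQL
// (step 3); one query looks the user up (step 4); password_verify() does the
// hash comparison (step 5). One generic message for both "no such user" and
// "wrong password" avoids telling a guesser which usernames exist.
function loginUser(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT id, pwd_hash, full_name, email, company
                          FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['pwd_hash'])) {
        return ['ok' => false, 'message' => 'Incorrect username or password'];
    }
    // The profile fields come back so a later page can prefill its form.
    return ['ok' => true, 'user' => [
        'id'        => $row['id'],
        'full_name' => $row['full_name'],
        'email'     => $row['email'],
        'company'   => $row['company'],
    ]];
}

// On a real page, step 5 finishes by establishing the session:
//   session_start(); session_regenerate_id(true); $_SESSION['user'] = $result['user'];
// session_regenerate_id() gives the logged-in user a fresh session id, so an id
// handed out before login cannot be reused (session fixation).

// Constructed sample run (no real customer data):
$db = openDb();
var_dump(registerUser($db, 'mm_customer', 'correct horse battery', 'A. Customer', 'a@example.invalid', 'Example Co'));  // true
var_dump(registerUser($db, 'mm_customer', 'another password',      'B. Customer', 'b@example.invalid', 'Example Co'));  // false: name taken
var_dump(loginUser($db, 'mm_customer', 'wrong')['ok']);                  // false
var_dump(loginUser($db, 'mm_customer', 'correct horse battery')['ok']);  // true
```

Keeping the lookup and the hash comparison inside one function that returns a single generic failure message is deliberate: the two separate messages described in steps 4 and 5 let anyone confirm which usernames exist before they ever try a password.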

Piperwolf
05-15-2006, 03:48 PM
Is using .htaccess any easier?

flann
05-15-2006, 05:12 PM
A simple PHP login script isn't very hard at all. Some people use cookies, some use sessions; check the login from the fields in the database and surround the stuff on the page with an if statement that you either want them to see or not.

crazy8
05-15-2006, 07:12 PM
As far as cookies and sessions go, is one really better than the other?

One more thing about DB. I'm also working on something else and have tables already made in my DB. One of the fields in my DB is password varchar(255) and I need to make a new one called password varchar(30). Now does that number really matter much? Could I just use the same field for both things I'm working on? What does that number stand for anyway? If the numbers were the same could I also just as well use the same field then, even if it was serving for 2 different things?

Thanks a lot everyone for all the great advice :)

dimeric
05-15-2006, 08:31 PM
Sessions are better, as cookies can be mimicked by people while sessions are handled by the server and so are far more difficult to hijack (although still quite possible).

crazy8
05-15-2006, 09:45 PM
Anyone have an answer for the question above?:D

Thank you all again so much

erisco
05-15-2006, 10:07 PM
Let me clarify SESSION over COOKIES... if the client's cookie feature is enabled, the session will use cookies to store data. If it is disabled, the session will save the details within the server. However this saved information can ONLY be passed to the next page if TRANS-SID is enabled (which it is by default after 4.1.2 I believe). Just watch out for that, otherwise you have to manually send it. If it is enabled, then sessions are really clean to use.

It really isn't difficult like people are saying (I set one up myself, yay). Here is a script that I personally used for mine.
<?php
session_start();

#### If SESSION 'access' is NOT set check the form variables. If it IS set, then continue on with the page. This is for linking back to the page once the SESSION is established with a SESSION access value. It does not have to equal 'yes' ####

if (!isset($_SESSION['access']))
{
    #### Valid Login Identification ####
    $valid_usr = "test";
    $valid_pwd = "test";

    #### Grab POST variables for easier use (empty string when the form was not submitted) ####
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    #### If login variables are NOT valid, redirect to homepage to display an error ####
    #### Either field wrong is a failed login, so the two tests are joined with "or" ####
    if ($valid_usr !== $username or $valid_pwd !== $password)
    {
        session_destroy();
        header("Location: http://eric.brisco.ca/main.php?error=badlogin");
        exit();
    }
    else
    {
        #### Create SESSION value to enable ALL admin pages (quoted: a bare yes is an undefined constant) ####
        $_SESSION['access'] = 'yes';
    }
}
?>
There is notation that I have added right in the file for future reference (always an excellent idea), so you can get a grasp of how it is working. A form with two fields (username and password) is passed to it. I also needed a way to link BACK to the page without reprocessing the form, which amounts to the first if conditional.

Then the remaining pages just use code like this:
<?php
session_start();

#### If the SESSION access value is NOT set or NOT valid, redirect to homepage to display an error ####
if (!isset($_SESSION['access']) or $_SESSION['access'] !== 'yes')
{
    session_destroy();
    header("Location: http://eric.brisco.ca/main.php?error=badlogin");
    exit();
}
?>
So I have a control page which processes the form, navigates me around the admin section, and enables me to visit the other admin pages. Of course there are so many ways to code a login (whether to one or several pages), and this is because every need and situation is different.
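The guard that erisco's "remaining pages" run, combined with two of the hijack mitigations dimeric mentioned earlier (binding the session to the client IP seen at login, plus an idle timeout). This is an added example, not erisco's or dimeric's code: the decision is kept in a function that takes plain arrays so it can be exercised from the command line without a web server, and requireLogin() is the wrapper a real page would call. It assumes PHP 7.1 or later, that the login page stored 'user', 'ip' and 'last_seen' in $_SESSION, and a redirect target of /main.php; the session and request values at the bottom are constructed.

```php
<?php
// Added example (not the thread's code): a protected-page guard with
// dimeric's IP check and an idle timeout. Assumes login.php stored
// $_SESSION['user'], $_SESSION['ip'] (REMOTE_ADDR at login) and
// $_SESSION['last_seen'] (unix time of the last request).
declare(strict_types=1);

const IDLE_LIMIT = 1800;   // seconds of inactivity before the login expires

// Returns '' when the request may proceed, otherwise a short reason string.
function sessionProblem(array $session, array $server, int $now): string
{
    if (!isset($session['user'], $session['ip'], $session['last_seen'])) {
        return 'not-logged-in';
    }
    // dimeric's IP check. Caveat: clients behind a proxy pool or on mobile
    // networks can change address mid-visit, which logs them out early, so
    // treat this as defence in depth rather than the only protection.
    if (!hash_equals((string) $session['ip'], (string) ($server['REMOTE_ADDR'] ?? ''))) {
        return 'ip-changed';
    }
    // Idle timeout: a stolen session id stops working once the user goes quiet.
    if ($now - (int) $session['last_seen'] > IDLE_LIMIT) {
        return 'expired';
    }
    return '';
}

// Call at the top of every protected page, before any output.
function requireLogin(): void
{
    session_start();
    $problem = sessionProblem($_SESSION, $_SERVER, time());
    if ($problem !== '') {
        $_SESSION = [];                      // drop the data, not just the id
        session_destroy();
        header('Location: /main.php?error=' . rawurlencode($problem));
        exit;
    }
    $_SESSION['last_seen'] = time();         // slide the idle window forward
}

// Constructed session/request pairs to exercise the decision function offline.
$now  = 1700000000;
$good = ['user' => ['id' => 1], 'ip' => '203.0.113.5', 'last_seen' => $now - 60];
$old  = ['user' => ['id' => 1], 'ip' => '203.0.113.5', 'last_seen' => $now - 4000];

var_dump(sessionProblem($good, ['REMOTE_ADDR' => '203.0.113.5'], $now));   // ""
var_dump(sessionProblem($good, ['REMOTE_ADDR' => '198.51.100.9'], $now));  // "ip-changed"
var_dump(sessionProblem($old,  ['REMOTE_ADDR' => '203.0.113.5'], $now));   // "expired"
var_dump(sessionProblem([],    ['REMOTE_ADDR' => '203.0.113.5'], $now));   // "not-logged-in"
```

Emptying $_SESSION before session_destroy() matters because session_destroy() only removes the stored copy; the values already loaded into the array stay live for the rest of that request.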

crazy8
05-15-2006, 10:12 PM
Sorry if there was any confusion. The question I was pertaining to that I still was looking for an answer for was my DB tables question.:)

BTW erisco, thank you much for the help and an idea of what's going on. I think I will for sure do sessions and I'm thinking I may make it DB driven too :D

corey84
05-15-2006, 11:46 PM
I suppose the biggest question before anyone can go further for you is what info do you want to store on registration? And are there any sessions that you need to check for them to access pages?

crazy8
05-16-2006, 12:04 AM
Well the only things I'll be asking for when they register is Company, Full Name, E-mail, Username, and Password. As far as pages go this is going to be for my "Re-order" form and "Online Quote" form. Go here if you like/need to check it out: http://65.98.16.170/~millerm/Index.html
Some of the info I'm asking for is for my client to have something to see for a customer base. Now they know their customers and who they are, but this is kind of a way to see who's also taking advantage of the features on the new site :) Also with the info I'm asking for at registration, since on my forms I ask for company, name, and email, is there any way that once a user is logged in those 3 things would be automatically entered into the fields on the form, but still editable of course just in case? Just yet another crazy idea the more and more I get into this... lol

corey84~ hope I somehow answered your questions.

corey84
05-16-2006, 05:52 AM
Okay, try this one out... it uses md5 encryption for the register and login parts

I will upload the SQL as well

To restrict access you will need to do this


<?php
session_start();
// isset() first so an unset key does not raise a notice before the comparison
if (isset($_SESSION['auth']) && $_SESSION['auth'] == 'true') {
    //all protected stuff here
}
else {
    //give them an error message
}
?>


If you need any more help with this then let me know

dimeric
05-16-2006, 06:33 AM
md5 should be avoided where possible, sha1 with salt is far better

crazy8
05-16-2006, 09:02 AM
If I decided to try cookies in my script, is it pretty easy to change it over to sessions later if I decided to do so? Perhaps by just changing $_COOKIES to $_SESSION and some minor editing, or would it be a little more complex to switch over?

BTW this is a lot of great info, thanks a lot to all of you for the help and information. I thought my mail script would be my "jewel". Looks like this login script will be :D

corey84
05-16-2006, 05:03 PM
md5 should be avoided where possible, sha1 with salt is far better

Could you post some info on that for me? I thought md5 was better.

crazy8
05-16-2006, 08:59 PM
I could be wrong, but with some of the reading I have been able to do I think I heard the same thing. But there was also debate about the "salt", saying that people who use it will make it mandatory for the password to consist of at least 1 alphanumeric character. I don't know a lot about this stuff, just relaying what I read (if I remember right).

crazy8
05-17-2006, 10:13 AM
Corey84~ I saw the poll you posted up, good idea btw :D Now as you know, along with everyone else, this stuff (md5 and sha1) is still foreign to me. PHP I'm starting to get a little grasp on, but now is there a way to use both? Would it bring better security, or is it just better to use one (whichever may be best)?

I did find something googling; maybe you guys could take a look and tell me what you think, or if it's too much for me to get into. Well there are more I came across but this is the one I was referring to; maybe you guys might be able to find something good if this one isn't.
http://www.evolt.org/article/PHP_Login_System_with_Admin_Features/17/60384/index.html
Let me know what you guys think :D Thanks a lot guys for all the help, you guys have been doing great on this :D

crazy8
05-22-2006, 07:07 PM
Could anyone answer the above post... any more on this topic? Does anyone know of any great tutorials or anything... on how to do this and understand it? Thanks a lot for all the good info everyone.

corey84
05-22-2006, 08:17 PM
That one looks pretty good, I think I used the earlier version of that script when I first started out. Looking a lot better now though. It looks secure and has all the functions you could want.

Kravvitz
05-22-2006, 08:19 PM
SHA1 is a stronger encryption than MD5. These two encryptions are one way encryptions, so they are mostly used to encrypt a password before storing in a database, so that someone looking at the database can't determine what the passwords are that are stored there. Those two types are also 1-to-1 encryptions -- meaning that when you encrypt a given string, the result of the encryption will always be the same. When checking to see if a password is correct you encrypt the password with the same algorithm and then check to see if it matches the encrypted copy that is stored in the database.

I suppose you could use both, but I don't see why you would want to.

crazy8
05-24-2006, 03:27 PM
Is anyone aware of any tutorials or anything that supplies code or examples of how to do all this that would be easy to follow, even for everyone? I would much like to take this on, but at the same time I'm still new to this and a TOTAL virgin when it comes to security stuff and encryption. So anything that will show me what to do, how to do it, and even explain what everything is would be great.

Thanks so much for the help everyone.

beefa
05-24-2006, 06:38 PM
Crazy8,

If you have had no previous PHP experience, you are not ready for a tutorial. Tutorials are all over the net, but they include only the basics, and if you want to add fields or modify them etc, you are going to need the help of someone on the forums.

If you aren't prepared to pay for a script, learn from w3schools and then once you have had a reasonable basis in PHP follow a tutorial.

Beefa