Thread: Login System

  Post #1: Registered User, Devshed Newbie (0 - 499 posts), joined Jan 2014

    Login System

    Hi guys,
    I'm creating a login system and there is one small bug that I am trying to iron out, so any input is appreciated.
    Once I log out as a user, I get redirected to my login page like:
    Now that I am logged out, if I try to "bypass" the login page and go straight to the index.php page (without logging in this time), I can still access the "secure" page (...not that secure), and I get the following message:

    Notice: Undefined index: status in /Applications/MAMP/htdocs/login-form/classes/membership.php on line 32

    Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/login-form/classes/membership.php:32) in /Applications/MAMP/htdocs/login-form/classes/membership.php on line 33
    You are Logged In User!!!!
    Log Out


    This is the code in membership.php (please see towards the end, where I have marked line 32, which is where I get the notice & warning message):

    PHP Code:
    require 'mysql.php';
    session_start();   // $_SESSION can only be read or written once the session has been started

    class Membership {

        function validate_user($un, $pwd) {
            $mysql = new Mysql();
            $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));
            // if credentials returns true, log in to index page
            if ($ensure_credentials) {
                $_SESSION['status'] = 'authorized';
                header("location: index.php");
            } else return "Please enter a correct username and password";
        }

        function log_User_Out() {
            setcookie(session_name('Mylogin'), '', time() - 1000);
        }

        function confirm_Member() {   // This is Line 32 where I am Getting the Notice Error
            if ($_SESSION['status'] != 'authorized') {
                header("location: login.php");   //////////////// I think that this is the issue, and there are some more modified headers at the top of membership class
            }
        }
    }

    The code in my login.php page is:

    <?php
    require_once 'classes/membership.php';
    $membership = new Membership();
    //if clicked on log out link on index page
    if (isset($_GET['status']) && $_GET['status'] == 'loggedout') {
        $membership->log_User_Out();
    }
    //validate user
    if ($_POST && !empty($_POST['username']) && !empty($_POST['pwd'])) {
        $response = $membership->validate_user($_POST['username'], $_POST['pwd']);
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
    <html xmlns="">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <script src=""></script>
        <script type="text/javascript">
            $(function () {
                $('<span class="exit"> X</span>').appendTo('h4.alert');
            });
        </script>
    </head>
    <body>
        <div id="login">
            <form method="post" action="">
                <h2>Login <small>enter your credentials</small></h2>
                <label for="name">Username: </label>
                <input type="text" name="username" />
                <label for="pwd">Password: </label>
                <input type="password" name="pwd" />
                <p><input type="submit" id="submit" value="login" name="submit" /></p>
            </form>
            <?php if (isset($response)) echo "<h4 class='alert'>".$response."</h4> "; ?>
        </div>
    </body>
    </html>
    Any advice please?

  Post #2: Devshed Expert (3500 - 3999 posts), joined Jul 2012

    The big mistake you make is that you don't have a die after the redirect. That means the code will keep running. And if the redirect fails because of prior output (in your case an error message), the user will even see the page content.

    Never, ever redirect without stopping the script afterwards.

    In fact, your whole control flow is far too fragile. You rely on some magical function to stop unauthorized users. But if that fails (like in your case), all the sensitive code will still be executed.

    You need a more robust approach:

    php Code:
    if ($authorized) { /* all sensitive code goes in here, nowhere else */ }
    else { header('Location: login.php'); exit; /* never redirect without stopping the script */ }

    The next major issue is that you're using MD5 hashes. Seriously, haven't you heard the news? MD5 (or SHA or whatever) offers no protection at all. Anybody can break those hashes in a matter of minutes -- they can even search them on Google.

    You need a real password hashing algorithm like bcrypt.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  Post #3: Super Moderator, Devshed Intermediate (1500 - 1999 posts), joined Jun 2009, Hartford, WI

    I place the following code near the top of my site's top-level index.php file. This way the check is run no matter where they are on the site, unless they access an inner file directly, which then doesn't work for them anyway since required includes are not then included, as well as SESSION items, since they would not be set.
    if (!isset($_SESSION['user']) && (!isset($_GET['loc']) || $_GET['loc'] != 'login')) {
      header('Location: ?loc=login');
      exit;   // stop here so nothing below the check runs for an unauthenticated visitor
    }
    He who knows not that he knows not is a fool, ignore him. He who knows that he knows not is ignorant, teach him. He who knows not that he knows is asleep, awaken him. He who knows that he knows is a leader, follow him.
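Putting reply #2's points (exit after every redirect, a real password hash instead of MD5) and reply #3's single top-level guard together, as an added example that is not code from this thread. It assumes a PDO connection and a users table with username and password_hash columns, neither of which the thread shows:

```php
<?php
// Added example, not code from the thread. Assumed: a PDO handle $db and a
// users table (username, password_hash). Usage in every protected page:
//   require 'auth.php'; require_login();
session_start();

// Guard for protected pages. The redirect is always followed by exit, so the
// rest of the page never runs for an unauthenticated visitor, even when the
// header could not be sent because output had already started.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

// Registration: store a bcrypt hash (salted, slow), never md5() of the password.
function store_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: compare with password_verify() and regenerate the session id on
// success so a session id fixed before login is not promoted to an authorised one.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);
        $_SESSION['user'] = $username;
        return true;
    }
    return false;
}

// Logout: clear the session array, expire the cookie, destroy the server-side
// session, then redirect and stop. Afterwards require_login() fails cleanly.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php');
    exit;
}
```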
