runQuery("SELECT user_id, pword FROM user_list WHERE login_name='$login_name'");
// NOTE(review): the statement above starts before this excerpt, and $db_info (used below) is assigned
// outside it. As visible here, $login_name is interpolated directly into the SQL string with no escaping
// or parameter binding, so a crafted login name can change the query; every query in this block is built
// the same way by string concatenation. A prepared statement with bound parameters is the standard fix.
// NOTE(review): mysql_num_rows() belongs to the legacy ext/mysql extension, which was removed in PHP 7.
if(mysql_num_rows($db_info)==1) {
    list($user_id, $db_password) = $db->fetch_results($db_info);
    // NOTE(review): the stored `pword` column is compared to the submitted value with loose `==`, which
    // suggests passwords are kept in the clear and also subjects the check to PHP's loose-comparison rules
    // (numeric-looking strings compare as numbers). The expected pattern is password_hash()/password_verify(),
    // or at the very least a strict, constant-time comparison via hash_equals(). Confirm what `pword` holds.
    if($db_password == $form_password) {
        // if the passwords match, then this user is authenticated. there are a few things that we'll need to do
        // to be sure that their session doesn't get corrupted. firstly, however, we'll get some more information
        // about them for use within the system.
        $contact_info = $db->runQuery("SELECT first_name, last_name, email FROM user_list WHERE user_id=$user_id");
        list($first_name, $last_name, $email) = $db->fetch_results($contact_info);
        // NOTE(review): the session is populated without a preceding session_regenerate_id(), so an attacker
        // who planted a session id in the victim's browser before login keeps a valid authenticated session
        // (session fixation). Regenerating the id at this point is the usual mitigation.
        $_SESSION['user_id'] = $user_id;
        $_SESSION['full_name'] = $first_name . " " . $last_name;
        $_SESSION['email'] = $email;
        // the easiest way to hijack someone's account with this sort of setup is to get ahold of a valid PHP session
        // id and then pretend to be the person whose authenticated account was used to generate that session. But,
        // we can make things a little more secure by recording other pertinent information about the person who
        // started this session in the database for retrieval on every other secure page. This information includes
        // the user agent (browser) of the visitor and their IP address. We'll also generate a random fingerprint
        // using the uniqid() function which will be very hard to replicate. This will be stored in the database
        // only and not in the session so simply getting the session information won't give you this fingerprint.
        // thus, to hijack an account a person would need to (a) get access to a PHP session id, (b) figure out the
        // browser that the authentic user was using, and (c) spoof that person's IP address, too.
        //
        // NOTE(review): uniqid() is time-based and documented as not cryptographically secure, so the raw
        // fingerprint is more predictable than the comment above implies; random_bytes() is the appropriate
        // source. The session does carry sha1() of the fingerprint, so a leaked session still exposes the
        // derived value. HTTP_USER_AGENT is a header the client chooses freely (and may be absent, which
        // raises a notice here), and binding to REMOTE_ADDR will log out legitimate users whose address
        // changes. Treat this check as defence in depth, not as the primary session-hijacking control.
        $fingerprint = uniqid(time(), true);
        $_SESSION['fingerprint'] = sha1($fingerprint . $_SERVER['HTTP_USER_AGENT'] . 
$_SERVER['REMOTE_ADDR']);
        // $user_id comes from the database row, but the queries are still assembled by interpolation.
        $db->runQuery("REPLACE INTO user_fingerprints (user_id, fingerprint) VALUES ($user_id, '$fingerprint')");
        $db->runQuery("UPDATE user_list SET last_login=NOW() WHERE user_id=$user_id");
        header("Location: index.php"); // with an authentic user, we can re-direct into the database tools
        exit; // but we'll want to halt execution of this page
    } else $login_error = "bad_password";
    // NOTE(review): distinct "bad_password" / "not_found" outcomes (and the messages rendered below) let a
    // caller confirm which login names exist; a single generic failure message avoids that disclosure.
} else $login_error = "not_found"; ?>

Login Failed

The password you entered did not match the one stored in the database for your account. Please attempt to log into this system again using the form below.

The system was unable to find an account with a login name of "." Please attempt to log into this system again using the form below. If you have forgotten your login name or password, then you can set up new ones by re-activating your account.