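<?php
// Login handler: checks the posted credentials against user_list, sets up the
// session for a valid user and redirects to index.php; on failure it falls
// through to the error text and login form rendered below.
require_once("../includes/init.php");
$db = initdb();
session_start();

$login_error = null;

// NOTE(review): the form fields are read positionally (password first, then
// login name), so this depends on the order the form posts them in; read them
// by field name once the form's input names are confirmed.
$posted = array_values($_POST);
if (count($posted) >= 2) {
    list($form_password, $login_name) = $posted;
    $form_password = (string) $form_password;
    $login_name = (string) $login_name;

    // login_name is attacker-controlled text: escape it before it is
    // interpolated into SQL.
    $safe_login_name = mysql_real_escape_string($login_name);
    $db_info = $db->runQuery("SELECT user_id, pword FROM user_list WHERE login_name='$safe_login_name'");

    if (mysql_num_rows($db_info) === 1) {
        list($user_id, $db_password) = $db->fetch_results($db_info);
        $user_id = (int) $user_id;

        // Constant-time comparison instead of the loose `==`, which compares
        // numeric-looking strings by value.
        // NOTE(review): pword is compared as-is, so it appears to be stored in
        // the clear; storing password_hash() output and checking it with
        // password_verify() is the proper fix but needs a schema migration.
        if (hash_equals((string) $db_password, $form_password)) {
            // Authenticated. Issue a fresh session id so an id fixed before
            // login cannot be reused, then load the details the rest of the
            // system keeps in the session.
            session_regenerate_id(true);

            $contact_info = $db->runQuery("SELECT first_name, last_name, email FROM user_list WHERE user_id=$user_id");
            list($first_name, $last_name, $email) = $db->fetch_results($contact_info);
            $_SESSION['user_id'] = $user_id;
            $_SESSION['full_name'] = $first_name . " " . $last_name;
            $_SESSION['email'] = $email;

            // Session-hijack mitigation: a random fingerprint is stored only in
            // the database, while the session carries a hash of it combined with
            // the browser's user agent and IP address. Secure pages recompute the
            // hash and compare, so a stolen session id alone is not enough; the
            // attacker would also have to present the same user agent and source
            // address. The fingerprint comes from a CSPRNG rather than uniqid(),
            // whose time-based output is predictable. Binding to the IP address
            // means a user whose address changes mid-session is logged out.
            $fingerprint = bin2hex(openssl_random_pseudo_bytes(20));
            $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            $_SESSION['fingerprint'] = sha1($fingerprint . $user_agent . $remote_addr);

            $safe_fingerprint = mysql_real_escape_string($fingerprint);
            $db->runQuery("REPLACE INTO user_fingerprints (user_id, fingerprint) VALUES ($user_id, '$safe_fingerprint')");
            $db->runQuery("UPDATE user_list SET last_login=NOW() WHERE user_id=$user_id");

            header("Location: index.php"); // authenticated: redirect into the tools
            exit;                          // and stop rendering this page
        } else {
            $login_error = "bad_password";
        }
    } else {
        $login_error = "not_found";
    }
}
?>
<?php require_once("$FILE_ROOT/includes/layout/header.php"); ?>
<?php if ($login_error === "bad_password") { ?>
The password you entered did not match the one stored in the database for your account. Please attempt to log into this system again using the form below.
<?php } elseif ($login_error === "not_found") { ?>
The system was unable to find an account with a login name of "<?= htmlspecialchars($login_name, ENT_QUOTES, 'UTF-8') ?>." Please attempt to log into this system again using the form below.
<?php } ?>
If you have forgotten your login name or password, then you can set up new ones by re-activating your account.
<?php require_once("$FILE_ROOT/includes/layout/footer.php"); ?>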