PHP Login script with MySQL

Hello,
  I am fairly new to PHP and I have stumbled on this set of scripts that work in conjunction to allow a person to log in to my website. It works like this: Once you have tried to access the page that is password locked, it redirects you to the incSession.php page which determines if there is a cookie on your computer saying that you are logged in or not, but this page is not seen. If you are not logged in, it directs you to the Login.php page in which you can log in. Once you have typed in the User and Password, it directs you to another page that can't be viewed, LoginAction.php. This page determines if you have entered the correct info by connecting to my MySQL page and seeing if that information is there or not. If it is, you will be directed to the page you want to view; if not, you go right back to the Login.php page. What I am trying to do is add a timeout to the cookie or the session that the user is on, and I would like to have a command here to determine if you have cookies enabled or not, and if not it would show an alert.

Here are the PHP pages in order:

members.php:(ex.)

<?PHP require('incSession.php'); ?>
<html>
..................
</html>

incSession.php:

<?php
// Check for a cookie, if none go to login page
$sRefer = urlencode($_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
if(!isset($_COOKIE['session_id'])) {
    header('Location: Login.php?refer='.$sRefer);
    exit; // stop here, otherwise the protected page below is still sent
}

// Try to find a match in the database
$sGUID = $_COOKIE['session_id'];
$hDB = mysqli_connect('host', 'user', 'pass', 'database');

// The cookie value is bound as a parameter, never placed in the SQL text
$hStmt = mysqli_prepare($hDB, "
Select iUser
From tblUsers
Where sGUID = ?");
mysqli_stmt_bind_param($hStmt, 's', $sGUID);
mysqli_stmt_execute($hStmt);
mysqli_stmt_store_result($hStmt);

if(!mysqli_stmt_num_rows($hStmt)) {
    // No match for guid
    header('Location: Login.php?refer='.$sRefer);
    exit;
}
?>

Login.php:

<html>
<body>
<p align="center"><form action="LoginAction.php" method="Post">
  <div align="center"><font color="#FF6600"><strong>User:<br />
        <input type="Text" name="psUser" />
        <br />
    Password:</strong></font><br />
    <input type="password" name="psPassword" />
    <br />
    <input type="submit" value="Login" />
   
  <input type="hidden" name="psRefer" value="<?php echo htmlspecialchars(isset($_GET['refer']) ? $_GET['refer'] : '', ENT_QUOTES); ?>" >
  </div>
</form> </p>
</body>
</html>

LoginAction.php:

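<?php
// Read the form fields from $_POST (register_globals is not relied on)
$psUser     = isset($_POST['psUser']) ? $_POST['psUser'] : '';
$psPassword = isset($_POST['psPassword']) ? $_POST['psPassword'] : '';
$psRefer    = isset($_POST['psRefer']) ? $_POST['psRefer'] : '';

// Check if the information has been filled in
if($psUser == '' || $psPassword == '') {

    // No login information
    header('Location: Login.php?refer='.urlencode($psRefer));
    exit;

} else {

    // Authenticate user
    $hDB = mysqli_connect('host', 'user', 'pass', 'database');

    // Form values are bound as parameters, never placed in the SQL text.
    // password() is kept from the original schema; MySQL 8.0 removed it.
    $hStmt = mysqli_prepare($hDB, "
    Select iUser
    From tblUsers
    Where sUser = ?
    And sPassword = password(?)");
    mysqli_stmt_bind_param($hStmt, 'ss', $psUser, $psPassword);
    mysqli_stmt_execute($hStmt);
    mysqli_stmt_bind_result($hStmt, $iUser);

    if(mysqli_stmt_fetch($hStmt)) {
        mysqli_stmt_close($hStmt);

        // New session id from the system CSPRNG (32 hex characters)
        $sGUID = bin2hex(random_bytes(16));

        // Update the user record
        $hStmt = mysqli_prepare($hDB, "
        Update tblUsers
        Set sGUID = ?
        Where iUser = ?");
        mysqli_stmt_bind_param($hStmt, 'si', $sGUID, $iUser);
        mysqli_stmt_execute($hStmt);

        // Set the cookie and redirect
        setcookie("session_id", $sGUID);

        // Only follow a local path, otherwise fall back to the index page
        if(!preg_match('#^/(?![/\\\\])#', $psRefer)) $psRefer = 'index.php';
        header('Location: '.$psRefer);
        exit;

    } else {

        // Not authenticated
        header('Location: Login.php?refer='.urlencode($psRefer));
        exit;

    }
}
?>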

Asked by: techadvanced06

techadvanced06 (Author) commented:
It might be hard to see in all of the code, but there are 4 PHP codes included in there: member.php, incSession.php, Login.php, and LoginAction.php

frugle commented:
The only way to determine if cookies are turned on is to set one then try to read it.

setcookie() defines a cookie to be sent along with the rest of the HTTP headers. Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). This requires that you place calls to this function prior to any output, including <html> and <head> tags as well as any whitespace. If output exists prior to calling this function, setcookie() will fail and return FALSE. If setcookie() successfully runs, it will return TRUE. This does not indicate whether the user accepted the cookie.

setcookie.php

<?php
 #Attempt to set a cookie with 1 hour expiry
setcookie( 'test' , 'yes' , time()+3600);

#redirect to next page
header("Location: checkcookie.php");
?>

checkcookie.php

<?php
#Is cookie set?
if (isset($_COOKIE['test'])){

    # redirect to login page
    header("Location: yes_we_have_cookies.php");

} else {

    # redirect to warning page
    header("Location: error_no_cookies.php");

}

?>

see also http://www.php.net/manual/en/features.cookies.php

Setting cookies to expire is done when setting them.  You can forcibly expire a cookie by setting it to a time in the past.

expirecookie.php

<?php

# Set cookie expiry to 1 hour ago.
setcookie( 'test' , 'expired' , time()-3600);

?>

Expiring sessions can be done by altering session.gc_maxlifetime in php.ini or by using ini_set()

http://www.php.net/manual/en/function.ini-set.php

or you can use session_destroy () to log someone out.

see also http://www.php.net/manual/en/ref.session.php

hope this helps,

Mike

techadvanced06 (Author) commented:
Ok, where would I have to plug these commands into in my PHP code? Would that cookie code have to be before it sees if I am logged in or at the same time or what?

frugle commented:
session expiry code should probably be put into the top of incSession.php

The cookie code can be run standalone as a "check for cookies" button. If your login works, you can assume cookies are on.

Mike
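
An added example, not part of the original thread: one way the timeout asked about above could sit at the top of incSession.php. These scripts keep the session id in their own cookie and in tblUsers rather than in PHP's built-in sessions, so the limit is checked against the database on every request. Assumptions that are not in the original post: an INT column tblUsers.iLastSeen (Unix time of the last request, also set by LoginAction.php at login), a 30-minute limit, and PHP 7.3 or later for the setcookie() options array.

```php
<?php
// incSession.php with an idle timeout (added example, not the poster's code).
// Assumed: INT column tblUsers.iLastSeen = Unix time of the last request.
const IDLE_LIMIT = 1800; // seconds (assumed value)

function redirectToLogin() {
    // Expire the cookie in the browser, then stop so the page is not sent
    setcookie('session_id', '', time() - 3600);
    $sRefer = $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'];
    header('Location: Login.php?refer='.urlencode($sRefer));
    exit;
}

$sGUID = isset($_COOKIE['session_id']) ? $_COOKIE['session_id'] : '';
if (!is_string($sGUID) || $sGUID === '') {
    redirectToLogin();
}

$hDB = mysqli_connect('host', 'user', 'pass', 'database');
$iNow = time();
$iCutoff = $iNow - IDLE_LIMIT;

// Valid only if the id matches AND it was used inside the idle window.
// The server decides this; the cookie's expiry is only a hint to the browser.
$hStmt = mysqli_prepare($hDB,
    'SELECT iUser FROM tblUsers WHERE sGUID = ? AND iLastSeen > ?');
mysqli_stmt_bind_param($hStmt, 'si', $sGUID, $iCutoff);
mysqli_stmt_execute($hStmt);
mysqli_stmt_bind_result($hStmt, $iUser);
$bValid = mysqli_stmt_fetch($hStmt) === true;
mysqli_stmt_close($hStmt);

if (!$bValid) {
    // Unknown or timed-out id: clear it server-side so it cannot be reused
    $hStmt = mysqli_prepare($hDB, "UPDATE tblUsers SET sGUID = '' WHERE sGUID = ?");
    mysqli_stmt_bind_param($hStmt, 's', $sGUID);
    mysqli_stmt_execute($hStmt);
    redirectToLogin();
}

// Sliding window: record this request and push the cookie expiry forward
$hStmt = mysqli_prepare($hDB, 'UPDATE tblUsers SET iLastSeen = ? WHERE iUser = ?');
mysqli_stmt_bind_param($hStmt, 'ii', $iNow, $iUser);
mysqli_stmt_execute($hStmt);
setcookie('session_id', $sGUID, [
    'expires' => $iNow + IDLE_LIMIT, 'httponly' => true, 'samesite' => 'Lax',
]);
?>
```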