Login and Logout Authentication for a Project Management Application

In this article we continue looking at the login and logout scripts of the project management application. The previous article ended with the PHP code of the login script; this one covers the HTML login form and the logout script.

To quickly recap: the login script is responsible for authenticating a user’s log-in credentials. It takes the user’s username and password, and compares them to the information in the database. Here’s the code that makes that comparison; I’ve already explained in detail what the code means in the previous article and will not do it here. 

<?php

include "dbcon.php";

include "functions.php";

//initialise variables

$err=false;

$errmsg="";

//is form submitted?

if(isset($_POST['submit'])){

//check that the form values are not empty, if so, set errormsg value

if(empty($_POST['uname'])){

$errmsg="The username field is empty, please enter a username<br>";

$err=true;

}

if(empty($_POST['upass'])){

$err=true;

$errmsg .="The password field is empty, please enter password<br>";

}

//check that the username is in correct format

if(!checkformat($_POST['uname'])){

$err=true;

$errmsg .="The username that you entered has an incorrect format.<br>";

}

//if there are no errors above, escape the form values before using them in the query.

if(!$err){

$cleanuname = mysql_real_escape_string($_POST['uname']); //uses the open connection's character set, unlike mysql_escape_string()

$cleanupass = mysql_real_escape_string($_POST['upass']);

$checkuser = "SELECT * from users WHERE uname = '".$cleanuname."' AND upass = '".$cleanupass."'";

$checkuser_res = mysql_query($checkuser);

$checkuser_num = mysql_num_rows($checkuser_res);

if($checkuser_num > 0){

//if user exists and passes authentication

//setup session variables and redirect to index page

$row = mysql_fetch_assoc($checkuser_res);

$_SESSION['name'] = $row['name']." ".$row['sname'];

$_SESSION['uid'] = $row['uid'];

$_SESSION['level'] = $row['level'];

//redirect

header("Location: main.php");

exit; //stop here so nothing after the redirect is executed or sent

}else{

//if values do not match set errmsg

$err=true;

$errmsg .="The username or password you entered does not match.<br> MYSQL ERROR ".mysql_error();

}//else

}//end $err check

} //end form submit check

The user’s login information is stored in a MySQL database table called “users” and contains all the information that the project management application will need to manage the user. Below is the SQL for the table; as with the earlier code, I’ve already explained what each field is for. Check the previous article for more information.

CREATE TABLE `users` (

`uid` int(11) NOT NULL auto_increment,

`name` varchar(20) NOT NULL default '',

`sname` varchar(20) NOT NULL default '',

`uname` varchar(100) NOT NULL default '',

`upass` varchar(8) NOT NULL default '',

`level` enum('admin','normal') NOT NULL default 'normal',

`last_login` datetime NOT NULL default '0000-00-00 00:00:00',

`email` varchar(100) NOT NULL default '',

PRIMARY KEY (`uid`)

) ENGINE=MyISAM AUTO_INCREMENT=5 ;

That is basically all there is to the login part of user authentication. One thing to be aware of before using this in production: the query compares the submitted password directly against the upass column, so passwords are stored in clear text (and the column is only varchar(8)). Anyone who obtains a copy of the table has every user's password. The safer pattern is to store a salted hash (PHP's password_hash()) and, after fetching the row by username alone, check the submitted password in PHP with password_verify() rather than in the SQL.

The HTML Form

The HTML form attached to the code above simply displays the username and password fields as stated in the previous article. We will look at it here.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/userauth.dwt.php" codeOutsideHTMLIsLocked="false" -->

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!-- InstanceBeginEditable name="doctitle" -->

<title>Project Management ::Login</title>

<!-- InstanceEndEditable -->

<!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->

<link href="Templates/loginstyle.css" rel="stylesheet" type="text/css" />

</head>


<body>

<table width="100%" border="0">

<tr>

<td bgcolor="#6699CC" class="headertxt">Project Management:: User Authentication </td>

</tr>

<tr>

<td><!-- InstanceBeginEditable name="main" -->

<table width="100%" border="0" class="formborder">

<tr>

<td colspan="2" class="loginheader">Login</td>

</tr>

<tr>

<td colspan="2">&nbsp;</td>

</tr>


The form starts here with the <form> element. Immediately below you can clearly see where the error message display area is set.

<form action="login.php" method="post" name="f1" class="formborder">

<?php if(!empty($errmsg)){ //$errmsg is initialised to "" above, so isset() would always be true ?>

<tr>

<td colspan="2" class="errmsg" ><?php echo $errmsg; ?></td>

</tr>

<tr>

<td colspan="2">&nbsp;</td>

</tr>

<?php

}

?>

<tr>

The error rows are only output if $errmsg contains a message, that is, if one of the checks in the PHP code above set it. The next part of the form displays the "username" field.

<td width="10%" valign="bottom"><strong>Username:</strong></td>

<td width="90%"><label>

<input name="uname" type="text" class="login" id="uname" size="40" />

</label></td>

</tr>

<tr>

And finally, here is the password field.

<td valign="bottom"><strong>Password:</strong></td>

<td><label>

<input name="upass" type="password" class="login" id="upass" size="40" />

</label></td>

</tr>

<tr>

<td>&nbsp;</td>

A link to the password.php file is provided for those who have forgotten their password. The password.php script is responsible for retrieving and sending the password to the user.

<td><a href="password.php">Forgot your password?</a> </td>

</tr>

<tr>

<td>&nbsp;</td>

<td><label>

<input name="submit" type="submit" id="submit" value="Log me in!" />

</label></td>

</tr>

</form>

</table>

<!-- InstanceEndEditable --></td>

</tr>

<tr>

<td align="right" class="cright">copyright &copy; 2007 PM </td>

</tr>

</table>

</body>

<!-- InstanceEnd --></html>


Throughout the PHP section of the log-in code (and indeed, throughout the entire application), you will note that I’ve called the mysql_error() function to see if any errors occurred in the mysql query code:

}else{

//if values do not match set errmsg

$err=true;

$errmsg .="The username or password you entered does not match.<br> MYSQL ERROR ". mysql_error();

}//else

I have only done this for debugging while the code was in development. Before using the application in the real world you should handle the error differently: log it server-side (PHP's error_log() function, or a small logging class that appends to a file outside the web root) and show the user a generic message only. The text returned by mysql_error() reveals table and column names, fragments of the failed query and details of the server, which is exactly the information an attacker probing for SQL injection wants, so echoing it to the browser is a vulnerability in itself. For the same reason display_errors should be turned off in php.ini on the production server.
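Putting these points together, here is an added example (not the tutorial's own code) of what the login check looks like when the password is stored as a hash, the query is parameterised, the session ID is regenerated after a successful login and database errors are logged instead of displayed. It assumes a PDO connection to the same database (the DSN and credentials are placeholders), the users table shown earlier with upass widened to varchar(255) so it can hold a password_hash() string, and a checkformat() function like the one in functions.php; a stand-in is defined if none is loaded.

```php
<?php
// Added example, not the tutorial's code. Assumptions: PDO/MySQL, the `users`
// table from the article with `upass` widened to varchar(255), placeholder
// credentials, and a checkformat() like the one in functions.php.
session_start();

if (!function_exists('checkformat')) {
    // Stand-in for the tutorial's checkformat(): 3-100 chars of a safe alphabet.
    function checkformat(string $uname): bool
    {
        return (bool) preg_match('/^[A-Za-z0-9_.@-]{3,100}$/', $uname);
    }
}

function connect_db(): PDO
{
    // Placeholder DSN and credentials; exceptions instead of silent failures.
    return new PDO(
        'mysql:host=localhost;dbname=project_management;charset=utf8mb4',
        'pm_user',
        'pm_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Check a username/password pair and set up the session on success.
// Returns true or false only: the caller cannot tell which half was wrong.
function login_user(PDO $pdo, string $uname, string $upass): bool
{
    if ($uname === '' || $upass === '' || !checkformat($uname)) {
        return false;
    }

    // Parameterised query: the username travels separately from the SQL text,
    // so no escaping function is needed and no quoting mistake is possible.
    $stmt = $pdo->prepare('SELECT uid, name, sname, level, upass FROM users WHERE uname = ? LIMIT 1');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // upass now holds a password_hash() string, written when the account was
    // created with password_hash($plain, PASSWORD_DEFAULT).
    // For an unknown username verify against a dummy hash anyway, so the
    // response time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $ok = password_verify($upass, $row ? $row['upass'] : $dummy);
    if (!$row || !$ok) {
        return false;
    }

    // New session ID on privilege change: an ID fixed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['uid']   = (int) $row['uid'];
    $_SESSION['name']  = $row['name'] . ' ' . $row['sname'];
    $_SESSION['level'] = $row['level'];
    return true;
}

$errmsg = '';
if (isset($_POST['submit'])) {
    try {
        $uname = (string) ($_POST['uname'] ?? '');
        $upass = (string) ($_POST['upass'] ?? '');
        if (login_user(connect_db(), $uname, $upass)) {
            header('Location: main.php');
            exit;
        }
        // One generic message for every authentication failure.
        $errmsg = 'The username or password you entered does not match.';
    } catch (PDOException $e) {
        // The real reason goes to the server log, never to the browser.
        error_log('login.php: ' . $e->getMessage());
        $errmsg = 'Login is temporarily unavailable. Please try again later.';
    }
}
// The HTML form from this article follows, showing $errmsg when it is non-empty.
```

The hash has to be written when the account is created or the password is changed, which is why upass must be widened: password_hash() with PASSWORD_DEFAULT currently produces a 60-character bcrypt string, and the algorithm may grow in future PHP versions.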

That’s it for the login script. Next we’ll look at the logout form.

The Logout Form

The code below does the actual logging out by destroying the session and the variables stored in it. It first calls ob_start() and then includes the usual database connection file (dbcon.php), which is also where session_start() is called.

<?php

ob_start();

include "dbcon.php";

//update the users table

ob_start() turns on output buffering: the script runs as normal, but nothing is sent to the browser until the buffer is flushed (at the latest when the script ends). The practical benefit is that header() and session_start() can be called even after some output has been produced without triggering the dreaded "headers already sent" error. Note that dbcon.php, included on the previous line, is what actually calls session_start(). We then check that the visitor really has an authenticated session by testing for the name session variable that login.php set.

if(isset($_SESSION['name'])){

If so, we first update the users table's last_login field for this user with today's date, held in the $td variable. $td is defined in dbcon.php, which was included at the top; here are its contents.

<?php

session_start();

$title = "Project Management";

//database connection

$db = mysql_connect("localhost") or die("Failed to open connection to MySQL server.");

mysql_select_db("project_management") or die("Unable to select database");

//set useful variables

$month_names = array("","January","February","March","April","May","June","July","August",
"September","October","November",
"December");

//set useful variables

$td = date("Y-m-d");

$date_time =date("Y-m-d H:i:s"); //24-hour clock (H), which is what a MySQL DATETIME expects

?>

The $td variable contains today’s date in the format year-month-date, which is the format used by MySQL. The update query is run like so:

$uname =$_SESSION['name'];

$save = "UPDATE users SET last_login ='".$td."' WHERE uid = ".(int)$_SESSION['uid']; //restrict the update to the user logging out

mysql_query($save);

Then the sessions are destroyed like so:

//destroy session (dbcon.php has already called session_start(), so it is not called again here)

session_unset();

session_destroy();

}else{

If the name session variable is not set, then we redirect the user to the login page.

//user is not suppose to be on this page

//redirect to login page

header("Location: login.php");

exit; //stop here so the HTML below is not sent along with the redirect

}

?>
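For comparison, here is an added example (not the tutorial's own code) of a logout that tightens the steps just described: the UPDATE is parameterised and limited to the logged-in user's row, the session cookie is expired in the browser as well as the server-side data being destroyed, the script exits after the redirect, and a database failure is logged rather than shown and does not prevent the session from being ended. It assumes the same PDO connection as the login example (placeholder credentials) and that login.php stored the user's id and display name in $_SESSION['uid'] and $_SESSION['name'] as shown earlier.

```php
<?php
// Added example, not the tutorial's code. Assumptions: PDO/MySQL with
// placeholder credentials, and $_SESSION['uid'] / $_SESSION['name'] set by
// login.php as shown in the article.
session_start();

function connect_db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=project_management;charset=utf8mb4',
        'pm_user',
        'pm_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Record the logout time for one user only. The id is bound as a parameter
// and the WHERE clause keeps the update from touching every row.
function record_logout(PDO $pdo, int $uid): void
{
    $stmt = $pdo->prepare('UPDATE users SET last_login = NOW() WHERE uid = ?');
    $stmt->execute([$uid]);
}

// Tear the session down on both sides: the server-side data and the cookie
// that names it. session_destroy() alone leaves the cookie in the browser.
function end_session(): void
{
    // 1. Empty the session array (equivalent to session_unset()).
    $_SESSION = [];

    // 2. Expire the cookie with the same parameters it was set with, so the
    //    browser stops presenting the old session ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session record.
    session_destroy();
}

if (!isset($_SESSION['uid'])) {
    // Not logged in: nothing to log out of.
    header('Location: login.php');
    exit;   // without this the HTML below would still be sent with the redirect
}

$uname = $_SESSION['name'];   // keep the display name before the session is gone

try {
    record_logout(connect_db(), (int) $_SESSION['uid']);
} catch (PDOException $e) {
    error_log('logout.php: ' . $e->getMessage());   // log it, do not display it
}
end_session();   // runs whether or not the database update succeeded

// The "you are now logged out" HTML follows. Output the name as
// htmlspecialchars($uname) so a name containing markup cannot inject script.
```

The order matters: the name is copied out before end_session(), and end_session() runs outside the try block so that a database outage cannot leave a user who clicked "log out" with a live session.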

The HTML part of the logout script simply displays the "you are now logged out" message and offers the user a login link.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/userauth.dwt.php" codeOutsideHTMLIsLocked="false" -->

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!-- InstanceBeginEditable name="doctitle" -->

<title>Project Management::Logout</title>

<!-- InstanceEndEditable -->

<!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->

<link href="Templates/loginstyle.css" rel="stylesheet" type="text/css" />

</head>


<body>

<table width="100%" border="0">

<tr>

<td bgcolor="#6699CC" class="headertxt">Project Management:: User Authentication </td>

</tr>

<tr>

<td><!-- InstanceBeginEditable name="main" -->

<table width="100%" border="0">

<tr>

<td width="33%">&nbsp;</td>

<td width="30%">&nbsp;</td>

<td width="37%">&nbsp;</td>

</tr>

<tr>

<td colspan="3"><div align="center" class="loginheader"><strong><?php echo htmlspecialchars($uname).",";?></strong> you are now logged out. </div></td>

</tr>

<tr>

<td colspan="3"><div align="center" class="loginheader">Click <a href="login.php">here</a> to login </div></td>

</tr>

</table>

<!-- InstanceEndEditable --></td>

</tr>

<tr>

<td align="right" class="cright">copyright &copy; 2007 PM </td>

</tr>

</table>

</body>

<!-- InstanceEnd --></html>


The Script

This is how your entire logout script should look:

<?php

ob_start();

include "dbcon.php";

//update the users table

if(isset($_SESSION['name'])){

$uname =$_SESSION['name'];

$save = "UPDATE users SET last_login ='".$td."' WHERE uid = ".(int)$_SESSION['uid']; //restrict the update to the user logging out

mysql_query($save);

//destroy session (dbcon.php has already called session_start(), so it is not called again here)

session_unset();

session_destroy();

}else{

//user is not suppose to be on this page

//redirect to login page

header("Location: login.php");

exit; //stop here so the HTML below is not sent along with the redirect


}

?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/userauth.dwt.php" codeOutsideHTMLIsLocked="false" -->

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!-- InstanceBeginEditable name="doctitle" -->

<title>Project Management::Logout</title>

<!-- InstanceEndEditable -->

<!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->

<link href="Templates/loginstyle.css" rel="stylesheet" type="text/css" />

</head>


<body>

<table width="100%" border="0">

<tr>

<td bgcolor="#6699CC" class="headertxt">Project Management:: User Authentication </td>

</tr>

<tr>

<td><!-- InstanceBeginEditable name="main" -->

<table width="100%" border="0">

<tr>

<td width="33%">&nbsp;</td>

<td width="30%">&nbsp;</td>

<td width="37%">&nbsp;</td>

</tr>

<tr>

<td colspan="3"><div align="center" class="loginheader"><strong><?php echo htmlspecialchars($uname).",";?></strong> you are now logged out. </div></td>

</tr>

<tr>

<td colspan="3"><div align="center" class="loginheader">Click <a href="login.php">here</a> to login </div></td>

</tr>

</table>

<!-- InstanceEndEditable --></td>

</tr>

<tr>

<td align="right" class="cright">copyright &copy; 2007 PM</td>

</tr>

</table>

</body>

<!-- InstanceEnd --></html>


Conclusion

That’s it for this section of user authentication. In the next section we will discuss password and user management.
