A Simple Login Script

The simple login script described here uses a "hard-wired" username and password to login and gain access to a protected web page (a more sophisticated version that allows the username and password of multiple users to be stored in a MySQL database is described in a later page). Since the login script is intended to allow access to other web pages on our website to authorised users only, we need to ensure that users cannot simply bypass the login script once they discover the filename of the page we are trying to protect. To this end, we will incorporate some of the things we have learned about sessions to make sure this cannot happen. We will create a login page that establishes a session and asks the user to enter a username and password. If the credentials entered by the user match those hard-coded into the script, a session variable called login will be set to "OK", and the user will be directed to the protected page. The protected page will retrieve the value of login from the $_SESSION associative array to check that its value is "OK", which will only be true if the user has logged in with a valid username and password. If this turns out not to be the case, the user is redirected to the login screen.

The code that does the checking can be included in every page in a protected area in a website. In the example below, the code at the top of the page calls the session_start() function and checks whether or not the login session variable for the current session is equal to "OK". If not, the user is redirected to the "login.php" page and the script terminates. Otherwise, the page tells the user they have logged in, and displays their username and password. In the root of your XAMPP server (on my computer, this would be X:\xampp\htdocs), create a file called "protected.php" and paste in the following code:

<?php
  session_start();
  if($_SESSION['login'] != "OK")
  {
    header('Location: login.php');
    exit();
  }
?>

<html>

  <head>
    <title>Protected Web Page</title>
  </head>

  <body>
    <h1>Protected Web Page</h1>

  <?php
    echo "<p>You have successfully logged in!</p>";
    echo "<p>Your username is: ";
    echo $_SESSION['username'];
    echo "<br/>";
    echo "Your password is: ";
    echo $_SESSION['password'];
    echo "</p>"
  ?>

  </body>

</html>

We will now create the login page, which uses a form to allow the user to enter a username and password. Create a file called "login.php" and paste in the following code:

<?php
  $user = "";
  $pass = "";
  $validated = false;

  if ($_POST)
  {
    $user = $_POST['username'];
    $pass = $_POST['password'];
  }

  session_start();
  if($user!=""&&$pass!="")
  {
    if($user=="jsmith"&&$pass=="letmein") $validated = true;
    if($validated)
    {
      $_SESSION['login'] = "OK";
      $_SESSION['username'] = $user;
      $_SESSION['password'] = $pass;
      header('Location: protected.php');
    }
    else
    {
      $_SESSION['login'] = "";
      echo "Invalid username or password.";
    }
  }
  else $_SESSION['login'] = "";
?>

<html>
  <head>
    <title>Login Page</title>
  </head>

  <body>

    <h1>Login Page</h1>

    <p>Please enter your username and password:</p>

    <form action="login.php" method="post">
      <table>
        <tr>
          <td align="right">Username: </td>
          <td><input size=\"20\" type="text" size="20" maxlength="15" name="username"></td>
        </tr>
        <tr>
          <td align="right">Password: </td>
          <td><input size=\"20\" type="password" size="20" maxlength="15" name="password"></td>
        </tr>
        <tr>
          <td> </td>
          <td colspan="2" align="left"><input type="submit" value="Login"></td>
        </tr>
      </table>
    </form>
  </body>
</html>

The login page and the output from "protected.php" resulting from a successful login are shown below:


The login page

The login page



The output from protected.php

The output from protected.php