
Help with passwording


dragon master mokuba

12:01 pm on Jan 19, 2008 (gmt 0)

10+ Year Member



I am working on setting up a password protected site. I am using PHP and MySQL. I have a working script that can take the user/pass from the MySQL database, but I don't know how to display different information on each site, like accessing a different directory specific for each user.

[edited by: jatar_k at 12:59 pm (utc) on Jan. 19, 2008]
[edit reason] no urls thanks [/edit]

ZydoSEO

4:24 pm on Jan 19, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What platform is your site running on? Unix or Windows?

What is the goal of having a security system for your site?

If your goal is to simply give users an account so that you can personalize their experience (and get their email) then that wouldn't require much in the way of security. This would pretty much require storing a username, password, email (if not already the username), name, and maybe some demographics like birthday, gender, etc. I would use some type of cryptography algorithm to encrypt passwords before storing them in the DB.

But if the goal is to really secure parts of your site so that only certain users can access certain functionality or sensitive data (like credit card numbers, SSNs, etc), this is another entirely different ball of wax. For the latter (a 'real' security system) rolling your own can be a lot of work if done correctly. For this type of security where you might want different users to have different access and privileges, I'd suggest rather than building your own from scratch that you first research whether or not you can build on top of and utilize your operating system's security. The OS is likely to have thought of way more security holes than you will.

Just an idea...

[edited by: ZydoSEO at 4:34 pm (utc) on Jan. 19, 2008]

dragon master mokuba

2:57 am on Jan 20, 2008 (gmt 0)

10+ Year Member



It is running on a Unix platform.
And I'm trying to create a file manager type site so I don't have to log in through my main control panel. I have the file manager working so that's not a problem. I want to allow different users to be able to log in and access only what I give them access to.

Here is a link to the file manager page. Right now it needs users to log in, but I'm changing the login script as it doesn't suit my needs.

[edited by: eelixduppy at 4:46 am (utc) on Jan. 20, 2008]

dragon master mokuba

5:32 am on Jan 20, 2008 (gmt 0)

10+ Year Member



I'll rephrase what I'm trying to accomplish.
I have a login script that stores user/pass in a MySQL database. Each user is limited to one folder. I have a file manager page that the login script redirects to after a successful login. This page allows the user to browse/edit/upload/create files only in their folder.

For example:
/ = root folder. Contains login script. Only I can access all files.
/billy/ = only billy can access after logging in
/susy/ = only susy can access after logging in
/timmy/ = only timmy can access after logging in

I don't know how to get the file manager page to limit access to a specific folder based on who is logged in.

phranque

6:52 am on Jan 20, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Welcome to WebmasterWorld [webmasterworld.com], dmm!

You could put all the files in folders that are inaccessible to the web and serve the data as requested through the script after checking that the user's session has been established.
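One way to implement that suggestion, as an added example (not code from this thread or from File Thingie): a download script that serves files from a per-user folder kept outside the web root, after checking the session and confirming the resolved path stays inside that user's folder. It assumes the login stored the username in $_SESSION['valid_user'] and uses a constructed storage path, /var/www/private.

```php
<?php
// Added example, not part of the original thread: serve a file from a
// per-user directory outside the web root, only for a logged-in session
// and only if the resolved path is still inside that user's folder.
// Assumed: $_SESSION['valid_user'] holds the username; PRIVATE_ROOT is a
// constructed path that the web server does not expose by URL.
session_start();

define('PRIVATE_ROOT', '/var/www/private');

if (empty($_SESSION['valid_user'])) {
    header('Location: login.php');
    exit;
}

// The username becomes a path component, so restrict it to a safe alphabet
// rather than trusting whatever string is in the session.
if (!preg_match('/^[a-z0-9_]{1,32}$/', $_SESSION['valid_user'])) {
    http_response_code(403);
    exit('invalid user');
}
$userDir = realpath(PRIVATE_ROOT . '/' . $_SESSION['valid_user']);

// The requested file name comes from the client. realpath() collapses "../"
// and symlinks, and the prefix check rejects anything outside $userDir.
$requested = isset($_GET['f']) ? $_GET['f'] : '';
$target = ($userDir === false) ? false : realpath($userDir . '/' . $requested);

if ($target === false
    || strpos($target, $userDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($target)) {
    http_response_code(404);
    exit('not found');
}

// Hand the bytes to the client; the file itself never had a URL.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($target) . '"');
header('Content-Length: ' . filesize($target));
readfile($target);
```

Called as download.php?f=report.txt by billy, this only ever reads from /var/www/private/billy/, and a request for ../susy/secret.txt resolves outside that folder and gets a 404.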

dragon master mokuba

12:12 am on Jan 21, 2008 (gmt 0)

10+ Year Member



Never mind, I figured it out. Thanks for the help!

phranque

3:29 am on Jan 21, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Please post a resolution - perhaps you can thus help someone else in the future.

dragon master mokuba

4:02 am on Jan 21, 2008 (gmt 0)

10+ Year Member



To be honest I don't understand it completely. I edited some of the settings in "File Thingie's" code. File Thingie is a free PHP file manager. I didn't like the login/user recognition so I wrote a new one, then changed the settings in File Thingie's code. If you want I can post the code to the login page and the changes I made to File Thingie. You can google File Thingie to get the full source.

PHP_Chimp

3:58 pm on Jan 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Be very careful using other people's scripts, especially when:
"To be honest I don't understand it completely."

Your script and changes may well be very helpful for another person who is looking to try out the same script.

dragon master mokuba

5:39 pm on Jan 21, 2008 (gmt 0)

10+ Year Member



I was being careful. I was talking with the owner of the script about what I was doing.

dragon master mokuba

7:43 pm on Jan 21, 2008 (gmt 0)

10+ Year Member



There are three .php files for the login script: login.php, logout.php, and session_functions.php.

session_functions.php


<?php

ini_set( 'session.name', 's' );

/* the URL to the login page is defined... */
define( 'URL_LOGIN_PAGE', 'login.php' );

// start the session...
session_start();

/* One of the main functions of this included script is
   to check that the page including this script is
   being used by a valid user. There is ONE exception:
   when the person is actually LOGGING IN. */
if ( !defined('LOGGING_IN') ) {
    verify_if_valid_user();
}

/* All the relevant functions are listed below. */
//------------------------------------------------
function match_user_in_db( $user, $pass )
{
    // connect to mysql db (the mysql_* extension was current in 2008;
    // it has since been removed from PHP in favour of mysqli/PDO)
    $dbh = mysql_connect( "localhost", "user", "pass" )
        or die( 'I cannot connect to the database because: ' . mysql_error() );
    mysql_select_db( "dos_pass", $dbh );

    // $user must already be escaped by the caller (see process_login);
    // $pass is an md5 hex string, so it cannot contain quote characters
    $sql = 'SELECT `username`,`password`
            FROM `account`
            WHERE `username` = "' . $user . '"
            AND `password` = "' . $pass . '"';
    $result = mysql_query( $sql, $dbh );

    if ( mysql_num_rows($result) == 1 ) {
        // store the username as it is in the database, not as typed
        $_SESSION['valid_user'] = mysql_result( $result, 0, 0 );
        /* the php.ini setting for 'session.use_trans_sid' should be 1
           for the following line to work, so if this script doesn't seem
           to be working well for you, you know where to look! */
        header( 'Location: index.php?' . SID );
        exit;
    }

    // no match: back to the login page
    header( 'Location: ' . URL_LOGIN_PAGE );
    exit;
}

function process_login()
{
    /* Used ONLY in the LOGIN page. */
    $username = mysql_escape_string( trim($_POST['username']) );
    /* if you store the passwords without using md5,
       of course, edit the following line too.
       (an unsalted md5 is a weak way to store passwords) */
    $password = md5( trim($_POST['password']) );
    match_user_in_db( $username, $password );
}

function process_logout()
{
    /* used ONLY in the LOGOUT page. */
    $_SESSION = array();   // clear the data first, then drop the session
    session_destroy();
    header( 'Location: ' . URL_LOGIN_PAGE );
    exit;
}

function verify_if_valid_user()
{
    if ( !isset($_SESSION['valid_user']) ) {
        // user not logged in yet!
        // re-direct them to the login page
        header( 'Location: ' . URL_LOGIN_PAGE );
        exit;
    }
}
?>

login.php


<?php
if ( isset($_POST['user_login']) ) {
    define( 'LOGGING_IN', true );
    // include the 'session functions' file
    include_once( 'session_functions.php' );
    process_login();
}
else {
?>
<html>
<head>
<title>Login Page</title>
</head>
<body>
<h1>Login Here</h1>
<!-- PHP_SELF echoes part of the request URL, so it is HTML-escaped here -->
<form name="loginform" id="loginform" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<p>
<input name="username" type="text" id="username" size="30" maxlength="30" />
Username</p>
<p>
<input name="password" type="password" id="password" size="30" maxlength="30" />
Password</p>
<p>
<input type="submit" name="user_login" value="Submit" />
</p>
</form>

</body>
</html>

<?php
}
?>

logout.php


<?php
include_once( 'session_functions.php' );
process_logout();
?>

---------------
Changes to FileThingie


/* This code checks if the user is logged in. If not logged in, the user is redirected to the login script. Should be put on all password protected pages. Goes at the very top of the script. */
include_once( 'session_functions.php' );
if ( !isset($_SESSION['valid_user']) || $_SESSION['valid_user'] === '' ) {
    header( 'Location: ' . URL_LOGIN_PAGE );
    exit;
}


/* Checks what the valid dir is, also giving "root" access to the main dir. Should be placed towards the top of the script. */
if ( $_SESSION['valid_user'] === 'root' ) {
    $login_dir = "../..";
}
else {
    // the username is used as a directory name, so only create accounts
    // whose names are safe path components (no slashes, no "..")
    $login_dir = $_SESSION['valid_user'];
}

/* Also change these settings from the default value.*/
Default
define("_DIR", "."); // Your default directory. Do NOT include a trailing slash!
define("_DISABLELOGIN", FALSE); // Set to TRUE if you want to disable password protection.

Change To
define("_DIR", "$login_dir"); // Your default directory. Do NOT include a trailing slash!
define("_DISABLELOGIN", TRUE); // Set to TRUE if you want to disable password protection.

/* About halfway down the script is the code for the logout link. Need to change it to display the correct link.*/
Change From:


// Display logout link.
if (DISABLELOGIN == FALSE) {
$str .= '<p id="logout">';
if (isset($users) && @count($users) > 0 && DISABLELOGIN == FALSE) {
$str .= t('Logged in as!user ', array('!user' => $_SESSION['ft_user_'.MUTEX]));
}
$str .= makeLink(t("[logout]"), "act=logout", t("Logout of File Thingie")).'</p>';
}

Change To:


// Display logout link.
if (DISABLELOGIN == TRUE) {
$str .= '<p id="logout">';
if (isset($users) && @count($users) > 0 && DISABLELOGIN == TRUE) {
$str .= t('Logged in as!user ', array('!user' => $_SESSION['valid_user']));
}
$str .= '<a href="logout.php">[logout]</a></p>';
}

There ya go! Hope people get a use out of it. If you need clarification, let me know.
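The posted session_functions.php builds its SQL by string concatenation and stores passwords as a plain md5. As an added example (not the poster's code), here is the same user/password check written with a prepared statement and password_hash()/password_verify(). It assumes the thread's database dos_pass and table account(username, password), with the password column now holding a password_hash() result.

```php
<?php
// Added example, not the poster's code: the check done by match_user_in_db(),
// with a prepared statement instead of concatenated SQL and password_verify()
// instead of comparing an md5. Assumed: database dos_pass and table
// account(username, password) as in the thread, password holding a
// password_hash() value; the credentials "user"/"pass" are placeholders.
session_start();

function db()
{
    $pdo = new PDO('mysql:host=localhost;dbname=dos_pass;charset=utf8mb4', 'user', 'pass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Returns true and records the user in the session on success, false otherwise.
function login($username, $password)
{
    // The username is bound as a parameter, so no escaping step is needed.
    $stmt = db()->prepare('SELECT username, password FROM account WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password both end in the same false result.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);                // fresh session id after login
    $_SESSION['valid_user'] = $row['username']; // username as stored, not as typed
    return true;
}

// Creating an account: store a salted password_hash(), never md5().
function register($username, $password)
{
    $stmt = db()->prepare('INSERT INTO account (username, password) VALUES (?, ?)');
    return $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
}

if (isset($_POST['user_login'])) {
    if (login(trim($_POST['username']), $_POST['password'])) {
        header('Location: index.php');
    } else {
        header('Location: login.php');
    }
    exit;
}
```

Existing accounts created with md5 need their password column rewritten by register() (or an equivalent update) before password_verify() will accept them.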