I am a big fan of having a toolbox for web items. These items can be free designs, or neat addons for WordPress or Joomla, or jQuery things I would like to try and use. Sometimes they are also tidbits of code that I find myself needing to reuse, or draw upon again. One such tidbit of code is a simple admin login system I built some time ago.
In less than a half-dozen pages, I provide a way to give a site a password-protected area, the ability to change the password, and the ability to log out. Nothing revolutionary, I assure you, but helpful to have handy at the very least.
login.php
The Code
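<?php
// Note: the mysql_* extension used here was removed in PHP 7; this code needs PHP 5.
session_start();

// Set the action for the switch.
if (isset($_REQUEST['action'])) { $action = $_REQUEST['action']; }
else { $action = ''; }

switch ($action) {
    case 'logout':
        session_destroy();
        session_start();
        $_SESSION["error"] = "Logged out.";
        header("Location:login.php");
        exit;
    case 'login':
        include_once ('config.php');
        // Escape user input before it goes into the query (prevents SQL injection).
        $user  = mysql_real_escape_string(isset($_REQUEST['username']) ? $_REQUEST['username'] : '');
        $passw = mysql_real_escape_string(isset($_REQUEST['password']) ? $_REQUEST['password'] : '');
        $query = "SELECT `uid` FROM `adminusers` WHERE `username` = '$user' AND `password` = MD5( '$passw' )";
        $result = mysql_query($query);
        if ($result && mysql_num_rows($result) == 1) {
            session_regenerate_id(true); // issue a fresh session ID on login (prevents session fixation)
            $_SESSION["login"] = "true";
            header("Location:index.php");
        } else {
            $_SESSION["error"] = "Wrong username or password. Try again.";
            header("Location:login.php");
        }
        exit; // stop here so nothing else is rendered after the redirect
    default:
        // isset() avoids an undefined-index notice for visitors without a session.
        if (isset($_SESSION["login"]) && $_SESSION["login"] == "true") { header("Location:index.php"); exit; }
}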
The Logic
How it works is really simple: you have a switch, a style I like to use, that does one of two things. By default, it will create a form that takes in your username and password and passes them through to the other piece of the switch.
The other piece of the switch is also simple: it verifies the username and password (currently set up against a database) and then creates a session. The logout piece destroys that session and redirects you back to the login form.
index.php
The Code
<?php
include ('session.php'); //checks session
include ('config.php'); //database
?>
Administration Side
Successful Login
The Logic
Nothing to this page, as it only provides links to log out and to change the password. The supporting files included provide the database information (if needed to provide a table of results, for example) and validate the session.
password.php
The Code
<?php
include ('session.php'); //checks session
include ('config.php'); //database

// Set the action for the switch.
if (isset($_REQUEST['action'])) { $action = $_REQUEST['action']; }
else { $action = ""; }

switch ($action) {
    case 'update':
        // Escape every user-supplied value before it goes into a query (prevents SQL injection).
        $user  = mysql_real_escape_string($_REQUEST['username']);
        $passw = mysql_real_escape_string($_REQUEST['password']);
        $query = "SELECT `uid` FROM `adminusers` WHERE `username` = '$user' AND `password` = MD5( '$passw' )";
        $result = mysql_query($query);
        if ($result && mysql_num_rows($result) == 1) {
            $row = mysql_fetch_array($result);
            // Strict comparison: == would treat numeric-looking strings such as "1e3" and "1000" as equal.
            if ($_REQUEST['password1'] === $_REQUEST['password2']) {
                $newpass = mysql_real_escape_string($_REQUEST['password1']);
                $query = "UPDATE adminusers SET `password` = MD5('$newpass') WHERE uid = '".$row['uid']."'";
                mysql_query($query);
                $status = "Success! ";
            } else { $status = "New passwords did not match. Try again. "; }
        } else { $status = "Wrong username or password. Try again. "; }
        break;
    default:
        break;
}
The Logic
Very similar to the login page with its use of switches to control the actions. The form that is provided by default asks for the username and current password, and asks for the new password twice.
The update portion will confirm that you have the correct username and password, and that the two new passwords match, before applying them. Regardless of the success or failure of the attempt, it will return you to the form and provide a status message.
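The login and password-change checks described above, rewritten as an added example (not the original post's code) with bound parameters instead of string-built SQL and password_hash()/password_verify() instead of MD5(). It assumes PDO with the SQLite driver and an in-memory database so it runs on its own; the function names and the account admin / s3cret-demo are constructed for illustration.

```php
<?php
// Added example (not the original post's code). Assumptions: PDO with the SQLite
// driver, an in-memory database, and a constructed account "admin" / "s3cret-demo".

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE adminusers (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $db->prepare('INSERT INTO adminusers (username, password) VALUES (?, ?)');
    // password_hash() salts every hash and uses a deliberately slow algorithm, unlike bare MD5.
    $ins->execute(['admin', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the uid on success, or null on failure. User input is bound as a
// parameter, so the database never parses it as SQL.
function check_login(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT uid, password FROM adminusers WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['uid'];
}

// Mirrors password.php: verify the current password, then store a hash of the new one.
function change_password(PDO $db, string $username, string $current, string $new1, string $new2): string {
    $uid = check_login($db, $username, $current);
    if ($uid === null) { return 'Wrong username or password. Try again.'; }
    if ($new1 !== $new2) { return 'New passwords did not match. Try again.'; }
    $upd = $db->prepare('UPDATE adminusers SET password = ? WHERE uid = ?');
    $upd->execute([password_hash($new1, PASSWORD_DEFAULT), $uid]);
    return 'Success!';
}

$db = make_demo_db();
// Constructed inputs: valid credentials, then a username containing SQL syntax.
var_dump(check_login($db, 'admin', 's3cret-demo') !== null);
var_dump(check_login($db, "x' OR '1'='1", 'anything') !== null); // treated as data, matches no user
echo change_password($db, 'admin', 's3cret-demo', 'n3w-demo-pw', 'n3w-demo-pw'), "\n";
var_dump(check_login($db, 'admin', 'n3w-demo-pw') !== null);     // checked against the new hash
```

In a real login page, a successful check_login() would be followed by session_regenerate_id(true) before the session flag is set.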
Supporting pages: database.php & session.php
The Code
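<?php
// database.php (the file the pages above include as config.php): connection settings and the connection itself.
// Sample values; the mysql_* functions require PHP 5.
$host = 'localhost';
$user = 'root';
$pass = '';
$dbname = 'test';
$conn = mysql_connect($host, $user, $pass) or die ('Error connecting to mysql');
mysql_select_db($dbname);

<?php
// session.php: include at the top of every admin page.
session_start();
// isset() avoids an undefined-index notice when no login has happened yet.
if (!isset($_SESSION["login"]) || $_SESSION["login"] != "true") {
    $_SESSION["error"] = "You need to login to see administration side.";
    header("Location:login.php");
    exit;
}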
The Logic
These two pages are the support pages, and provide very simple but very helpful code. The database.php will not only contain the information for connecting to the database, it will also create the connection. The session.php, which should be at the beginning of every page on your admin side, will look for the right session. If that session isn't available, it will redirect you to login.php.
Final Thoughts
I realize this isn't the most secure solution, and wouldn't last a second in many environments in danger of attack. But for the environments I provide and deploy it in, it is simple, easy, and really does the trick.