Lab 5: PHP Sessions
Introduction
This week you will improve and augment the server-side processing you started in the previous labs by creating a protected area for your website, accessible only by "members".
Read the entire lab so you see the requirements and know what is coming.
Part 0 - Setting up (5%)
- Directory: You must create a folder in your public_html/IT350 folder called Lab05 and store your work in that directory. To run a script called yourfile.php stored in your Lab05 directory on public_html/IT350, type http://midn.cs.usna.edu/~mXXXXXX/IT350/Lab05/yourfile.php in the address bar of your browser (replace XXXXXX with your alpha). You should COPY your files from Lab04 into this directory and make changes to them here! Make sure you do not modify the files in previous labs' folders. Make sure files in previous labs' folders are not open in your editor!
- IMPORTANT: To allow the webserver to later create files when running a PHP script, the webserver user might need to have extra permissions on your Lab05 directory. To enable this, ssh into midn.cs.usna.edu. You can use putty or some other tool if you are on a Windows machine. Use your normal USNA credentials. Type the following in the window that appears:
cd ~/public_html/IT350
chmod -R a+rwx Lab05
Note that a+rwx grants read, write and execute permission on Lab05 and everything in it to every user on the server, not only the webserver user.
Part 1 - Create user (15%)
- registration.html: Make sure your registration.html form requires the user to fill in a username or email (the email can be used as a username for many websites, including yours if so desired) and a password. If not, add those to the registration.html form. If you decide to use the email as the username, use the email every time this lab write-up mentions the username.
- submit.php:
- Modify submit.php to add some extra checks: a) check that the username (or email if used as username) and password are not empty (you should have this check already from previous labs) and b) check that the username (or email if used as username) does not already exist as a username in LOG.txt. As before, if an error is detected, your program should state explicitly what the error was, and allow the user to submit again.
- If no error detected, store all the data in LOG.txt as before, with fields separated by tabs.
Part 2 - Login (75%)
For this part you will write a new form login.html and a new CGI program (in PHP) login.php that allows users to log in to your website if a valid username/password are provided.
- login.html: Create a new form in login.html that allows a user to provide a username and password to log in to your website. The action for the form should be login.php.
- login.php: Create a new PHP script login.php that checks whether the username/password combination provided matches the information stored in LOG.txt for some user.
If so, a session variable with the username is created, and the user is redirected to a requestReport.php script you will create next.
If the username/password combination is not valid, an error message is displayed and the login form is displayed so the user can enter another username/password. Alternatively, you can just redirect to login.html to allow the user to re-enter a username and password (no error message will be displayed in this case).
Note: header("Location: somefile.php") in your PHP script, invoked before any HTML output is produced, will generate a redirect header that the browser will follow to redirect to somefile.php.
- index.html: In index.html, add a link to login.html
Part 3 - Protected Pages (90%)
- requestReport.php: Rename your requestReport.html from last lab to requestReport.php. Add PHP code to check that the user is logged in before displaying this page. If the user is not logged in, display an error message and a link the user can click to go to login.html
- createReport.php: Modify createReport.php to check that the user is logged in before running the code. If the user is not logged in, display an error message and a link the user can click to go to login.html
Part 4 - Logout (95%)
- logout.php: Create a logout.php script that logs out the user by deleting the session variables associated with the user. The logout.php should run only if the user is logged in, otherwise display an error message and a link the user can click to go to login.html. After the user is logged out, the user should not be able to access the protected pages.
- index.html: In index.html, add a link to logout.php.
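The session handling that Parts 2 through 4 describe, as an added example that is not part of the lab handout or course code. The session key 'username' and the function names log_in, current_user and log_out are assumptions.

```php
<?php
// Added example, not course-provided code. The session key 'username' and the
// function names are assumptions.

// Call in login.php after the username/password check succeeds, then redirect
// with header("Location: requestReport.php") and exit before any output.
function log_in(string $user): void {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    // Issue a fresh session ID at login so an ID handed out before
    // authentication is never promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['username'] = $user;
}

// Call at the very top of every protected page, before any HTML output.
function current_user(): ?string {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    return $_SESSION['username'] ?? null;
}

// Remove the session variables, the browser cookie and the server-side session.
function log_out(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Top of a protected page such as requestReport.php or createReport.php:
$user = current_user();
if ($user === null) {
    echo '<p>Error: you are not logged in. <a href="login.html">Log in</a></p>';
    exit;   // stop here so none of the protected code below runs
}
// Escape the stored username before echoing it back into HTML.
echo '<p>Logged in as ' . htmlspecialchars($user) . '</p>';
```

logout.php can use the same current_user() guard, then call log_out(); after that, current_user() returns null on every protected page.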
Challenge Problem - Just a bit more (100%)
- Modify how you store the passwords: instead of storing the passwords in plain text use the password_hash() function to salt and hash the password to get the string that will be stored to file. Modify your login.php script to compare with the hashed passwords when testing whether the username/password provided are valid. Note that you should delete your old LOG.txt file before using the new scripts (with hashed passwords) so you don't have a mix of old and new storage methods for the passwords in the same file.
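One way to store and check salted hashes in the tab-separated LOG.txt, combined with the Part 1 duplicate-username check (added example, not course-provided code). The two-field record layout, the function names and the temp file standing in for LOG.txt are assumptions.

```php
<?php
// Added example, not course-provided code. Field layout (username, hash) and
// function names are assumptions; your LOG.txt may carry more fields.

// Reject values that would break the tab-separated, one-record-per-line format.
function clean_field(string $v): ?string {
    $v = trim($v);
    return ($v === '' || preg_match('/[\t\r\n]/', $v)) ? null : $v;
}

// Return the stored hash for $user, or null if the username is not in the file.
function find_hash(string $file, string $user): ?string {
    if (!is_file($file)) return null;
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $f = explode("\t", $line);
        if (count($f) >= 2 && $f[0] === $user) return $f[1];
    }
    return null;
}

// Returns an error string, or null on success.
function register_user(string $file, string $user, string $pass): ?string {
    $user = clean_field($user);
    if ($user === null) return 'Username is empty or contains tabs/newlines.';
    if ($pass === '')   return 'Password is empty.';
    if (find_hash($file, $user) !== null) return 'Username already exists.';
    // password_hash generates a random salt and embeds it in the returned string.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    file_put_contents($file, "$user\t$hash\n", FILE_APPEND | LOCK_EX);
    return null;
}

function check_login(string $file, string $user, string $pass): bool {
    $hash = find_hash($file, $user);
    // password_verify re-derives the hash using the salt stored inside $hash.
    return $hash !== null && password_verify($pass, $hash);
}

// Constructed demo data, written to a temp file instead of the real LOG.txt.
$log = tempnam(sys_get_temp_dir(), 'log');
var_dump(register_user($log, 'alice@example.com', 'correct horse'));
var_dump(register_user($log, 'alice@example.com', 'other'));
var_dump(check_login($log, 'alice@example.com', 'correct horse'));
var_dump(check_login($log, 'alice@example.com', 'wrong'));
unlink($log);
```

Because each call to password_hash() uses a new salt, two users with the same password get different stored strings, so login must go through password_verify() and never a string comparison of two hashes.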
General Requirements and Deliverables
- Documentation: ensure you have appropriate comments in your PHP scripts.
- Links: Create three links in your top-level IT350.html page under the heading 'Lab05'
- Under the name 'Index', make a link to your Lab05/index.html
- Under the name 'Login', make a link to Lab05/login.html
- Under the name 'Report', make a link to your Lab05/requestReport.php
- Always put a README.txt file in the lab directory. At a minimum this file should have:
- *Lab number
- *Your name and alpha
- *Collaborations in completing this lab (people, online sources used outside the course website)
- *How far you got (through which part did you finish)? If you tried any additional parts beyond the one you completed, what did you do?
- *How long this lab took you
- Any suggestions to improve the lab
- Any comments needed for the instructor to review the lab (usernames, passwords, etc.)
- All of your files should be in a folder called Lab05 in your public_html/IT350 folder. Your instructor will assume that your web pages are viewable at http://midn.cs.usna.edu/~mXXXXXX/IT350/Lab05/login.html where XXXXXX is your alpha number.
- All labs must be complete and saved to the midn.cs.usna.edu drive before you submit your assignment. Do NOT modify your web files after you have submitted your assignment (unless you resubmit, which you can do as often as you like up until the deadline.)
- Submit all files to the online submissions system (submit.moboard.com) on or before the due date. This is Lab05. Use the command line submit script and capture the entire contents of the directory. The easiest way to do this would be to cut and paste the following while logged onto the server:
cd ~/public_html/IT350
~/bin/submit -c=IT350 -p=Lab05 Lab05
This assumes that the submit script is located in ~/bin/ and is executable.
When finished, the structure of your web site should look like this: (items in blue undergo modification during this lab)
\\midn.cs.usna.edu\mXXXXXX\public_html\IT350
    IT350.html (main page with links to all labs)
    images/ (images folder might optionally change for this lab)
    Lab01/
    Lab02/
    Lab03/
    Lab04/
    Lab05/
        index.html (the main page for your unit/ECA modified to add link to login page)
        schedule.html (copied from Lab04)
        registration.html (copied from Lab04 and potentially modified)
        submit.php (copied from Lab04 and modified for this lab)
        LOG.txt (created and updated by the webserver when submit.php is invoked)
        login.html (new HTML page created for this lab)
        login.php (new PHP script created for this lab)
        requestReport.php (new PHP script created for this lab based on the previous requestReport.html)
        createReport.php (copied from Lab04 and modified for this lab)
        logout.php (new PHP script created for this lab)
Additional Hints/Clarifications
- If your code is not working, read the error messages in the apache log file:
ssh midn.cs.usna.edu
tail -f /var/log/apache2/error.log | grep mXXXXXX
Here is a list of common PHP errors and the likely solutions: PHP errors explained
- If you have logical errors in your program, try adding extra echo commands to see what parts of the program are executing and what the values received by the program are.