User Authentication

100 points


Requirements

Comments placed in the source code file ......   5
New users can register ........................  25
Users can login ...............................  30
Page security/authentication enforced .........  30
Admin user can remove other users .............  10
Total ......................................... 100 pts

Resources

Objective

To use sessions to manage user logins

Instructions

For this lab you will create a website that consists of three types of pages: those accessible to anyone, those accessible to logged-in users, and those accessible to logged-in administrators.

Pages that can be accessed by anyone should include a homepage, a login page, and a registration page. The registration page should provide a form that allows a new user of the system to register, which adds them to the users table of a database that is used to authenticate users (usernames must be unique). The login page should then collect a user's name and password. If the username/password combination matches a registered user in the users table, then the user should be "logged in" and allowed to access the second type of page, those accessible to logged-in users. If the user is logged in, a logout link should be included on all pages.

The page accessible to logged-in users should be a shopping cart page (you DO NOT need to actually implement a shopping cart at this time).

If the logged-in user is an administrator (a user in the users table that has admin authority), they should have access to a page that allows users to be removed from the system. Use the following SQL statements to create a users table and to add one administrative user to the table.

create table users (
  id int not null auto_increment,
  username varchar( 50 ) not null,
  password varchar( 100 ) not null,
  authority varchar( 10 ) not null default 'user',
  primary key(id)
);

insert into users (username,password,authority) values ('root','password','admin');

Because the authority of all users registering themselves will be 'user', the default for that field, nothing needs to be entered for authority for new users.

Example:

insert into users (username,password) values ('jjohnson','password');

When a logged in administrator needs to remove a user the following SQL statement can be used.

delete from users where id='00';

The actual id for the user to be removed should be substituted for '00'.

"select * from users where username='" . $uname . "' and password = '" . $pw . "'"

This statement can be used to check for a username/password combination in the users table. It assumes that the person's username is in the $uname variable and their password is in the $pw variable. If this query returns exactly one record, then the user with that username/password was found.
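The following is an added example of the whole lab in PHP; it is not the lab's own code. It assumes a MySQL database named labdb on localhost holding the users table created above (the connection credentials are placeholders), and it assumes the pages are served over PHP 7.3 or later. It differs from the query shown above in two ways a practitioner would want: the username and password are bound as prepared-statement parameters instead of being concatenated into the SQL, so a value such as ' or 1=1 -- entered in the form cannot change the query, and passwords are stored as password_hash() output and checked with password_verify() rather than compared in clear text. Because of the second point, the seed 'root' row has to be stored with a hashed password for this code to log it in; seed_admin() below does that.

```php
<?php
// Added example for the user-authentication lab (not the lab's own code).
// Assumes: MySQL database "labdb" on localhost with the "users" table from
// the lab's CREATE TABLE statement; DB credentials below are placeholders.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,   // session cookie not readable from JavaScript
    'cookie_samesite' => 'Lax',  // not sent on cross-site POSTs
]);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=labdb;charset=utf8mb4',
            'DB_USER_PLACEHOLDER',       // assumption: replace with real values
            'DB_PASSWORD_PLACEHOLDER',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
             PDO::ATTR_EMULATE_PREPARES => false]  // real server-side prepares
        );
    }
    return $pdo;
}

// Registration page: usernames must be unique, password stored as a hash.
function register_user(string $username, string $password): bool
{
    if ($username === '' || strlen($password) < 8) {
        return false;
    }
    $check = db()->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return false;   // name already taken (a UNIQUE index would enforce this in the DB too)
    }
    $ins = db()->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    return $ins->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Stores the lab's 'root'/'password' admin with a hashed password so login() can check it.
function seed_admin(): bool
{
    $stmt = db()->prepare(
        'INSERT INTO users (username, password, authority) VALUES (?, ?, ?)'
    );
    return $stmt->execute(['root', password_hash('password', PASSWORD_DEFAULT), 'admin']);
}

// Login page: look the user up by name only, then verify the hash in PHP.
function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password, authority FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;   // same answer for "no such user" and "wrong password"
    }
    session_regenerate_id(true);          // fresh session id once privileges change
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['username']  = $username;
    $_SESSION['authority'] = $row['authority'];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Put require_login() at the top of the shopping cart page.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Put require_admin() at the top of the user-removal page.
function require_admin(): void
{
    require_login();
    if (($_SESSION['authority'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Admin action: the id comes from the form as a bound integer parameter, and an
// administrator cannot delete their own account by accident.
function remove_user(int $id): bool
{
    require_admin();
    if ($id === $_SESSION['user_id']) {
        return false;
    }
    $stmt = db()->prepare('DELETE FROM users WHERE id = ?');
    return $stmt->execute([$id]) && $stmt->rowCount() === 1;
}
```

In the page scripts, call these functions from form handlers (for example `register_user($_POST['username'], $_POST['password'])` on the registration page and `remove_user((int) $_POST['id'])` on the admin page); the user-removal form should be submitted with POST rather than as a GET link so that simply visiting a URL cannot delete an account.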