
Password Protect Php Page that sets user for next page and still checks password

I have been able to have either a password protected page or a page that displays the user info on entry but can not make them work together. I know I am missing something simple but I have been looking at it too long:

    <?php

$db_host = "localhost"; 
$db_username = "1"; 
$db_pass = "1"; 
$db_name = "1"; 
mysql_connect("$db_host","$db_username","$db_pass") or die(mysql_error()); 
mysql_select_db("$db_name") or die ("no database");

$email =  mysql_query ("SELECT email FROM maindata2");
while($row=mysql_fetch_array($email)) { $allemail = $row['email'];
}

$LOGIN_INFORMATION = array(
  'email' => 'pass',
);


// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.wwwww.com/');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 60);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);


// show usage example
if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line):<br>&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
   header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
  <title>Please enter password to access this page</title>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<?php include_once "meta1.php"; ?>
</head>
<body>
<?php include_once "header.php"; ?>

<div id="main-content">
  <style>
    input { border: 1px solid black; }
  </style>
  <div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">

<div id="form1">
  <form name="form2" method="POST" action="display.php"> 
    <h3>Please enter password to access this page</h3>
    <font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Email Address:<br /><input type="input" name="access_login" /><br />Password:<br />';  ?>
    <input type="password" name="access_password" /><p></p><br /><input type="submit" name="Submit" value="Submit" /> 
  </form>
  <br />
<br />
<a style="font-size:12px; color: #000; font-family: Verdana, Arial;" href="http://wwwwww.com/contact" title="Contact us">Forgot Your Password?</a>
  </div>

<br>
<center><b>Existing Customers, please contact to request a login user name and password</b>
<br>
<br>
<a href="#" onClick="window.open('http://www.wwww.com/images/sampledata.png', 'WindowC', 'width=850, height=600,scrollbars=yes');">View Sample Data</a></center>


</div>
<br>
<br>
</div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
$pass = $_POST['access_password'];
$login = strtolower($login);
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) ) 
  ) {
    showLoginPasswordProtect("Incorrect password.");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');

    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables

  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}

?>

Right now the user can enter their email and go straight to the display page, and it passes the information on and displays everything perfectly. The only problem is that it does not check the password first. I understand that it is the order I have set up, but cannot figure out how to make it work.

That is a strange way of handling password access. First of all, you should never send password data back to the user, even if somewhat encrypted. I'd advise you to use a session. Call session_start(); before your verification part begins. At the password verification part you could write the username into your session when the login is correct, like $_SESSION['login'] = $login; which makes the verification of logged-in users easier, too, like

    if (array_key_exists('login', $_SESSION)) {
        echo "Im am a logged in user!";
    } else {
        echo "Please log in now!";
    }

As you may see, much less code and way more secure. In addition, your SQL currently does nothing, as all email addresses overwrite each other and the result isn't even used. You should close your connection, too, and not just die();.
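The session approach from the answer, written out as an added example (not code from the question or the answer). It assumes the file is included at the top of every protected page, display.php included, and that passwords are stored as `password_hash()` output; the account, the `TIMEOUT_SECONDS` constant and the helper names `credentialsValid` and `sessionIsFresh` are constructed for illustration.

```php
<?php
// Constructed sample account; in practice only the hash is stored (e.g. in the database).
$USERS = [
    'user@example.com' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];
const TIMEOUT_SECONDS = 60 * 60; // same 60-minute inactivity window as the question

// Returns true when the submitted credentials match a stored hash.
function credentialsValid(array $users, string $login, string $pass): bool
{
    $login = strtolower($login);
    // Unknown users are checked against a throwaway hash so both paths do similar work.
    $hash = $users[$login] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && isset($users[$login]);
}

// Returns true when the session holds a login that has not timed out.
function sessionIsFresh(array $session, int $now): bool
{
    return isset($session['login'], $session['last_seen'])
        && ($now - $session['last_seen']) <= TIMEOUT_SECONDS;
}

session_start();
$error = '';
$login = $_POST['access_login'] ?? null;
$pass  = $_POST['access_password'] ?? null;

if (is_string($login) && is_string($pass)) {
    if (credentialsValid($USERS, $login, $pass)) {
        session_regenerate_id(true);           // fresh session ID after login
        $_SESSION['login'] = strtolower($login);
        $_SESSION['last_seen'] = time();
    } else {
        $error = 'Incorrect password.';
    }
}

if (!sessionIsFresh($_SESSION, time())) {
    $_SESSION = [];                            // drop a stale or missing login
    // The question's showLoginPasswordProtect($error) would render the form here.
    exit($error !== '' ? $error : 'Please log in now!');
}
$_SESSION['last_seen'] = time();               // prolong the timeout on activity
echo 'Logged in as ' . htmlspecialchars($_SESSION['login']);
```

Because the browser only ever holds the session ID, nothing derived from the password leaves the server, and the protected page can read the user from `$_SESSION['login']` after the check has passed.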
