Hej.

Założenie jest aby nie używać baz danych.

Funkcjonalności:
* Logowanie jako użytkownik + hasło lub samo hasło
* Max. próba logowań (bazowano na IP logującego)
* Prostota? (do waszej oceny)
* Bezpieczeństwo? (do waszej oceny)
* questionmark.gif


Dzięki!

PS: Tak, styl forma jest zerżnięty z Githuba, proszę już mnie za to nie karcić.

edit: dodałem komentarze ohno-smiley.gif

Usage
[PHP] pobierz, plaintext 
  1. <?
  2. require_once('authPage.php');
  3.  
  4. echo 'Logged in!';	
  5. ?>
[PHP] pobierz, plaintext



authPage.php
[PHP] pobierz, plaintext 
  1. <?
  2. /*
  3.  
  4. Config BEGIN
  5.  
  6. username => password
  7. username should contain alphameric chars only
  8.  
  9. */
  10.  
  11. $DATA = array(
  12.   'admin' => 'password',
  13.   'user' => 'qwert123',
  14. );
  15.  
  16.  
  17. define('USERNAMES', true);		// Choose between using Username or Username + Password auth (true/false)
  18. define('TIMEOUT', 30); 			// How long user should stay logged in (set 0 for unlimited time) [in minutes]
  19. define('BANTIME', 15); 			// How long should IP ban after X fail login attempts last [in minutes]
  20. define('MAX_ATTEMPTS', 5); 		// Max. number of fail login attempts (int > 0)
  21.  
  22.  
  23. /*
  24.  
  25. Cofnig END
  26. Do NOT edit code below (unless you know what you are doing)
  27.  
  28. */ 
  29.  
  30. ob_start( );
  31. session_start( );
  32.  
  33.  
  34. $Timeout = TIMEOUT == 0 ? pow(999, 3) : TIMEOUT * 60;
  35. $Bantime = BANTIME * 60;
  36. $RemoteIP = $_SERVER['REMOTE_ADDR'];
  37.  
  38. // Retrieve file name
  39. $FilePath = $_SERVER['SCRIPT_NAME'];
  40. $Break = Explode('/', $FilePath);
  41. $File = $Break[count($Break) - 1]; 
  42.  
  43. if( isset($_GET['logout']) ) {
  44.  
  45. 	$_SESSION['SLS_LOGGED'] = false;
  46.  
  47. 	header( 'Location: ' . $File );
  48.  
  49. 	die( );
  50.  
  51. }
  52.  
  53. // Check if max fail login attempts is 1 or greater
  54. if( MAX_ATTEMPTS < 1 )
  55. 	die('Max attempts must be 1 or grater!');
  56.  
  57. // Form submit
  58. if ( isset($_POST['commit']) )
  59. {
  60.  
  61. 	$Login = USERNAMES ? strtolower(trim($_POST['access_login'])) : '';
  62. 	$Password = $_POST['access_password'];
  63.  
  64. 	$LeftAttempts = 0;
  65.  
  66. 	// Load ban XML
  67. 	$DOM = new DOMDocument();
  68. 	$DOM->load('authPage.xml');		
  69. 	$Attempts = $DOM->getElementsByTagName('attempt');
  70. 	$Found = false;
  71. 	$FoundAttempt = NULL;
  72.  
  73.  
  74. 	foreach( $Attempts as $Attempt )
  75. 	{
  76. 		// Check if IP already exists in XML [ref 01]
  77. 		if( $Attempt->getElementsByTagName('Remoteip')->item(0)->getAttribute('val') == $RemoteIP );
  78. 		{
  79. 			$Found = true;
  80. 			$FoundAttempt = $Attempt;
  81.  
  82. 			// Check if IP is already banned
  83. 			if ( $FoundAttempt->getElementsByTagName('Banned')->item(0)->getAttribute('val') == '1' )
  84. 			{
  85.  
  86. 				// Check if bantime already passed
  87. 				$TimePassed = time( ) - $FoundAttempt->getElementsByTagName('Timestamp')->item(0)->getAttribute('val');
  88.  
  89. 				if ( $TimePassed > $Bantime )
  90. 				{
  91. 					// It did, therefore remove the ban and continue executing
  92. 					removeBans($FoundAttempt);
  93. 				}
  94. 				else
  95. 				{
  96. 					// It didn't, show Login form with banned message and terminate
  97. 					showLoginPasswordProtect('Banned.');
  98. 					die( );
  99. 				}
  100. 			}
  101. 		}
  102. 	}
  103.  
  104. 	// If IP wasn't found in XML, create an entry and store first login attempt	[ref 02]
  105. 	if( !$Found )
  106. 	{
  107. 		$_MainNode = $DOM->createElement('attempt');
  108. 		$DOM->getElementsByTagName('attempts')->item(0)->appendChild($_MainNode);
  109.  
  110. 		$_Remoteip = $_MainNode->appendChild( $DOM->createElement( 'Remoteip' ) );	
  111. 		$_Remoteip->setAttribute('val', $RemoteIP);
  112.  
  113. 		$_Attempts = $_MainNode->appendChild( $DOM->createElement( 'Attempts' ) );	
  114. 		$_Attempts->setAttribute('val', '1');
  115.  
  116. 		$_Banned = $_MainNode->appendChild( $DOM->createElement( 'Banned' ) );	
  117. 		$_Banned->setAttribute('val', '0');
  118.  
  119. 		$_Timestamp = $_MainNode->appendChild( $DOM->createElement( 'Timestamp' ) );	
  120. 		$_Timestamp->setAttribute('val', '0');
  121.  
  122. 		$LeftAttempts = MAX_ATTEMPTS - 1;
  123.  
  124. 		$DOM->save('authPage.xml');
  125. 	}
  126.  
  127. 	// Login FAILED  
  128. 	if ( !USERNAMES && !in_array($Password, $DATA) || ( USERNAMES && ( !array_key_exists(strtolower(trim($Login)), $DATA) || $DATA[strtolower(trim($Login))] != $Password ) ) )
  129. 	{		
  130. 		// IP has been previously found [ref 01]
  131. 		if ( $Found )
  132. 		{	
  133.  
  134. 			$AttempsCount = $FoundAttempt->getElementsByTagName('Attempts')->item(0)->getAttribute('val'); // Retrieve number of attempts
  135. 			$AttempsCount++; // Increase attempts count by one
  136.  
  137. 			// Check if number of attempts matches (or exceeds -- possible?) max number of fail login attempts...					
  138. 			if( $AttempsCount < MAX_ATTEMPTS )
  139. 			{
  140. 				$LeftAttempts = MAX_ATTEMPTS - $AttempsCount; // Var to display left no of attempts
  141.  
  142. 				$FoundAttempt->getElementsByTagName('Attempts')->item(0)->removeAttribute('val');	
  143. 				$FoundAttempt->getElementsByTagName('Attempts')->item(0)->setAttribute('val', $AttempsCount); // Change attempts no
  144.  
  145. 				showLoginPasswordProtect('Incorrect Login and/or Password. ' . $LeftAttempts . ' attempt(s) left' );
  146. 			}
  147. 			// If so, ban IP address
  148. 			else
  149. 			{
  150. 				$FoundAttempt->getElementsByTagName('Banned')->item(0)->removeAttribute('val');
  151. 				$FoundAttempt->getElementsByTagName('Banned')->item(0)->setAttribute('val', '1'); // Ban
  152.  
  153. 				$FoundAttempt->getElementsByTagName('Timestamp')->item(0)->removeAttribute('val');
  154. 				$FoundAttempt->getElementsByTagName('Timestamp')->item(0)->setAttribute('val', time()); // Timestamp when banned
  155.  
  156. 				showLoginPasswordProtect('Banned.');
  157. 			}
  158.  
  159. 			$DOM->save('authPage.xml');				
  160.  
  161. 		}
  162. 		// Display login form (ip not found) [ref 02]
  163. 		else
  164. 			showLoginPasswordProtect('Incorrect Login and/or Password. ' . $LeftAttempts . ' attempt(s) left' );
  165.  
  166. 		die( ); // Terminate after fail login attempt
  167.  
  168. 	}
  169. 	// Login success
  170. 	else 
  171. 	{
  172.  
  173. 		removeBans($FoundAttempt); // Remove bancount/ban (if any)
  174. 		$DOM->save('authPage.xml');	
  175.  
  176. 		$_SESSION['SLS_LOGGED'] = true; // Logged in
  177. 		$_SESSION['SLS_TIMEOUT'] = time( ) + $Timeout; // Timeout
  178.  
  179. 		unset($_POST); // Browser keep the post data anyway *dang*
  180.  
  181. 		header( 'Location: ' . $File ); // But we will force it to drop them!
  182.  
  183. 		die( ); // Always secured
  184.  
  185. 	}
  186.  
  187. }
  188. // No form has been submitted
  189. else
  190. {
  191. 	// Check if session expired.
  192. 	if( isset($_SESSION['SLS_TIMEOUT']) && time( ) > $_SESSION['SLS_TIMEOUT'] )
  193. 	{
  194. 		$_SESSION['SLS_LOGGED'] = false;
  195.  
  196. 		showLoginPasswordProtect('Session expired.');
  197.  
  198. 		die( );
  199. 	}
  200.  
  201. 	// Check if logged in
  202. 	if( !$_SESSION['SLS_LOGGED'] )
  203. 	{
  204.     	showLoginPasswordProtect('');
  205.  
  206. 		die( );	
  207. 	}
  208.  
  209. 	// If logged in, keep session alive
  210. 	$_SESSION['SLS_TIMEOUT'] = time( ) + $Timeout;
  211.  
  212. }
  213.  
  214. // Display login form
  215. function showLoginPasswordProtect($error) 
  216. {
  217.  
  218. ?>
  219. 	<html lang="en">
  220. 	<head>
  221.  
  222.             <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  223.             <title>Login Panel</title>
  224. 			<link href="authPage.css" type="text/css" rel="stylesheet"/>
  225.  
  226. 	</head>
  227.  
  228. 	<body>
  229.  
  230.     <div class="login_form" id="login">
  231.  
  232.         <!-- Login form template `borrowed` from Github.com -->
  233.  
  234.         <form method="post" action="<? print $GLOBALS['File'] ?>">
  235.  
  236. 			<h1>Log in</h1>
  237.  
  238. 			<div class="formbody">
  239.  
  240. 			<?
  241.  
  242. 				if( !empty($error) )
  243. 					print '<div class="error_box">' . $error . '</div>';
  244.  
  245. 				if ( USERNAMES )
  246. 				{
  247.  
  248. 			?>		
  249.  
  250. 				<label for="login_field">
  251.  
  252. 					Login<br />
  253.  
  254. 					<input type="text" tabindex="1" style="width: 21em;" name="access_login" id="login_field" class="text" autocapitalize="off">
  255.  
  256. 		        </label>
  257.  
  258. 			<?
  259.  
  260. 				}
  261.  
  262. 			?>
  263.  
  264. 				<label for="password">
  265.  
  266. 					Password<br />
  267.  
  268. 					<input type="password" value="" tabindex="2" style="width: 21em;" name="access_password" id="password" class="text" autocomplete="disabled">
  269.  
  270. 				</label>
  271.  
  272. 				<label class="submit_btn">
  273.  
  274. 					<input type="submit" value="Log in" tabindex="3" name="commit">
  275.  
  276. 				</label>
  277.  
  278. 			</div>
  279.  
  280. 		</form>
  281.  
  282. 	</div>
  283.  
  284. </body>
  285.  
  286. </html>
  287.  
  288. <?
  289.  
  290. }
  291.  
  292. // Remove bans function
  293. function removeBans($input) 
  294. {
  295. 	$input->getElementsByTagName('Attempts')->item(0)->removeAttribute('val');
  296. 	$input->getElementsByTagName('Attempts')->item(0)->setAttribute('val', '0');
  297.  
  298. 	$input->getElementsByTagName('Banned')->item(0)->removeAttribute('val');
  299. 	$input->getElementsByTagName('Banned')->item(0)->setAttribute('val', '0');	
  300.  
  301. 	$input->getElementsByTagName('Timestamp')->item(0)->removeAttribute('val');
  302. 	$input->getElementsByTagName('Timestamp')->item(0)->setAttribute('val', '0');	
  303. }
  304.  
  305. ob_end_flush();
  306. ?>
[PHP] pobierz, plaintext



authPage.xml
[XML] pobierz, plaintext 
  1. <?xml version="1.0" encoding="utf-8"?>
  2. <attempts></attempts>
[XML] pobierz, plaintext



authPage.css
http://ideone.com/ZtPJl (nie zmieściło się do posta + mało istotne)


--- QUIT ---