Thread: Login System
-
06-06-2005, 06:16 PM #1Junior Guru Wannabe
- Join Date
- Oct 2004
- Location
- Israel
- Posts
- 70
Login System
This time it's a somewhat complex question. An expert's help would be highly appreciated.
I am trying to build a site on PHP, but can't think of a good login system for it.
I was told that the simple one (storing the username and password in the client's cookie and then checking them each time the user loads a page) is pretty much insecure.
Does anyone have a good algorithm for a secure system for handling users/logins with a "remember me" option?
Thanks in advance
-
06-06-2005, 07:15 PM #2New Member
- Join Date
- Jun 2005
- Location
- Hamburg
- Posts
- 3
Save the userid and a hash (e.g. md5) of the password in cookies.
So the password is not in plaintext and you can check if the user is authorized to log in automatically.
An alternative: Save a per-user random string plus a hash of the userid in one cookie every time the user reads the page. So if the cookie is read by a third person, it's impossible to say that it's user Charly and so on...
-
06-06-2005, 07:21 PM #3Junior Guru Wannabe
- Join Date
- Oct 2004
- Location
- Israel
- Posts
- 70
Oh, I see.
Thanks.
-
06-06-2005, 07:22 PM #4New Member
- Join Date
- Jun 2005
- Location
- Hamburg
- Posts
- 3
No problem ;-)
And now I go to bed.
1:22 AM MEST
-
06-07-2005, 07:50 AM #5Newbie
- Join Date
- May 2005
- Posts
- 14
Hi,
Alternatively you can use sessions to store the fact that the user has logged in. This uses a session cookie to send a session ID to/from the browser. The user information is not sent as part of the cookie, but stored on your server.
Code:
/* start the session */
session_start();

/* $db is assumed to be an open MySQL connection */
if (isset($_POST['user'], $_POST['pass'])) {
    $result = mysql_query("SELECT * FROM users WHERE user='"
        . mysql_escape_string($_POST['user'])
        . "' AND password='" . md5($_POST['pass']) . "'", $db);

    /* check that at least one row was returned */
    if (($result) && ($row = mysql_fetch_object($result))) {
        /* Log the user in */
        $_SESSION['user'] = $_POST['user'];
    }
}

if (isset($_SESSION['user'])) {
    /* escape the name before echoing it into HTML */
    echo "logged in as " . htmlspecialchars($_SESSION['user']) . "<BR>";
} else {
    echo "not logged in<BR>";
}
-
06-07-2005, 07:52 AM #6New Member
- Join Date
- Jun 2005
- Location
- Hamburg
- Posts
- 3
Sure. Using Sessions is (I think) a must. But that's not the 'Remember me' option :-)
-
06-07-2005, 09:08 AM #7Junior Guru Wannabe
- Join Date
- Oct 2004
- Location
- Israel
- Posts
- 70
Oh, thanks everyone!
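
The "per user random string" cookie from post #2, used as a "remember me" token next to the session from post #5, shown as an added example that is not code from any poster in this thread. It goes beyond the posts by splitting the cookie into a lookup selector and a secret validator, storing only a hash of the validator, and rotating the token on every use. The in-memory `$store` array (standing in for a database table), the function names and the user id 42 are assumptions.

```php
<?php
// Added example. $store stands in for a database table (hypothetical schema):
// selector => ['user_id' => int, 'hash' => string, 'expires' => int]
$store = [];

// Issue a token at login when "remember me" is ticked; returns the cookie value.
function issue_remember_token(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, only the browser holds it
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // server keeps only the hash
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Check a cookie value. Returns [userId, replacementCookieValue] or null.
function consume_remember_token(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use: the row is gone either way
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // expired or wrong validator
    }
    // Rotate: a copied cookie stops working once the token has been used.
    return [$row['user_id'], issue_remember_token($store, $row['user_id'])];
}

// Constructed demo values.
$cookie = issue_remember_token($store, 42);
// In a page the value would be sent with:
// setcookie('remember', $cookie, ['expires' => time() + 1209600, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
[$uid, $next] = consume_remember_token($store, $cookie);  // first use of a fresh token
var_dump($uid === 42);
var_dump(consume_remember_token($store, $cookie));        // replay of the same value
var_dump(consume_remember_token($store, 'bogus:value'));  // unknown selector
```

On a successful check the page would set `$_SESSION['user']` as in post #5, call `session_regenerate_id(true)`, and send the replacement value back as the new cookie.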