
Thread: Login System

  1. #1
    Join Date
    Oct 2004
    Location
    Israel
    Posts
    70

    Login System

    This time it's a somewhat complex question. Help from an expert would be highly appreciated.
    I am trying to build a site on PHP, but can't think of a good login system for it.
    I was told that the simple one (storing the username and password in the client's cookie and then checking them each time the user loads a page) is pretty much insecure.
    Does anyone have a good algorithm for a secure system for handling users/logins with a "remember me" option?

    Thanks in advance

  2. #2
    Save the userid and a hash (e.g. md5) of the password in cookies.
    So the password is not in plaintext and you can check if the user is authorized to log in automatically.
    An alternative: Save a per-user random string plus a hash of the userid in one cookie every time the user reads the page. So if the cookie is read by a third person, it's impossible to say that's user Charly or so on...

  3. #3
    Join Date
    Oct 2004
    Location
    Israel
    Posts
    70
    Oh, I see.
    Thanks.

  4. #4
    No problem ;-)
    And now I go to bed.

    1:22 AM MEST

  5. #5
    Hi,

    Alternatively you can use sessions to store the fact that the user has logged in. This uses a session cookie to send a session ID to/from the browser. The user information is not sent as part of the cookie, but stored on your server.

    Code:
    /* start the session */
    session_start();
    
    /* $db is an open MySQL connection created elsewhere */
    if (isset($_POST['user'], $_POST['pass']))
    {
        $result = mysql_query("SELECT * FROM users WHERE user='".mysql_real_escape_string($_POST['user'], $db)."' AND password='".md5($_POST['pass'])."'", $db);
    
        /* check that at least one row was returned */
        if (($result) && ($row = mysql_fetch_object($result)))
        {
            /* Log the user in */
            $_SESSION['user'] = $_POST['user'];
        }
    }
    
    if (isset($_SESSION['user']))
    {
        /* escape the name before writing it into the page */
        echo "logged in as ".htmlspecialchars($_SESSION['user'])."<BR>";
    }
    else
    {
        echo "not logged in<BR>";
    }
    Quality web hosting: http://www.z-host.com

  6. #6
    Sure. Using Sessions is (I think) a must. But that's not the 'Remember me' option :-)

  7. #7
    Join Date
    Oct 2004
    Location
    Israel
    Posts
    70
    Oh, thanks everyone!
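
The "per user random string" idea from post #2, generalized into a single-use remember-me token that sits alongside the server-side session from post #5. This is an added example, not code from the thread; the function names, the 30-day lifetime and the in-memory `$store` (a stand-in for a database table) are assumptions.

```php
<?php
// Added example: remember-me tokens. $store is a constructed in-memory
// stand-in for a database table (selector => [user, validator hash, expiry]).
const REMEMBER_TTL = 30 * 24 * 3600; // assumed lifetime: 30 days

function issueToken(array &$store, string $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, only the browser keeps it
    $store[$selector] = [
        'user'    => $userId,
        'hash'    => hash('sha256', $validator), // server never stores the raw secret
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;     // value for the cookie
}

// Returns [userId, replacementCookie] on success, or null.
function redeemToken(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use, whatever the outcome
    if ($row['expires'] < $now
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired or wrong secret
    }
    return [$row['user'], issueToken($store, $row['user'], $now)];
}

// Constructed walk-through; in a real page the cookie would be sent with
// setcookie(..., ['secure' => true, 'httponly' => true, 'samesite' => 'Lax'])
// and a success would be followed by session_regenerate_id(true).
$store = [];
$now = time();
$cookie = issueToken($store, 'charly', $now);
[$user, $next] = redeemToken($store, $cookie, $now);
var_dump($user === 'charly');                            // first use succeeds
var_dump(redeemToken($store, $cookie, $now) === null);   // replay is rejected
var_dump(redeemToken($store, $next, $now + REMEMBER_TTL + 1) === null); // expired
```

The cookie never carries the password or a hash of it, so a copied cookie can be revoked by deleting one row and does not help recover the account password.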
