[FAQ] How to implement a login system?
R. Rajesh Jeba Anbiah
A: Use sessions. When the user logins, store the session id in the
database and then compare the current session id with the one stored in
the database on every page. May also check IP; but it may break if the
user is behind proxy.
Refer:
http://www.php.net/session
http://www.mt-dev.com/2002/07/creating-a-secure-php-login-script/
http://www.mt-dev.com/2002/09/php-login-script/
+++++
@todo Info about other authentications, better link to the login
implementation (above links use obsolete style)
Nicholas Sherlock
> Q: How to implement a login system?
> A: Use sessions. When the user logins, store the session id in the
> database and then compare the current session id with the one stored in
> the database on every page. May also check IP; but it may break if the
> user is behind proxy.
Hm.. I'm currently running things so that when the user logs in, I store
the user's ID as a session variable, then check that ID in every page to
see if the user is logged on, and who it is. Are there any problems with
this scheme?
Cheers,
Nicholas Sherlock
Brent Palmer
Don't forget to refresh your page to acknowledge if the user is still logged
in or not. That way if the user has not updated the session they must be
logged off.
Brent Palmer.
"Nicholas Sherlock" <n_she...@hotmail.com> wrote in message
news:d13fbu$2bc$1...@lust.ihug.co.nz...
R. Rajesh Jeba Anbiah
> Hm.. I'm currently running things so that when the user logs in, I store
> the user's ID as a session variable, then check that ID in every page to
> see if the user is logged on, and who it is. Are there any problems with
> this scheme?
Such system allows multiple logins, though both systems allow
session hijacking (if without IP/user agent checking)
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
Chung Leong
news:1110738982....@g14g2000cwa.googlegroups.com...
> Q: How to implement a login system?
> A: Use sessions. When the user logins, store the session id in the
> database and then compare the current session id with the one stored in
> the database on every page. May also check IP; but it may break if the
> user is behind proxy.
A rather large topic to cover. A link to a tutorial might be more suitable
here.
The issue of multiple login under the same user should be dealt with
separately, I think.
R. Rajesh Jeba Anbiah
> > Q: How to implement a login system?
> > A: Use sessions. When the user logins, store the session id in the
> > database and then compare the current session id with the one
stored in
> > the database on every page. May also check IP; but it may break if
the
> > user is behind proxy.
>
> A rather large topic to cover. A link to a tutorial might be more
suitable
> here.
I'm not sure, if the links I added isn't enough.
> The issue of multiple login under the same user should be dealt with
> separately, I think.
So, please fix it and post revised contents.
R. Rajesh Jeba Anbiah
1. Basic login system:
When the user logins, set a cookie or session variable and expect
that variable in every pages.
2. Sessions based login:
a. When the user logins, store the session id in the database and
then compare the current session id with the one stored in the database
on every page.
c. Check logged in user's browser on every page. May use the user
agent string ($_SERVER['HTTP_USER_AGENT']) or hash of it.
Caveats:
(1) will definitely allow multiple logins and may allow session
hijacking.
(2a) alone may allow session hijacking.
(2b) may break if the user is behind proxy.
(2b)&(2c) If session alone (without storing in database) is used as a
storage, it may break.
(1), (2a), (2c with database) may provide enough security.
Refer:
http://www.php.net/session
http://www.mt-dev.com/2002/07/creating-a-secure-php-login-script/
http://www.mt-dev.com/2002/09/php-login-script/
+++++
@revision 2 Fixed answer for clarity. See Chung's comment
@todo Info about other authentications, better link to the login
implementation (above links use obsolete PHP style)