[FAQ] How to implement a login system?


R. Rajesh Jeba Anbiah

Mar 13, 2005, 1:36:22 PM
Q: How to implement a login system?
A: Use sessions. When the user logs in, store the session id in the
database and then compare the current session id with the one stored in
the database on every page. You may also check the IP, but it may break
if the user is behind a proxy.

Refer:
http://www.php.net/session
http://www.mt-dev.com/2002/07/creating-a-secure-php-login-script/
http://www.mt-dev.com/2002/09/php-login-script/

+++++
@todo Info about other authentications, better link to the login
implementation (above links use obsolete style)

Nicholas Sherlock

Mar 14, 2005, 2:43:47 AM
R. Rajesh Jeba Anbiah wrote:
> Q: How to implement a login system?
> A: Use sessions. When the user logs in, store the session id in the
> database and then compare the current session id with the one stored in
> the database on every page. You may also check the IP, but it may break
> if the user is behind a proxy.

Hm.. I'm currently running things so that when the user logs in, I store
the user's ID as a session variable, then check that ID in every page to
see if the user is logged on, and who it is. Are there any problems with
this scheme?

Cheers,
Nicholas Sherlock

Brent Palmer

Mar 14, 2005, 3:06:10 AM
That sounds right.
Don't forget to refresh your page to acknowledge if the user is still logged
in or not. That way if the user has not updated the session they must be
logged off.

Brent Palmer.

"Nicholas Sherlock" <n_she...@hotmail.com> wrote in message
news:d13fbu$2bc$1...@lust.ihug.co.nz...

R. Rajesh Jeba Anbiah

Mar 14, 2005, 4:38:20 AM
Nicholas Sherlock <n_she...@hotmail.com> wrote in message news:<d13fbu$2bc$1...@lust.ihug.co.nz>...
<snip>

> Hm.. I'm currently running things so that when the user logs in, I store
> the user's ID as a session variable, then check that ID in every page to
> see if the user is logged on, and who it is. Are there any problems with
> this scheme?

Such a system allows multiple logins, though both systems allow
session hijacking (if without IP/user agent checking).

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Chung Leong

Mar 14, 2005, 1:08:00 PM
"R. Rajesh Jeba Anbiah" <ng4rrj...@rediffmail.com> wrote in message
news:1110738982....@g14g2000cwa.googlegroups.com...

> Q: How to implement a login system?
> A: Use sessions. When the user logs in, store the session id in the
> database and then compare the current session id with the one stored in
> the database on every page. You may also check the IP, but it may break
> if the user is behind a proxy.

A rather large topic to cover. A link to a tutorial might be more suitable
here.

The issue of multiple login under the same user should be dealt with
separately, I think.


R. Rajesh Jeba Anbiah

Mar 14, 2005, 9:59:20 PM
Chung Leong wrote:
> > Q: How to implement a login system?
> > A: Use sessions. When the user logs in, store the session id in the
> > database and then compare the current session id with the one stored in
> > the database on every page. You may also check the IP, but it may break
> > if the user is behind a proxy.
>
> A rather large topic to cover. A link to a tutorial might be more
> suitable here.

I'm not sure if the links I added aren't enough.

> The issue of multiple login under the same user should be dealt with
> separately, I think.

So, please fix it and post revised contents.

R. Rajesh Jeba Anbiah

Mar 16, 2005, 11:50:55 AM
Q: How to implement a login system?
A: A login/authentication system can be implemented in many ways:
1. Basic login system:
When the user logs in, set a cookie or session variable and expect
that variable on every page.
2. Session-based login:
a. When the user logs in, store the session id in the database and
then compare the current session id with the one stored in the database
on every page.
b. Check the logged-in user's IP on every page.
c. Check the logged-in user's browser on every page. You may use the
user agent string ($_SERVER['HTTP_USER_AGENT']) or a hash of it.

Caveats:
(1) will definitely allow multiple logins and may allow session
hijacking.
(2a) alone may allow session hijacking.
(2b) may break if the user is behind a proxy.
(2b)&(2c) If the session alone (without storing in the database) is used
as storage, it may break.
(1), (2a), (2c with database) may provide enough security.

+++++
@revision 2 Fixed answer for clarity. See Chung's comment

@todo Info about other authentications, better link to the login
implementation (above links use obsolete PHP style)
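Added example, not code from the FAQ entry or from anyone in this thread: a PHP implementation of the session-based scheme described in the revised answer above and in the original Q/A at the top of the thread, covering 2a (session id stored in the database and compared on every page) and 2c (hash of the user agent), with the 2b IP check as an option that is off by default because of the proxy caveat. It assumes PHP 7.1+ with PDO and SQLite; the `users` table and its columns, the functions `login`, `current_user`, `logout` and `ua_hash`, and the sample account are constructed for this example and are not from the FAQ.

```php
<?php
// Added example (not from the FAQ or the thread): items 2a, 2b and 2c of the
// revised answer. Assumes PHP 7.1+ with PDO/SQLite; table, columns, function
// names and the sample account are constructed for illustration.
declare(strict_types=1);

// The session id is accepted only from a cookie that script cannot read, and
// an id the server never issued is not adopted (strict mode).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Constructed storage: an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    session_id TEXT,
    ua_hash TEXT,
    ip TEXT
)');
// Constructed account; only a salted hash of the password is stored.
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

function ua_hash(): string
{
    // Item 2c: a hash of the user agent string rather than the raw string.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(PDO $db, string $username, string $password): bool
{
    $sel = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $sel->execute([$username]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh id at login, so an id handed out before authentication is never
    // promoted to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    // Item 2a: record the session id server-side. One stored id per user
    // means a second login overwrites it and the first browser fails the
    // comparison on its next page.
    $upd = $db->prepare('UPDATE users SET session_id = ?, ua_hash = ?, ip = ? WHERE id = ?');
    $upd->execute([session_id(), ua_hash(), $_SERVER['REMOTE_ADDR'] ?? '', $row['id']]);
    return true;
}

function logout(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        $clr = $db->prepare('UPDATE users SET session_id = NULL, ua_hash = NULL, ip = NULL WHERE id = ?');
        $clr->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Called on every page: returns the user id, or null if the visitor must log in.
function current_user(PDO $db, bool $check_ip = false): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $sel = $db->prepare('SELECT session_id, ua_hash, ip FROM users WHERE id = ?');
    $sel->execute([$_SESSION['user_id']]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $ok = $row !== false
        // Item 2a: the id presented now must be the one recorded at login.
        && hash_equals((string) $row['session_id'], session_id())
        // Item 2c: the browser must look the same as it did at login.
        && hash_equals((string) $row['ua_hash'], ua_hash())
        // Item 2b, off by default: users behind a proxy may change address.
        && (!$check_ip || hash_equals((string) $row['ip'], $_SERVER['REMOTE_ADDR'] ?? ''));
    if (!$ok) {
        logout($db);   // on any mismatch, end the session instead of trusting it
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Demonstration with a constructed request context (no real browser).
$_SERVER['HTTP_USER_AGENT'] = 'ExampleBrowser/1.0';
$_SERVER['REMOTE_ADDR'] = '192.0.2.10';
$results = [];
$results['login, wrong password'] = login($db, 'alice', 'wrong password');
$results['login, right password'] = login($db, 'alice', 'correct horse battery staple');
$results['page with same browser'] = current_user($db);
$_SERVER['HTTP_USER_AGENT'] = 'OtherBrowser/2.0';   // user agent changes
$results['page with other browser'] = current_user($db);
var_dump($results);   // output is collected and printed after the session calls
```

Run it from the command line. Storing one session id per user is what closes the multiple-login gap Rajesh mentions: the next login overwrites the stored id, so the earlier browser fails the 2a comparison on its next page. The user-agent hash and the IP check are second-line fingerprints, so a session id presented from a different browser (as in the last step of the demonstration) or address is rejected; since a proxy can change a legitimate user's address between requests, `$check_ip` defaults to false, which is the (2b) caveat in the answer.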
