
Tony Thomas

Oct 8, 2002, 12:50:19 PM
I'm relatively new to PHP and MySQL. I'm creating a web site run with
PHP and MySQL where the client will be able to log in and alter the
content on their own. The only issue I have is making sure the login
process is secure so no one can get in and update content except the
client.

I have all password information in a secure location. (Outside the www
folder.) I've been reading about user sessions, but there seems to be
some concern that this alone is not that secure. What I haven't found is
recommendations on what combination of things I should use to make the
login process more secure.

The site will be on a shared server that I do not own, so I'm relying on
the third party to handle the Apache related security issues. I want to
know what I should be using with PHP to make sure it's as difficult as
possible for an unauthorized user to login and access the MySQL data.

Any suggestions? Links?

Thanks,

Tony

kanarip

Oct 8, 2002, 6:35:24 PM
I would use the WWW-Authenticate header:

header("WWW-Authenticate: Basic realm=\"Homepage Users\"");

Try and test if the user has already authed once (in this session):

function http_auth()
{
    header("WWW-Authenticate: Basic realm=\"Homepage Users\"");
    header("HTTP/1.1 401 Unauthorized");
    access_denied();
}

function access_denied()
{
    // Some "You didn't log in properly" message
    print("You didn't log in properly.");
    exit; // stop here so the protected code below never runs
}

// The browser answers the 401 challenge by sending the credentials, which PHP
// exposes in $_SERVER (the original relied on register_globals for $PHP_AUTH_USER).
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
    http_auth();
} else {
    connect_db();
    // Escape the user-supplied values before they go into the query
    $user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
    $pwd  = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);
    $result = mysql_query("SELECT id,name,password FROM members WHERE name = '$user' AND password = PASSWORD('$pwd')");
    if ($row = mysql_fetch_array($result)) {
        //
        // Do all the things you need...
        //
    } else {
        access_denied();
    }
}

Every time someone would come back to this page, it would look if the user
is authed... I use this in an index.php, and call to it like
index.php?admin=members&action=edit&member=23059

kanarip.
--
http://www.kanarip.com


Rob Hanssen

Oct 10, 2002, 3:20:13 AM

"Tony Thomas" <to...@truetone.org> wrote in message
news:tony-AFD725.1...@news.uswest.net...

> I'm relatively new to PHP and MySQL. I'm creating a web site run with
> PHP and MySQL where the client will be able to log in and alter the
> content on their own. The only issue I have is making sure the login
> process is secure so no one can get in and update content except the
> client.
>
> Any suggestions? Links?

For my own site I wrote the following script with an authentication object
(see http://www.catalysis.nl/~rob/Auth.phps). All you need to do, is add

$auth = new Auth($pagelevel);

at the top of the script and secure your database transactions with

if ($auth->isPermitted($pagelevel)) yadayada.etc.

You should have a database with the following structure to use it properly.
Please mind that authorization levels increase with decreasing numbers (ADMIN
= 1, VIEW = 99).

CREATE TABLE users (
    userid varchar(255) NOT NULL default '',
    username varchar(255) default NULL,
    password varchar(255) default NULL,
    permission int(2) default NULL,
    PRIMARY KEY (userid)
);

One of the security problems with this script I know on a shared server, is
the manipulation of session files by another user, but a reliable hosting
company should have secured this problem on their servers. A solution for
that is storing your session data in the database. You would have to rewrite
some functions for that.

Hope this helps,
Rob.

