Site Protection Question

Anonymous

Guest
Hey All,
I'm trying to find out the best way to protect the members area of a site with the use of cookies. Until now I have found the code below to be the best way to protect it with. This is an example of something similar I use. If you find a better way to do so, please get back to me.

Code:
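<?php

/* THIS IS USED TO ENCODE THE PASSWORD WHEN SETTING THE COOKIE */
function pw_encode($password)
{
	// Build an 8-character hex seed that is hashed together with the password
	$seed = "";
	for ($i = 1; $i <= 8; $i++) {
		$seed .= substr('0123456789abcdef', rand(0, 15), 1);
	}
	// Result: 32-character md5 hex digest followed by the 8-character seed
	return md5($seed.$password).$seed;
}


/* THIS IS USED TO CHECK IF THE PASSWORD FROM THE MYSQL DATABASE EQUALS THE ENCODED PASSWORD */
function pw_check($password, $stored_value)
{
	// The seed is the 8 characters that follow the 32-character md5 digest
	$stored_seed = substr($stored_value, 32, 8);
	// Strict comparison so that two hex strings are never compared as numbers
	if (md5($stored_seed.$password).$stored_seed === $stored_value)
		return "1";
	else
		return "2";
}

/* PULL OUT THE USERNAME FROM THE DATABASE WITH THE COOKIE */
// Read the cookie once (quoted array key) and escape it before it goes into the SQL string
$cookie_user = isset($_COOKIE['USERNAME']) ? $_COOKIE['USERNAME'] : '';
$a = mysql_query("SELECT `user` FROM `user` WHERE `user` = '".mysql_real_escape_string($cookie_user)."'");
$b = mysql_fetch_array($a);

/* CHECK WITH THE FUNCTION CREATED IF USERNAME FROM DATABASE EQUALS ENCODED COOKIE USERNAME */
if (pw_check($b['user'], $cookie_user) == '2')
{
	echo "FAIL THE USERNAME IS INCORRECT";
	exit;
}
?>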

Thanks in advance if you have any ideas..
 
First of all: cookies are not the best way... The best way would be database-managed sessions that can be deleted by a simple click of a button in admin, which will result in kicking the user from the members area.

As you know, cookies are not always allowed by users and it's best not to use those... Try using database-stored and managed sessions, with only one small thing in $_SESSION: the session id that is stored in the DB... Also take a good look at the phpBB sessions.php file; you may want to implement something like that as well.
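
The database-managed sessions suggested in the reply above, as an added example that is not part of the original thread and is not phpBB's code. The `sessions` table and the `members_*` function names are hypothetical, and an in-memory SQLite database (via PDO) stands in for the site's MySQL database so the script runs on its own.

```php
<?php
// Added example: table and function names are hypothetical; SQLite in memory
// stands in for the site's MySQL database so the script is self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY, user TEXT NOT NULL, expires INTEGER NOT NULL)');

// Login: create a random session id and store only its hash server-side.
function members_login(PDO $pdo, $user, $ttl = 3600)
{
    $token = bin2hex(random_bytes(32));      // unguessable, carries no user data
    $stmt = $pdo->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
    $stmt->execute(array(hash('sha256', $token), $user, time() + $ttl));
    return $token;                           // the only value the client holds
}

// Every members-area page: look the id up; no live row means no access.
function members_check(PDO $pdo, $token)
{
    if (!is_string($token) || $token === '') {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT user FROM sessions WHERE token_hash = ? AND expires > ?');
    $stmt->execute(array(hash('sha256', $token), time()));
    $user = $stmt->fetchColumn();
    return $user === false ? null : $user;
}

// Admin "kick" button: delete the user's rows so the next request is refused.
function members_kick(PDO $pdo, $user)
{
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE user = ?');
    $stmt->execute(array($user));
    return $stmt->rowCount();
}

// Constructed walk-through with a made-up user name.
$token = members_login($pdo, 'alice');
var_dump(members_check($pdo, $token));       // id issued at login
var_dump(members_check($pdo, 'forged-id'));  // id that was never issued
members_kick($pdo, 'alice');
var_dump(members_check($pdo, $token));       // same id after the admin kick
```

The value returned by `members_login` is the "one small thing" to keep in `$_SESSION`; the user name and expiry live only in the database row, so deleting the row ends the session regardless of what the browser still holds.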
 
Aight, good to know, thanks for the info man.. I'll check it out.
 