User Auth

Anonymous

Guest
The easiest way is to develop a small script to check the password, and 'include' it at the beginning of every page. Regardless of what page is accessed, the script will be run and should only do something if there's a problem. If you're using Apache you can also use it to invoke a password feature; an example and explanation is here
 
Use the superglobal arrays to prevent him using the cookie value in the URL. On the first access (when the session is started), validate the cookie with your online database or something, so the session is validated. Then you don't need the cookie!
 
For a user that wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. In other words, I place the username and password in a variable and use "session_register();" with that variable. Each time a page is called these variables are available.

You can then check that variable each time to see if the user has enough access rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

If I'm not completely clear, let me know.

Greetz Daan
 
First make a "normal" page with a form to get username and password (use type=password for the password field).
When the form is posted:
Code:
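session_start(); // must run before $_SESSION is used

// verify_logon() checks the credentials and returns a boolean
if (verify_logon($_POST['username'], $_POST['password']))
{
    // session_register() was removed in PHP 5.4; assign to $_SESSION directly
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
    print('login successful');
}
else
{
    print('Login failed');
}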
Now you can access the username and password on each following page.
Remember to use $_SESSION['username'] and $_SESSION['password'], and you have to use session_start().
Also keep in mind that those variables are not set initially (before login).

this is a semi-copy from my code, verify_login checks if username and password are correct and returns a boolean.

I think you can fill in the rest of the gaps.

Greetz Daan
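
An added example, not code posted by anyone in this thread: the login-then-session approach described above, with the password checked once against a stored hash and only the username and role kept in the session. The `$users` array, the sample password, and the `login()` / `require_login()` names are assumptions made for the demo.

```php
<?php
// Added example, not code from this thread. $users is a constructed stand-in
// for the database table; the names login() and require_login() are assumptions.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// The table needs a username and a password *hash* (plus whatever rights you check).
$users = [
    'daan' => ['hash' => password_hash('s3cret-demo', PASSWORD_DEFAULT), 'role' => 'admin'],
];

// Checks the posted credentials against the stored hash; returns a boolean.
function verify_logon(array $users, string $username, string $password): bool
{
    return isset($users[$username])
        && password_verify($password, $users[$username]['hash']);
}

// Call once, when the login form is posted.
function login(array $users, string $username, string $password): bool
{
    if (!verify_logon($users, $username, $password)) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id once the user is authenticated
    $_SESSION['username'] = $username;     // keep the identity, not the password
    $_SESSION['role'] = $users[$username]['role'];
    return true;
}

// The check to include at the top of every protected page.
function require_login(?string $role = null): bool
{
    if (!isset($_SESSION['username'])) {
        return false;                       // not set before login
    }
    return $role === null || $_SESSION['role'] === $role;
}

// Demo with constructed input; results are collected first and printed last.
$results = [
    'before login'   => require_login(),
    'wrong password' => login($users, 'daan', 'guess'),
    'right password' => login($users, 'daan', 's3cret-demo'),
    'admin page'     => require_login('admin'),
];
foreach ($results as $step => $ok) {
    echo $step, ': ', $ok ? 'allowed' : 'denied', PHP_EOL;
}
```

On a real site the `secure` cookie flag only has an effect when the pages are served over HTTPS.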
 
dvdbinternet said:
For a user that wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. In other words, I place the username and password in a variable and use "session_register();" with that variable. Each time a page is called these variables are available.

You can then check that variable each time to see if the user has enough access rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

If I'm not completely clear, let me know.

Greetz Daan
You realise that's more or less exactly what I said :wink:
 
Hey guys.

I'm new to this login and security stuff, but I want to learn..
This all looks very interesting. Could someone help me out with some sample code for the session thing?
Do I need to store anything else in the database than password and username?

thanks
 
hehe...
so I guess there's not a lot of action here...
 
here's a good tutorial that might help

http://www.devshed.com/Server_Side/PHP/UserAuth/page1.html
 
Thanks a lot for that.. I think I'm on my way now.. ;)

I'm trying to do something like the one in that link you gave me but I'm having trouble with links...

In the code on that page there's a logout function. It's just a link to a logout PHP page but the link doesn't work...
the link is <a href="/index.php>Goodbye</a> but the browser tries to get http://localhost/public/admin/inner.sanctum.php/index.php

Why does it automatically add the current page address in front of the link address?
 
sorry.. that was just a typo here. I have a closing " in the code..
 
tried that and it's the same.. the url becomes the url of the page the link is on and the real url after...

can it have something to do with the session?
 
tranquillo said:
tried that and it's the same.. the url becomes the url of the page the link is on and the real url after...

can it have something to do with the session?
destroy
 
Is there a way that hackers or sniffers can sweep these usernames and passwords? If yes, is there any alternative to secure our authentication script?
 
DyoWeL said:
Is there a way that hackers or sniffers can sweep these usernames and passwords? If yes, is there any alternative to secure our authentication script?
You mean that you want to protect your site?
 