Re: Log-in script help

[Tom <tom@xxxxxxxxxxxxxxxxxxxxx>]

Joe Harman wrote:

> Hey Andrew... 
>
> IN MY OPINION... forget the cookies... only use php sessions... but
> like I said IMO.... you can never rely on the end user having them
> cookies enabled... same with things like javascript...
>
> let me outline some steps for you... everyone else... feel free to
> state pros and cons to theses.. cause i always make mistakes, or
> forget things :o)
>
> 1. get the user's access info... ie username & password
>
> 2. look for the user in the database that stores the access infro
>
> 3. if access is granted, I usually set 2 session variables
>      a. $_SESSION['auth'] = TRUE      // They are authorized
>      b. $_SESSION['user_id'] = {who}  // Who is it
>      a. $_SESSION['user_level'] = {level} // What level access do
> they have (optional)
>
> 4. at the beginning of each restricted access page, verify that they
> are authorized to access that page... if they are not redirect them to
> a access denied page.
>
>
> that should get you started... maybe the second step would be to make
> this stuff into functions... ... also, IMO.. it's a good idea to make
> a logout script that will distroy that user's active session...
my turn for an IMO :) - my preference is to have a check on the function 
that writes the $_SESSION vars or the cookie (I generally use encrypted 
cookies which are in turn restricted to certain areas of the site). This 
check is on the referer - if it's not from a foreign URL, then write 
them new as if the user is non auth. This stops people on public 
machines from hitting a back button and being authenticated as the 
previous user.
Tom

> not
> sure what your PHP experience is... but hopefully the above steps will
> help you out some..
>
> Cheers!
> Joe
>
>
>
>
>
> On 25 Jan 2005 17:35:08 -0600, Bret Hughes <bhughes@xxxxxxxxxxxxx> wrote:
>  
>
> > On Tue, 2005-01-25 at 16:45, AceZero2790@xxxxxxx wrote:
> >    
> >
> > > Hey,
> > >       I need a particular type log in script. I'm not sure how to do it or
> > > where I could find a tutorial that would help me, so I'll describe what I need
> > > and then maybe someone could tell me what kind of script I need (sessions or
> > > whatever) and where I could get the script/learn how to make it.
> > >       I need a pretty basic log in script. Something that people log in to,
> > > and the page and all linked/related pages cannot be accessed unless the person
> > > has logged in.
> > >       So what do I need for this? Cookies, sessions both? And where can I
> > > learn how?
> > >
> > > -Andrew
> > >      
> > I use the pear auth package and like it alot.  I know I did some
> > modification for our purposes but I suspect it works out of the box.
> >
> > All you do is include auth.php on all pages you want to protect and it
> > will direct you to a login page if you have not logged in.  Pretty cool
> > stuff.
> >
> > http://pear.php.net/package/Auth
> > HTH
> >
> > Bret
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> >    
>
>  

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php