The basic model for password authentication is to use one-way crypt routines. MySQL has several, PHP also has them. The basic algorithm would be like this:

1) read the password from the form.
2) read the password from your datastore that matches the user name or session
3) encrypt the password on the form.
4) do a string comparison between the database data and the encrypted password from the form.

This of course assumes that you have been encrypting your passwords when you store them (always good practice), so I think this translates to php as (forgive me if this is bogus, it's been a while since I've done any php)

    <?php
    # The salt should be the same salt used when storing passwords to your
    # database, otherwise it won't work.
    $salt = 'someglobalsaltstring';
    $passwd = crypt($_GET['passwd'], $salt);
    # $userObject is the interface between your software and your user data.
    if ($passwd === $userObject->getPassword()) {
        return 1;
    } else {
        return 0;
    }
    ?>

So I've not tested this obviously, but you would have to have a $userObject which is your interface between your software and your user data.

Hope it helps,
Carl.

PJ wrote:
> PJ wrote:
>
>> Jason Carson wrote:
>>
>>>> On Mon, Jul 6, 2009 at 02:19, Jason Carson<jason@xxxxxxxxxxxxxx> wrote:
>>>>
>>>>> ok, I have two sets of scripts here. One uses setcookie() for logging
>>>>> into the admin panel and the other uses session_start(). Both are
>>>>> working fine, is one more secure than the other?
>>>>>
>>>> $_COOKIE data is written to a file that is readable/writeable and
>>>> stored on the user's side of things. $_SESSION data is written to the
>>>> server, with a cookie stored on the user's side containing just the
>>>> PHPSESSID (session ID) string to identify the session file on the
>>>> server.
>>>>
>>>> So determining which is better and/or more secure is really a
>>>> matter of the data held there and how it's handled. If storing things
>>>> like usernames or you absolutely want to store personal data in an
>>>> active session, do so in $_SESSION. If you're storing a password or
>>>> credit card number in the active session, you may as well do it in
>>>> $_COOKIE, because you're already using an insecure model. ;-P
>>>>
>>>> --
>>>> </Daniel P. Brown>
>>>> daniel.brown@xxxxxxxxxxxx || danbrown@xxxxxxx
>>>> http://www.parasane.net/ || http://www.pilotpig.net/
>>>> Check out our great hosting and dedicated server deals at
>>>> http://twitter.com/pilotpig
>>>>
>>>> --
>>>> PHP General Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>> Well I'm a newbie when it comes to PHP and programming. I guess I need to
>>> read up on login security. Do you know of, or recommend, any websites that
>>> will show me how to secure my login model (Using cookies or sessions).
>>>
>> Hi Jason,
>> I'm probably not any wiser than you, but I have just (today) discovered
>> an interesting site that seems to have some really clear explanations
>> and tutorials re php, MySQL et al.
>> It's worth looking at (I'm trying to implement something like what you
>> are, as well):
>> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
>> HTH,
>> PJ
>>
> I just found another site which is easier to deal with (chapter
> references) and seems to be the original source of the brainbell site:
> http://home.bolink.org/ebooks/webP/webdb/index.htm
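An added example, not part of any message in this thread: the four steps from the top reply written with PHP's password_hash() and password_verify(), which use a random salt per password instead of one global salt, followed by a login that keeps only the user name in $_SESSION. It assumes PHP 7.3 or later; the $users array, the function names and the sample password are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory user store (user name => stored hash). In a real
// application this is the row read from the database in step 2.
// password_hash() embeds a random per-password salt in its output.
$users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Verified against when the user name is unknown, so that known and
// unknown names cost the same amount of hashing work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

// Steps 1-4: true only when the submitted password matches the stored hash.
function check_login(array $users, string $dummyHash, string $name, string $password): bool
{
    $known = array_key_exists($name, $users);
    // password_verify() re-hashes with the salt stored inside the hash and
    // compares the result in constant time.
    $ok = password_verify($password, $known ? $users[$name] : $dummyHash);
    return $known && $ok;
}

// On success the server-side session records who is logged in. Neither the
// password nor its hash goes into $_SESSION or into a cookie.
function log_in(array $users, string $dummyHash, string $name, string $password): bool
{
    if (!check_login($users, $dummyHash, $name, $password)) {
        return false;
    }
    session_regenerate_id(true); // fresh session ID once the user is authenticated
    $_SESSION['user'] = $name;   // the browser only ever holds the session ID
    return true;
}

session_start([
    'cookie_httponly' => true,   // session cookie not readable from JavaScript
    'cookie_secure'   => true,   // sent over HTTPS only
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,   // reject session IDs the server did not issue
]);

// In a web request the two values would come from $_POST, not $_GET.
$wrong = log_in($users, $dummyHash, 'admin', 'guess');
$right = log_in($users, $dummyHash, 'admin', 'correct horse battery staple');
var_dump($wrong, $right, $_SESSION);
```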