On Mon, 2003-04-14 at 14:07, Jonathan Villa wrote:
> Is there anything wrong with using this method for authentication to
> log in to an application and then to make sure that only the user that is
> logged in is able to use/see the application?
>
> 1. after submitting the form, the username and password are used to
> query the database, and if that combination is found, I do the following
>
> $_SESSION['current_user'] = sessionid();
> header("admin/main.php");

This should be:

header( "Location: admin/main.php" );

> I have a header.php file which is included in every page, and the code
> on this page is the HTML header for my application (navigation, images,
> etc.) but more important right now is
>
> <a href="<? $_SERVER['PHP_SELF'] ?>?logout=logout">Logout</a>
>
> Then in header.php, I include another file called verify_session.php
> which has the following code
>
> if ($_SESSION['current_user'] != sessionid())
>     header("login/login.php");
> if ($_REQUEST['logout'] == "logout")
> {
>     $_SESSION['current_user'] = NULL;
>     header("login/login.php");
> }
>
> here is a semi-complete example
>
> <?
> include_once("header.php");
> ?>
>
> some page content
>
> <?
> include_once("footer.php");
> ?>
>
> And in header.php I have
>
> <?
> include_once("access/verify_session.php");
> ?>
> <html>
> <head>
> <title>Title of my page</title>
> </head>
>
> <body>
> <table>
> <tr>
> etc, etc, etc....
>
> So in summary, is there anything wrong with this logic? Can it be
> easily hacked? Is it best practice?
>
> I have used it in many applications and it works perfectly; however, it
> has come into question (despite the fact that it has not failed). My
> usernames are stored in the db as plain text and the passwords as md5.
>
> Any advice would be greatly appreciated.
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
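The login, verify_session.php and logout-link pieces from the post, rewritten as one added example for current PHP (7.1 or later); this is not code from Jonathan's post, from the reply, or from any project. It applies the reply's correction (a "Location:" header, followed by exit, since header() by itself does not stop the script), regenerates the session id at login, stores the authenticated user's id in the session instead of the session id, checks passwords with password_verify() against password_hash() output rather than the md5 the post describes, and escapes PHP_SELF before echoing it into the logout link. The three sections are separate files shown in one listing. The users table and its columns, the /login and /admin paths, and the in-memory SQLite database with its single constructed 'alice' row (a stand-in for the real database so the file runs on its own) are all assumptions.

```php
<?php
// ---- login/login.php (added example) ----
// Assumed schema: users(id, username, password_hash), where password_hash
// was produced by password_hash($plain, PASSWORD_DEFAULT).
// The in-memory SQLite database and the 'alice' row are constructed test data
// standing in for the real database connection.
session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Returns true and binds the user to the session on success, false otherwise.
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh session id at the privilege change: whatever id the browser carried
    // before login is discarded and its server-side file deleted.
    session_regenerate_id(true);
    // Record who logged in; the session itself is the proof of authentication.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /admin/main.php');   // the reply's point: the Location: prefix is required
        exit;                                   // header() does not stop execution; exit does
    }
    $error = 'Invalid username or password';    // one message for both failure cases
}
// The HTML login form is unchanged from the post and omitted here.
?>

<?php
// ---- access/verify_session.php (added example) ----
// Included from header.php on every protected page, as in the post.
session_start();

function redirect_to_login(): void
{
    header('Location: /login/login.php');      // assumed layout: /login and /admin under the web root
    exit;
}

// Handle logout first: drop the session data and the server-side record.
if (($_REQUEST['logout'] ?? '') === 'logout') {
    $_SESSION = [];
    session_destroy();
    redirect_to_login();
}

// Only login() ever sets user_id, so its absence means "not logged in".
if (!isset($_SESSION['user_id'])) {
    redirect_to_login();
}
?>

<?php
// ---- header.php fragment (added example) ----
// PHP_SELF reflects part of the request URL, so escape it before echoing.
?>
<a href="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>?logout=logout">Logout</a>
```

Keeping the user id rather than the session id in $_SESSION also makes the per-page check simpler: the verify file no longer needs to call session_id() at all, it only asks whether login() ever ran in this session.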