I have been writing php code for about 2 years now. I have a login
script that I have written for my clients. I just would like to know if
there is a better / safer way of logging people into websites. This is
my current method.
1.) Username and Password are entered in an html / php form using
field names user, pass and submit button named do_login.
2.) Form is submitted to the same page (PHP_SELF).
3.) Login script is triggered by $_POST["do_login"].
4.) Form is validated to make sure the fields "user" and "pass" are
not empty.
5.) Password is then encrypted using base64_encode()
6.) MySql Select Statement To find $_POST["user"].
7.) If found, Verify that $result["pass"] ===
base64_encode($_POST["pass"]).
8.) If No username is found, Message is sent to end user stating
username does not exist.
9.) If $result["pass"] === base64_encode($_POST["pass"]) send user
to a page called wait.php
10.) At wait.php, a cookie is set containing the user id, user name, and
encrypted pass.
11.) Wait.php contains a (<meta http-equiv="refresh"
content="5;URL=/<?echo($dir);?>/welcome.php">) meta tag which directs
user to directory
12.) Inside $dir, there is a script called validate.php which is
included inside header.php. So the script actions of validate.php tag
along with every page.
13.) This functions makes sure you have a cookie set with the names
"user_id", "user_name", "user_pass".
14.) It then validates this information though mysql.
15.) If the information is sound, user is allowed to browse that page
and or do whatever they are supposed to be doing in that directory.
16.) If the information is not sound, user is redirected to the home
page using header("Location http://some_domain/some_file.php";);
This works great for me, but I want to perfect it. If anyone out there
knows any better way to login, validate a user and so on. Please let me
know
Thanks a lot people.
-Wendell Frohwein
