Re: Safe / Secure Login Script

You should definitely not set a cookie containing the encrypted
password; anyone who is able to grab that cookie can set to work brute
forcing the password.


On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein
<wendell@xxxxxxxxxxxx> wrote:
> I have been writing php code for about 2 years now. I have a login
> script that I have written for my clients. I just would like to know if
> there is a better / safer way of logging people into websites. This is
> my current method.
> 
> 1.)     Username and Password are entered in an html / php form using
> field names user, pass and submit button named do_login.
> 2.)     Form is submitted to the same page (PHP_SELF).
> 3.)     Login script is triggered by $_POST["do_login"].
> 4.)     Form is validated to make sure the fields "user" and "pass" are
> not empty.
> 5.)     Password is then encrypted using base64_encode()
> 6.)     MySql Select Statement To find $_POST["user"].
> 7.)     If found, Verify that $result["pass"] ===
> base64_encode($_POST["pass"]).
> 8.)     If No username is found, Message is sent to end user stating
> username does not exist.
> 9.)     If $result["pass"] === base64_encode($_POST["pass"]) send user
> to a page called wait.php
> 10.) At wait.php, a cookie is set containing the user id, user name, and
> encrypted pass.
> 11.) Wait.php contains a (<meta http-equiv="refresh"
> content="5;URL=/<?echo($dir);?>/welcome.php">) meta tag which directs
> user to directory
> 12.) Inside $dir, there is a script called validate.php which is
> included inside header.php. So the script actions of validate.php tag
> along with every page.
> 13.) This function makes sure you have a cookie set with the names
> "user_id", "user_name", "user_pass".
> 14.) It then validates this information through MySQL.
> 15.) If the information is sound, user is allowed to browse that page
> and/or do whatever they are supposed to be doing in that directory.
> 16.) If the information is not sound, user is redirected to the home
> page using header("Location: http://some_domain/some_file.php");
> 
> This works great for me, but I want to perfect it. If anyone out there
> knows any better way to login, validate a user and so on, please let me
> know.
> 
> Thanks a lot people.
> 
> 
> -Wendell Frohwein
> 
>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
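The flow Wendell describes can be kept (form posts to itself, a validate step included on every page) while dropping the two weak points the reply calls out: base64 as "encryption" and the password riding in a cookie. The following is an added PHP example, not Wendell's script; it assumes a MySQL table users(id, username, password_hash) and an already-opened PDO connection in $pdo.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL table
// users(id, username, password_hash) and an existing PDO handle in $pdo.
declare(strict_types=1);

// Registration: store a salted, slow hash instead of base64_encode() output.
function storeUser(PDO $pdo, string $user, string $pass): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login: prepared statement (no SQL built from $_POST), password_verify(),
// and a single generic failure so the response never says whether the
// username exists (step 8 in the original flow leaks that).
function login(PDO $pdo, string $user, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Session: the browser only ever holds an opaque session id; the password
// and user name never go into a cookie (replaces steps 10 and 13).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if (isset($_POST['do_login'])) {
    $id = login($pdo, (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''));
    if ($id === null) {
        $error = 'Invalid username or password.';
    } else {
        session_regenerate_id(true); // fresh id on login blocks session fixation
        $_SESSION['user_id'] = $id;
        header('Location: /welcome.php');
        exit;
    }
}

// What validate.php would do when included from header.php on every page:
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /index.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}
```

Because the session id is the only secret in the cookie, a stolen cookie is worthless once the session expires or the user logs out, whereas a stolen base64 password cookie is a permanent credential.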

