Sorry, I always forget to reply all... Original message below...

-----Original Message-----
From: Gavin Amm
Sent: Tuesday, 5 October 2004 3:55 PM
Subject: RE: Safe / Secure Login Script

1. Personal preference, but you may find sessions a better option (does not store user data (like passwords) on workstation) - http://au2.php.net/manual/en/ref.session.php
2. In MySQL you can use the BINARY keyword to tighten the password string comparison.
3. In addition, if you're not already using one, you could use an SSL connection to further tighten security & prevent passwords from being transmitted in clear text.

Cheers,
Gav

-----Original Message-----
From: Wendell Frohwein [mailto:wendell@xxxxxxxxxxxx]
Sent: Monday, 4 October 2004 6:11 AM
To: php-db@xxxxxxxxxxxxx
Subject: Safe / Secure Login Script

I have been writing php code for about 2 years now. I have a login script that I have written for my clients. I just would like to know if there is a better / safer way of logging people into websites. This is my current method.

1.) Username and Password are entered in an html / php form using field names user, pass and submit button named do_login.
2.) Form is submitted to the same page (PHP_SELF).
3.) Login script is triggered by $_POST["do_login"].
4.) Form is validated to make sure the fields "user" and "pass" are not empty.
5.) Password is then encrypted using base64_encode()
6.) MySql Select Statement To find $_POST["user"].
7.) If found, Verify that $result["pass"] === base64_encode($_POST["pass"]).
8.) If No username is found, Message is sent to end user stating username does not exist.
9.) If $result["pass"] === base64_encode($_POST["pass"]) send user to a page called wait.php
10.) At wait.php, a cookie is set containing the user id, user name, and encrypted pass.
11.) Wait.php contains a (<meta http-equiv="refresh" content="5;URL=/<?echo($dir);?>/welcome.php">) meta tag which directs user to directory
12.) Inside $dir, there is a script called validate.php which is included inside header.php. So the script actions of validate.php tag along with every page.
13.) This function makes sure you have a cookie set with the names "user_id", "user_name", "user_pass".
14.) It then validates this information through mysql.
15.) If the information is sound, user is allowed to browse that page and or do whatever they are supposed to be doing in that directory.
16.) If the information is not sound, user is redirected to the home page using header("Location: http://some_domain/some_file.php");

This works great for me, but I want to perfect it. If anyone out there knows any better way to login, validate a user and so on, please let me know.

Thanks a lot people.
-Wendell Frohwein

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
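The following is an added example, not code from either poster: the same login and per-page validation flow reworked along the lines of Gavin's reply, with a server-side session in place of the cookie that carries the encoded password, password_hash()/password_verify() in place of base64_encode() (which is reversible encoding, not encryption), and a prepared statement for the user lookup. It assumes an existing PDO connection in $pdo and a hypothetical users table with columns id, user_name and pass_hash; both are assumptions, not anything from the thread.

```php
<?php
// Added example: hardened version of the login flow discussed above.
// Assumptions (not from the thread): $pdo is an open PDO connection and the
// table "users" has columns id, user_name, pass_hash (output of password_hash()).
declare(strict_types=1);

// Session cookie only over HTTPS and not readable by script; then start the session.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $pdo, string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false;                            // step 4: reject empty fields
    }
    $stmt = $pdo->prepare('SELECT id, user_name, pass_hash FROM users WHERE user_name = ?');
    $stmt->execute([$user]);                     // prepared statement: no string-built SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against the salted hash in constant time.
    // Unknown user and wrong password fail the same way, so neither is disclosed.
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session id after authentication
    $_SESSION['user_id']   = (int) $row['id'];   // only the user id lives in the session,
    $_SESSION['user_name'] = $row['user_name'];  // never the password or its hash
    return true;
}

// Replacement for validate.php, included from header.php on every protected page.
function require_login(string $home = '/index.php'): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $home);
        exit;
    }
}

// When a user registers or changes a password, store this instead of base64:
// $hash = password_hash($newPassword, PASSWORD_DEFAULT);

if (isset($_POST['do_login'])) {
    if (login($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        header('Location: /welcome.php');
        exit;
    }
    $error = 'Login failed';                     // one generic message for both failure cases
}
```

Gavin's BINARY suggestion is no longer needed here because the comparison happens in password_verify() rather than in SQL; the query only selects the row by user name.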