Re: Safe / Secure Login Script


Sorry, I always forget to reply all...
Original message below...

-----Original Message-----
From: Gavin Amm 
Sent: Tuesday, 5 October 2004 3:55 PM
Subject: RE:  Safe / Secure Login Script


1. Personal preference, but you may find sessions a better option (does
not store user data (like passwords) on the workstation) -
http://au2.php.net/manual/en/ref.session.php

2. In MySQL you can use the BINARY keyword to tighten the password
string comparison.

3. In addition, if you're not already using one, you could use an SSL
connection to further tighten security & prevent passwords from being
transmitted in clear text.

Cheers,
Gav


-----Original Message-----
From: Wendell Frohwein [mailto:wendell@xxxxxxxxxxxx] 
Sent: Monday, 4 October 2004 6:11 AM
To: php-db@xxxxxxxxxxxxx
Subject:  Safe / Secure Login Script


I have been writing php code for about 2 years now. I have a login
script that I have written for my clients. I just would like to know if
there is a better / safer way of logging people into websites. This is
my current method.
 
1.)     Username and Password are entered in an html / php form using
field names user, pass and submit button named do_login.
2.)     Form is submitted to the same page (PHP_SELF).
3.)     Login script is triggered by $_POST["do_login"].
4.)     Form is validated to make sure the fields "user" and "pass" are
not empty.
5.)     Password is then encrypted using base64_encode()
6.)     MySql Select Statement To find $_POST["user"].
7.)     If found, Verify that $result["pass"] ===
base64_encode($_POST["pass"]).
8.)     If No username is found, Message is sent to end user stating
username does not exist.
9.)     If $result["pass"] === base64_encode($_POST["pass"]) send user
to a page called wait.php
10.) At wait.php, a cookie is set containing the user id, user name, and
encrypted pass.
11.) Wait.php contains a (<meta http-equiv="refresh"
content="5;URL=/<?echo($dir);?>/welcome.php">) meta tag which directs the
user to the directory
12.) Inside $dir, there is a script called validate.php which is
included inside header.php. So the script actions of validate.php tag
along with every page.
13.) This function makes sure you have a cookie set with the names
"user_id", "user_name", "user_pass".
14.) It then validates this information through MySQL.
15.) If the information is sound, user is allowed to browse that page
and/or do whatever they are supposed to be doing in that directory.
16.) If the information is not sound, user is redirected to the home
page using header("Location: http://some_domain/some_file.php");



This works great for me, but I want to perfect it. If anyone out there
knows any better way to login, validate a user and so on, please let me
know.
 
 
Thanks a lot people.
 
 
-Wendell Frohwein

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
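The following is an added example, not code posted by Wendell or Gavin. It puts Gavin's three suggestions (sessions instead of a credential cookie, the BINARY keyword, and relying on HTTPS) together with the steps of Wendell's flow in one PHP file covering the login handler and the per-page check. Assumptions: a mysqli connection in `$db` (with mysqlnd, for `get_result()`), a table `users(id, user, pass)`, the `$dir` variable from the original post, and that `pass` holds a `password_hash()` digest. The hash is a swapped-in choice that the thread itself does not propose; it replaces the base64 string of step 5, and moves the password comparison from SQL into `password_verify()`, which is byte-exact, so BINARY is applied to the username lookup instead.

```php
<?php
// Added example, not code from the thread. Assumes: a mysqli connection in $db,
// a table users(id INT, user VARCHAR, pass VARCHAR) where pass is a
// password_hash() digest, $dir as in the original post, and that the site is
// served over HTTPS (Gavin's point 3), so the session cookie can be Secure.
declare(strict_types=1);

// Session cookie hardening: only sent over TLS, not readable by JavaScript,
// not sent on cross-site requests. Must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Look up $username and check $password. Returns the user id on success,
 * null otherwise. Replaces steps 4-9 of the original flow.
 */
function check_login(mysqli $db, string $username, string $password): ?int
{
    // Step 4: reject empty fields before touching the database.
    if ($username === '' || $password === '') {
        return null;
    }
    // Prepared statement: the submitted username never becomes part of the
    // SQL text. BINARY (Gavin's point 2) makes the match case-sensitive and
    // byte-exact instead of following the column's collation rules.
    $stmt = $db->prepare('SELECT id, pass FROM users WHERE BINARY user = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy digest when the user is missing, so the response
    // time does not reveal whether a username exists (step 8's message does).
    $stored = $row['pass'] ?? password_hash('no-such-user-dummy', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $stored)) {
        return null;
    }
    return (int) $row['id'];
}

/**
 * Record the login in the server-side session (Gavin's point 1). Only an
 * opaque session id reaches the browser; user id and password stay on the
 * server. Replaces step 10 (cookie holding user_id/user_name/user_pass).
 */
function start_user_session(int $userId): void
{
    session_regenerate_id(true);   // fresh id, so a pre-login session id is useless
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

/**
 * Per-page check, the job of validate.php in steps 12-16. Returns the user id
 * when logged in; otherwise redirects to $homeUrl and stops the page.
 */
function require_login(string $homeUrl): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $homeUrl);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Step 3: the form posts to this same page with a submit button named do_login.
if (isset($_POST['do_login'])) {
    $id = check_login($db, (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''));
    if ($id === null) {
        echo 'Login failed.';   // one message for unknown user and wrong password
    } else {
        start_user_session($id);
        header('Location: /' . $dir . '/welcome.php');   // replaces wait.php and the meta refresh
        exit;
    }
}
```

With this layout header.php only needs `$userId = require_login('http://some_domain/some_file.php');` in place of the cookie checks, and nothing password-related is ever written to the client. If you keep the SQL-side password comparison from the original flow instead of hashing, Gavin's suggestion applies there too: `WHERE BINARY user = ? AND BINARY pass = ?`, which stops a case-insensitive collation from accepting `Secret` for `secret`.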


