https://www.webmaster-forums.net/crss/node/1025109 en https://www.webmaster-forums.net/serverside-scripting/login-scripts-opinions-please#comment-1153413 <p>oh ya: if you don't want people that aren't logged in to view the page at all use this:</p> <p><div class="codeblock"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br />header</span><span style="color: #007700">(\</span><span style="color: #DD0000">"Location: yourloginpage.php\");<br />?&gt;</span></span></code></div></p> <p>That will redirect them to the login page!</p> Fri, 18 Jun 2004 22:27:12 +0000 ShawnK comment 1153413 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/login-scripts-opinions-please#comment-1153412 <p>The best way to do this would be SSL. But, since you probaly don't have and cannot afford you should take a few precautions:</p> <p>1) <strong>ALWAYS</strong> ENCRYPT PASSWORDS! The only password that should not be encrypted is the one that comes straight from the password text box that the user types.</p> <p>2) <strong>NEVER</strong> store passwords inside of sessions!</p> <p>Besides that, the safest way to acomplish this is to use 2 tables for your script.</p> <p>the 1st would be yourdb.USERS:</p> <p>id | username | md5pass | first | last | email</p> <p>the 2nd would be yourdb.SESSION:</p> <p>username | login_time | sessid</p> <p>Now what you do is when a user logs in you create a random alphanumeric string and store it in sessid. Then store it in the second table along with the user that logged in and the time they logged in at.</p> <p><strong>NOTE</strong>: you repeat the above EVERYTIME they log in</p> <p>Then, store in your $_SESSION - the username and session id. You can also implode all the other data like email,first, and last in one string called profile.</p> <p>And in your header file check to make sure that username is set in the session and if it is test to make sure that login_time is before the current time, then check the sessionid. If all return true. Then they're good if not they shouldn't be allowed to view the page.</p> <p>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<br /> if you have a site that all people can view and you have components or modules or blocks that only logged in people can see, then instead of blocking the user from viewing the page in your header file just make a variable $loggedin and make is "true" and then for all your compnents test to see if logged in is true and if so show the component and ELSE don't show.</p> <p>I hope I helped you and I didn't confuse you.</p> Fri, 18 Jun 2004 22:25:53 +0000 ShawnK comment 1153412 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/login-scripts-opinions-please#comment-1152909 <p>It sounds like you're on your way. I believe the most secure access involves the session id encrypted in a cookie, and saved to a database. Then each page would read the cookie, check the database, and proceed accordingly (i.e. sorry, session timed out, sorry, you're not logged in, sorry, you're a evil script kiddie, shoo...)</p> Fri, 11 Jun 2004 02:48:03 +0000 Suzanne comment 1152909 at https://www.webmaster-forums.net