Login Scripts, opinions please


He has: 2,145 posts

Joined: Nov 2003

Hello, I have spent the past couple of hours looking over tutorials for PHP login scripts. While all seem like they work OK, I am wondering about holes or better methods. So far I'm concentrating on the one at http://www.evolt.org/article/PHP_Login_Script_with_Remember_Me_Feature/17/60265/ as a base to work from.

I am going to go through and read all the "comments" on it as soon as I get home.

Here is basically what I am looking for, so if anyone can offer a better *tested and used* script or improvements on this one, please let me know.

The site I need to secure will be accessed 100% on an SSL server, and if in the first two months it goes as well as we are hoping, it will be moved over to its own dedicated server at our hosting provider. So I'm not too worried about the issues of someone having shell access to hijack the session info or securing the data going from the scripts into the database. This will be a pay service, and will have clients entering info such as employee names and pay (names I will most likely encrypt to the database before going live).

I have seen some "secure" scripts that use IP logging, however, my own experience says this is not advisable, as I have seen our IP address here from DSL change every 15 minutes or so...

I would like a good "Remember login" option. I have seen back and forth discussion on security of putting the hashed password in the cookie. Another tutorial says to have a COOKIE field in the database and set that value in the cookie. (I didn't see it, but I'm guessing if I did this way, I would need to make sure that field is UNIQUE and probably indexed?)

I already have code in place that checks for valid "calling" pages, so you cannot just bookmark an internal page. I would still like the script to always check for login status, if not logged in, give them login page and when logged in a link back to the page they tried to get to.

Anything anyone else can suggest to look for, I would greatly appreciate it.

Thank you for your time.

-Greg

PS. I should mention the specs of the server:
FreeBSD 4.6-Stable
Apache 1.something (just know it's not Apache 2)
mySQL
PHP 4.2.2
I don't use PEAR, prefer coding all by hand, however can be used.


She has: 5,507 posts

Joined: Feb 2000

It sounds like you're on your way. I believe the most secure access involves the session id encrypted in a cookie, and saved to a database. Then each page would read the cookie, check the database, and proceed accordingly (i.e. sorry, session timed out; sorry, you're not logged in; sorry, you're an evil script kiddie, shoo...)

He has: 19 posts

Joined: Jun 2004

The best way to do this would be SSL. But, since you probably don't have it and cannot afford it, you should take a few precautions:

1) ALWAYS ENCRYPT PASSWORDS! The only password that should not be encrypted is the one that comes straight from the password text box that the user types.

2) NEVER store passwords inside of sessions!

Besides that, the safest way to accomplish this is to use 2 tables for your script.

the 1st would be yourdb.USERS:

id | username | md5pass | first | last | email

the 2nd would be yourdb.SESSION:

username | login_time | sessid

Now what you do is when a user logs in you create a random alphanumeric string and store it in sessid. Then store it in the second table along with the user that logged in and the time they logged in at.

NOTE: you repeat the above EVERYTIME they log in

Then, store in your $_SESSION the username and session id. You can also implode all the other data like email, first, and last in one string called profile.

And in your header file check to make sure that username is set in the session, and if it is, test to make sure that login_time is before the current time, then check the session id. If all return true, then they're good; if not, they shouldn't be allowed to view the page.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If you have a site that all people can view and you have components or modules or blocks that only logged-in people can see, then instead of blocking the user from viewing the page in your header file, just make a variable $loggedin and set it to "true", and then for all your components test to see if $loggedin is true; if so, show the component, and ELSE don't show it.

I hope I helped you and I didn't confuse you.

If you need any PHP programming don't hesitate to shoot me an email or PM me here at Webmaster-Forums!


He has: 19 posts

Joined: Jun 2004

Oh yeah: if you don't want people that aren't logged in to view the page at all, use this:

<?php
header("Location: yourloginpage.php");
exit; // stop here, otherwise the rest of the page is still sent to the browser
?>

That will redirect them to the login page!

If you need any PHP programming don't hesitate to shoot me an email or PM me here at Webmaster-Forums!

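The two-table USERS/SESSION scheme from the post above and the Location redirect from this one, written out as one added example (not code from the thread or from the evolt.org script). It targets PHP 7.2+ with PDO rather than the PHP 4.2.2 in Greg's spec; an in-memory SQLite database stands in for MySQL so it runs stand-alone, the md5pass column is replaced by password_hash()/password_verify(), random_bytes() supplies the random session id, and hash_equals() does the comparison. Table and column names follow the post; the test user and the session_regenerate_id() call are my additions.

```php
<?php
// Added example, not code from the thread. Two-table login (USERS/SESSION),
// header check, redirect-and-exit, and the $loggedin gating pattern.
// Assumptions: PHP 7.2+, pdo_sqlite available, session save path writable.

// Build a throwaway database with a constructed test user (alice / "correct horse").
function bootstrap_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE USERS (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               pass_hash TEXT, first TEXT, last TEXT, email TEXT)');
    $db->exec('CREATE TABLE SESSION (username TEXT PRIMARY KEY,
               login_time INTEGER, sessid TEXT)');
    $db->prepare('INSERT INTO USERS (username, pass_hash, first, last, email)
                  VALUES (?, ?, ?, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT),
                  'Alice', 'Example', 'alice@example.com']);
    return $db;
}

// Step 1: on a good login, mint a fresh random sessid, record it in SESSION with
// the login time, and put only username, sessid and profile into $_SESSION.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash, first, last, email FROM USERS WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['pass_hash'])) {
        return false;
    }
    $sessid = bin2hex(random_bytes(16));   // new id on EVERY login, as the post says
    // One SESSION row per user, so an older sessid stops working after a new login.
    $db->prepare('REPLACE INTO SESSION (username, login_time, sessid) VALUES (?, ?, ?)')
       ->execute([$username, time(), $sessid]);
    session_regenerate_id(true);           // new PHP session id too (fixation guard, my addition)
    $_SESSION['username'] = $username;
    $_SESSION['sessid']   = $sessid;
    $_SESSION['profile']  = implode('|', [$user['email'], $user['first'], $user['last']]);
    // The password itself is never stored in $_SESSION.
    return true;
}

// Step 2: the header check. username must be set, login_time must not be in the
// future (and here also not older than $max_age seconds), and sessid must match.
function is_logged_in(PDO $db, int $max_age = 3600): bool
{
    if (empty($_SESSION['username']) || empty($_SESSION['sessid'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_time, sessid FROM SESSION WHERE username = ?');
    $stmt->execute([$_SESSION['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $age = time() - (int) $row['login_time'];
    if ($age < 0 || $age > $max_age) {
        return false;
    }
    return hash_equals($row['sessid'], (string) $_SESSION['sessid']);
}

// Pattern 1: the whole page is members-only; redirect and STOP.
function require_login(PDO $db, string $login_page = 'yourloginpage.php'): void
{
    if (!is_logged_in($db)) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';  // send them back after login
        header('Location: ' . $login_page);
        exit;   // without exit the rest of the page is still sent to the client
    }
}

// Pattern 2: public page, only some blocks are gated on $loggedin.
function render_member_block(bool $loggedin): string
{
    return $loggedin
        ? 'Welcome back, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES)
        : '<a href="yourloginpage.php">Log in</a>';
}

// Walk-through from the command line; no HTTP request is needed. All output
// happens after the logins so session_regenerate_id() runs before any headers.
session_start();
$db = bootstrap_demo_db();
$results = [
    'wrong password'  => login($db, 'alice', 'nope'),
    'right password'  => login($db, 'alice', 'correct horse'),
    'header check'    => is_logged_in($db),
];
$_SESSION['sessid'] = 'tampered';                   // simulate a forged session value
$results['after tampering'] = is_logged_in($db);
$_SESSION = [];                                     // simulate logout
$results['after logout'] = is_logged_in($db);
foreach ($results as $label => $ok) {
    echo str_pad($label, 18) . ($ok ? 'logged in' : 'refused') . "\n";
}
echo render_member_block(false), "\n";
```

The walk-through exercises the failure modes the post hints at: a bad password never touches SESSION, a forged sessid in $_SESSION is refused because it no longer matches the database row, and an emptied session is refused before any query runs. The exit after header() is the part most tutorials of that era leave out; without it the protected page body still goes out to anyone who ignores the redirect.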
