1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2001
    Rep Power

    Which log-in / auth method to use?

    This is a general question, not related to a particular lang. or database system.

    I want to have "members only" sections on my site. This means they log-in.

    Now how do I go about this? There is my idea for now:

    - User creates account, if he wan't to be logged-in permanently, a permanent cookie is stored on the client's computer with username and password only. (maybe do a basic encrypt on password?)

    - User gets a request to log-in, where he enters username+password, or the script read directly username and password from the cookie.

    - The script checks the values against the users table of the database. If everything is ok, then

    - The script creates an MD5 digest with the username, password and IP adress (or whatever combinaison) and writes to a table called "browsing" the following information: User name, user access level, user IP adress, login date/time, last page view date/time and the MD5.

    - The same MD5 is written in a temp cookie that gets deleted at the end of the browser session, or the MD5 is passed thru the script pages by an hidden field or directly in the url.

    - When a user browses, it reads the MD5 from cookie or form and compares to the browsing table to check if the user is logged and have right permission to view page.

    - The browsing table gets cleaned every, let's say, 15 minutes by a crontab that removes any row where the last page view is more than 15 minutes away. So if a user is static for more than 15 minutes, he'll have to re-login or if the cookie is set the script will re-log him automatically.

    Is this approach good?

    Do you see any security risk using this method?

    Would you improve it? and how?

    Would it put a lot of load on the DB? Is there a better way?

    Any feedback appreciated.


  2. #2
  3. phpkid ~~~~~~ :o)
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Nov 2000
    NJ, USA
    Rep Power
    I think you can give a look to phpSecurepages

    d.k.jariwala (JD)
    ~ simple thought, simple act ~
    I blog @ http://jdk.phpkid.org

IMN logo majestic logo threadwatch logo seochat tools logo