Thread: authorization

    #1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 1999
    Posts
    7
    Rep Power
    0
    I'm trying to figure out a way to make sure a user logged in over a web form. I have a subdir "users" that should only be accessed when the user logged in using a form. I heard cookies wouldn't be a good choice and someone told me about "php auth", but I didn't find anything about that in the docs.

    I appreciate any help.


    Till
  2. #2
  3. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    Cookies are fine if the user doesn't have them disabled.

    All you need to do is create a session identifier that can be passed from page to page, via POST, GET or cookie. Using md5() hashes is about as secure as you can get. When you process the login, you can create a unique session id by using this:

    $session=md5(uniqid($uname));

    where $uname is the user's name. Store this info along with the user's id, name or whatever and a timestamp in a table or flat file. Pass $session from page to page and at the top of each page verify that $session is valid in the table and that the current time is not too long since the timestamp was updated. If it is, you can have them log in again. If not, update the timestamp to the current time and display the page.

    Often, for added security, you can use the IP address of the visitor to make sure no one is using the same current session id. Beware: people connecting via proxies can have IPs that change between page views; however, it is unlikely that the IP will change outside of the lowest level (e.g. in the IP 111.222.33.44, 111.222.33 should remain constant). So you could check only those portions of the IP.
  4. #3
  5. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2000
    Location
    Culver City, Ca
    Posts
    6
    Rep Power
    0
    I have no problem using MD5. What I need is to encode a url with a shared secret key using HMAC-MD5 security algorithms. I can't find any information about this using PHP. I tried:

    $signature = md5("$urltosign $sharedkey");

    This routine does return a value for signature that looks right but the server won't accept it as valid. I have C++ code that will do this and have seen Perl scripts too but I want to stay open-source. Is there anything I can do? Is there a <javascript> way to do this?
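
For reference alongside the question in post #3, an added example that is not code from any poster in this thread: HMAC-MD5 as RFC 2104 defines it, built from PHP's md5() alone, checked against the RFC 2202 test vector and compared with the plain md5("$urltosign $sharedkey") digest. The names hmac_md5() and verify_signed_url() and the sample URL and key are made up for the example; hash_equals() requires a much later PHP release than the ones discussed in the thread.

```php
<?php
// Added example: HMAC-MD5 (RFC 2104) using only md5().
// hmac_md5() is a hypothetical helper name, not a PHP built-in.
function hmac_md5(string $key, string $data): string
{
    $block = 64;                              // MD5 block size in bytes
    if (strlen($key) > $block) {
        $key = pack('H*', md5($key));         // over-long keys are hashed first
    }
    $key  = str_pad($key, $block, "\0");      // then zero-padded to one block
    $ipad = $key ^ str_repeat("\x36", $block); // byte-wise XOR on equal-length strings
    $opad = $key ^ str_repeat("\x5c", $block);
    $inner = pack('H*', md5($ipad . $data));  // raw 16-byte inner digest
    return md5($opad . $inner);               // hex outer digest
}

// Constant-time check on the receiving side (hypothetical helper name).
function verify_signed_url(string $url, string $sig, string $key): bool
{
    return hash_equals(hmac_md5($key, $url), $sig);
}

// RFC 2202, HMAC-MD5 test case 2: confirms the construction is correct.
$vector = hmac_md5('Jefe', 'what do ya want for nothing?');
if ($vector !== '750c783e6ab0b503eaa86e310a5db738') {
    throw new RuntimeException('HMAC-MD5 self-test failed');
}

// Constructed sample values, not taken from the thread.
$urltosign = 'http://www.example.com/order?id=42';
$sharedkey = 'constructed-shared-secret';

$signature = hmac_md5($sharedkey, $urltosign);
$plain     = md5("$urltosign $sharedkey");    // the attempt quoted in post #3

// The two digests differ: a plain md5() over URL and key is not an HMAC,
// so a server that verifies HMAC-MD5 rejects it.
if ($signature === $plain) {
    throw new RuntimeException('unexpected: digests should differ');
}
// A changed URL no longer verifies against the original signature.
if (verify_signed_url($urltosign . '&admin=1', $signature, $sharedkey)) {
    throw new RuntimeException('unexpected: tampered URL verified');
}
echo "hmac-md5:  $signature\n";
echo "plain md5: $plain\n";
```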

  6. #4
  7. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    I believe that functionality will be in PHP4.
  8. #5
  9. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2000
    Location
    Bremen
    Posts
    11
    Rep Power
    0
    Hmmm, if you want your users to use a portal page, this is a nice solution; otherwise use the basic authorisation from Apache or, better, PHP for it and check for $PHP_AUTH_USER ... if set, your user has provided a password for the page. But be aware of a bug in IE5 that allows it to work around the basic authorisation of a page if a user once logged in on the same machine ... just in case you have sensitive data on it ...
