authorization

I'm tryin to figure out a way, how to make sure a user logged in, over a web form. I have a subdir "users" that should only be accessed when the user logged in using a form. I heard cookies wouldn't be a good choice and someone told me about "php auth", but i didn't find anything about that in the docs.

I appreciate any help.


Till

Cookies are fine if the user doesn't have them disabled.

All you need to do is create a session identifier that can be passed from page to page, via POST, GET or cookie. Using md5() hashes is about as secure as you can get. When you process the login, you can create a unique session id by using this:

$session=md5(uniqid($uname));

where $uname is the users name. Store this info along with the users id, name or whatever and a timestamp in a table or flat file. Pass $session from page to page and at the top of each page verify that $session is valid in the table and that the current time is not too long since the timestamp was updated. If it is you can have them log in again. If not, update the timestamp to the current time and display the page.

Often, for added security, you can use the IP address of the visitor to make sure no one is using the same current session id. Beware, people connecting via proxies can have IPs that change between page views, however, it is unlikely that the IP will change outside of the lowest level (e.g. in the IP 111.222.33.44, 111.222.33 should remain constant). So you could check only those portions of the IP.

I have no problem using MD5. What I need is to encode a url with a shared secret key using HMAC-MD5 security algorithms. I can't find any information about this using PHP. I tried:

$signature = md5("$urltosign $sharedkey");

This routine does return a value for signature that looks right but the server won't accept it as valid. I have C++ code that will do this and have seen perl scripts too but I want to stay open-source. Is there anything I can do? Is there a <javascript> way to do this?

I believe that functionality will be in PHP4.

Hmmm if u want your users to use a portal page this is a nice sollutions otherwise use the basic authorisation from apache or better PHP for it ang check for the $PHP_AUTH_USER ... if set your user has provided a password for the page But be aware for a bug in the IE5 that allows it to workaround the basic authorisation of a page if a user once logged in on the same machine ... just in case u have sensible data on it ...