Php login choices and questions.

php login system questions.

I did a search for login posts on here and found some but so far didn't see any that answered my questions so thanks for the help.


Hi guys, I'm developing a user login system for my site and although I think I understand how to do this correctly checking against a database or in my case a text file which stores the usernames and passwords (hashed) and using using php sessions to hold the validated users state across different pages, I am not exactly sure about a couple of things.


I am thinking of two different ways to do this and I am not sure which is more correct or more 'professional' :

1. Having two scripts, one for login / processing and then another for my user's home account page which will show his files on successful login.
The login script would post the username and password to itself then validate them. On success it should then automatically send the user to a completely different script/page -his main account home page.

OR

2. Have one script which is the home account page that also handles the login and validation?
This script will post the variables to itself and then on successful validation show the user's main account details.

Questions :

a. Which of these is more 'correct' and 'professional' ?

b. Is one more or less secure than the other from outside users/hackers? Assume no hacker gets access to inside the website file system.

c. For Login system number 1. which uses two different pages (one for a login page and another for the user's home account page) , how do I automatically load the main account page for the user AFTER his password/username are verified?

Or does php not have a way to do this?

I obviously don't want to make the user click a link to get to the main account page after he's been logged in successfully. He should automatically be taken there on successful login.

I could go with number 2. but I didn't know if it's good to have a single script handling multiple things like login forms, validation, and displaying the user's main account on successful login, etc.


Thanks for the help and ideas.

There's a login tutorial in the stickies subforum at the top of the page.

Hey cool, thanks for the reply.

I'll read it now.


I already know how to do it a certain way. I am not sure which way is better.


Hoping it answers my question of which type of system I should make.

Hi,

you can do pretty much anything as long as it makes sense in your specific setup. There's no difference with regard to security (as far as I can tell).

In modern frameworks, for example, you only have a single script to handle every request. The actual program logic is in the classes. Other websites use the classical approach of "one script per page".

In your case, putting both the content and the login logic into a single script makes no sense to me, because those are two separate aspects. So I'd make one script for the login, one for the account page and a function or script to check the login status on each page you want to protect.

Redirects are done with header('Location: ...'). The login check function would look something like this:


Apart from that: You should definitely replace your text files with an actual database. Flat files are extremely inefficent and prone to data corruption. If, for some reason, you find a fully featured database system like PostgreSQL or MySQL too heavyweight, you can use an embedded database like SQLite.

And you should not implement your own password hashing schema (as suggested in the link). Use a well tested library like PHPass instead.