#1 Contributing User (Devshed Newbie, 0 - 499 posts), joined Jul 2012, 31 posts

    PHP login choices and questions.

    PHP login system questions.

    I did a search for login posts on here and found some but so far didn't see any that answered my questions so thanks for the help.


    Hi guys, I'm developing a user login system for my site, and although I think I understand how to do this correctly (checking against a database, or in my case a text file which stores the usernames and hashed passwords, and using PHP sessions to hold the validated user's state across different pages), I am not exactly sure about a couple of things.


    I am thinking of two different ways to do this and I am not sure which is more correct or more 'professional':

    1. Having two scripts, one for login / processing and then another for my user's home account page which will show his files on successful login.
    The login script would post the username and password to itself then validate them. On success it should then automatically send the user to a completely different script/page -his main account home page.

    OR

    2. Have one script which is the home account page that also handles the login and validation?
    This script will post the variables to itself and then on successful validation show the user's main account details.

    Questions :

    a. Which of these is more 'correct' and 'professional'?

    b. Is one more or less secure than the other from outside users/hackers? Assume no hacker gets access to inside the website file system.

    c. For login system number 1, which uses two different pages (one for a login page and another for the user's home account page), how do I automatically load the main account page for the user AFTER his password/username are verified?

    Or does php not have a way to do this?

    I obviously don't want to make the user click a link to get to the main account page after he's been logged in successfully. He should automatically be taken there on successful login.

    I could go with number 2. but I didn't know if it's good to have a single script handling multiple things like login forms, validation, and displaying the user's main account on successful login, etc.


    Thanks for the help and ideas.
#2 Sarcky (Devshed Supreme Being, 6500+ posts), joined Oct 2006, Pennsylvania, USA, 10,690 posts
    There's a login tutorial in the stickies subforum at the top of the page.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#3 Contributing User (Devshed Newbie, 0 - 499 posts), joined Jul 2012, 31 posts
    Originally Posted by ManiacDan
    There's a login tutorial in the stickies subforum at the top of the page.
    Hey cool, thanks for the reply.

    I'll read it now.


    I already know how to do it a certain way. I am not sure which way is better.


    Hoping it answers my question of which type of system I should make.
#4 -- (Devshed Expert, 3500 - 3999 posts), joined Jul 2012, 3,910 posts
    Hi,

    you can do pretty much anything as long as it makes sense in your specific setup. There's no difference with regard to security (as far as I can tell).

    In modern frameworks, for example, you only have a single script to handle every request. The actual program logic is in the classes. Other websites use the classical approach of "one script per page".

    In your case, putting both the content and the login logic into a single script makes no sense to me, because those are two separate aspects. So I'd make one script for the login, one for the account page and a function or script to check the login status on each page you want to protect.

    Redirects are done with header('Location: ...'). The login check function would look something like this:
    PHP Code:
    // call this on top of every protected page
    function check_login_status() {
        session_start();
        if (!isset($_SESSION['user_id'])) {    // not logged in? redirect to login page
            header('Location: login.php');
            die();
        }
    }

    Apart from that: You should definitely replace your text files with an actual database. Flat files are extremely inefficient and prone to data corruption. If, for some reason, you find a fully featured database system like PostgreSQL or MySQL too heavyweight, you can use an embedded database like SQLite.

    And you should not implement your own password hashing schema (as suggested in the link). Use a well tested library like PHPass instead.
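The separate login script described in this reply, written out as an added example (not code from the thread or any of its posters). It assumes a SQLite file users.db with a users table (id, username, password_hash) whose hashes were made with PHP's built-in password_hash(), a protected account.php that calls the check_login_status() function above, and it uses password_verify() in place of the PHPass library the reply recommends:

```php
<?php
// login.php: added example (not from the thread). Assumes a SQLite file
// users.db with table users(id INTEGER PRIMARY KEY, username TEXT UNIQUE,
// password_hash TEXT), hashes made with password_hash(), and a page
// account.php protected by check_login_status() from the post above.
declare(strict_types=1);
session_start();

function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);              // bound parameter, no string building
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function attempt_login(PDO $db, string $username, string $password): bool
{
    $user = find_user($db, $username);
    // Verify against a throwaway hash when the user is unknown so the response
    // time does not reveal whether the username exists.
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);              // new session id after privilege change
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

$db = new PDO('sqlite:users.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if (attempt_login($db, $username, $password)) {
        header('Location: account.php');      // send the user straight to the account page
        exit;                                 // nothing after the redirect may run
    }
    $error = 'Invalid username or password.'; // same message for both failure cases
}
?>
<form method="post" action="login.php">
  <?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <input name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <button>Log in</button>
</form>
```

The form posts to itself, and only after a successful password check does the script redirect to account.php, which is the automatic hand-off the original question asked about.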
