#1
    Contributing User (Devshed Newbie, 0 - 499 posts; joined Apr 2000; 33 posts)
    I'm handling user authentication on our IIS 4 server with PHP 4 and sessions. When a user logs in right now, it checks their entered password against a MySQL database, and if it finds their login and pw, it sets $logged to 1. By default, when the page is loaded, $logged becomes 0. Is this very secure? Could someone just do http://path.to/script.php?logged=1 and pass right through? If so, what's the best way with PHP/MySQL that I should handle user authentication? Also, how could I encrypt the password that is stored in the database, either before it's sent to the database or when it arrives there?

    Thanks in advance,

    -Justin
#2
    Junior Member (Devshed Newbie, 0 - 499 posts; joined Apr 2000; 23 posts)
    Take a session ID when authentication is good. When session ID in combination with session ID is used within, let's say, 15 minutes (updating the time), it's pretty secure.

    Mzzls
    Dave
#3
    Registered User (Devshed Newbie, 0 - 499 posts; joined Apr 2000; 8 posts)
    Originally posted by trahma:
    > I'm handling user authentication on our IIS 4 server with PHP 4 and sessions. When a user logs in right now, it checks their entered password against a MySQL database, and if it finds their login and pw, it sets $logged to 1. By default, when the page is loaded, $logged becomes 0. Is this very secure? Could someone just do http://path.to/script.php?logged=1 and pass right through? If so, what's the best way with PHP/MySQL that I should handle user authentication? Also, how could I encrypt the password that is stored in the database, either before it's sent to the database or when it arrives there?
    > -Justin

    Use the PHP md5($password) statement to store and compare crypted passwords. It's a lot more secure and means you don't have to store the actual password in the database, just the MD5 hash. As for people putting ?logged=1 in the URL ... if your code sets $logged to 0 unless logged in, then the URL-entered variable gets overwritten. No problem.

    I've got a fairly comprehensive authentication script if anyone fancies it. Email me.

    ------------------
    --
    Does anyone else find it kinda perverse that we're using a Perl BBS to discuss PHP? ;-)
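Added example (editor's note, not code posted by anyone in this thread) putting the three posts side by side: the $logged variable Justin describes, the "reset it to 0 first" fix from post #3, and a session-kept login state with the 15-minute idle window post #2 mentions. PHP 4's register_globals turned every query-string or form parameter into a global variable before the script ran; because that setting no longer exists in current PHP, extract() stands in for it here so the file runs with a plain `php` invocation. The users table, the fetch_pwhash() helper and the sample accounts are constructed stand-ins for the MySQL lookup, not anything from the thread. The md5() storage scheme is the one post #3 recommends; note that it is unsalted and fast, so on current PHP the same role is filled by password_hash()/password_verify(), which salt per password and use a deliberately slow algorithm.

```php
<?php
// Added example for this thread; not code posted by any participant.
// Hypothetical helper standing in for "SELECT pwhash FROM users WHERE login = ?".
// The account data is constructed so the script runs offline.
function fetch_pwhash($login) {
    static $users = null;
    if ($users === null) {
        $users = array('justin' => md5('s3cret'));   // stored as post #3 suggests
    }
    return isset($users[$login]) ? $users[$login] : null;
}

// extract() reproduces what register_globals did in PHP 4: every request
// parameter becomes a variable before the script's own code runs.

// VULNERABLE: $logged is assigned only on success and never initialised.
// A request carrying ?logged=1 therefore arrives already "logged in".
function check_login_vulnerable(array $request) {
    extract($request);                                   // register_globals
    $hash = fetch_pwhash($login);
    if ($hash !== null && md5($password) === $hash) {
        $logged = 1;
    }
    return !empty($logged);
}

// FIXED as post #3 describes: reset $logged before anything else, so the
// request-supplied value is clobbered regardless of what the URL carried.
function check_login_fixed(array $request) {
    extract($request);                                   // register_globals
    $logged = 0;                                         // always start logged out
    $hash = fetch_pwhash($login);
    if ($hash !== null && md5($password) === $hash) {
        $logged = 1;
    }
    return $logged === 1;
}

// SESSION-BASED (post #2's direction): the login decision lives server side
// in the session array, reached only through the cookie-borne session ID, and
// is never read from the request. Form fields are read explicitly from $post
// instead of relying on register_globals. $session stands in for $_SESSION
// after session_start(); $now is a Unix timestamp (time() in real use).
function session_login(array $post, array &$session, $now) {
    $hash = isset($post['login']) ? fetch_pwhash($post['login']) : null;
    if ($hash === null || !isset($post['password']) || md5($post['password']) !== $hash) {
        return false;
    }
    $session['logged']    = 1;
    $session['login']     = $post['login'];
    $session['last_seen'] = $now;
    return true;
}

// Sliding 15-minute idle limit (post #2): each successful check refreshes the
// timestamp; an idle session is cleared rather than trusted.
function session_is_logged_in(array &$session, $now, $idle_limit = 900) {
    if (empty($session['logged'])) {
        return false;
    }
    if ($now - $session['last_seen'] > $idle_limit) {
        $session = array();                              // expired: drop the state
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Constructed requests: a forged ?logged=1 with the wrong password, and a
// genuine login with the right one.
$forged  = array('login' => 'justin', 'password' => 'nope', 'logged' => '1');
$genuine = array('login' => 'justin', 'password' => 's3cret');

var_dump(check_login_vulnerable($forged));   // forged request against the unreset flag
var_dump(check_login_fixed($forged));        // same request once $logged is reset first
var_dump(check_login_fixed($genuine));       // correct password still works

$session = array();
var_dump(session_login($forged, $session, 1000));        // wrong password, no state set
var_dump(session_login($genuine, $session, 1000));       // state now held in the session
var_dump(session_is_logged_in($session, 1500));          // within the idle window
var_dump(session_is_logged_in($session, 1500 + 901));    // one second past it
```

The first var_dump is the bypass Justin asked about: with register_globals on and no reset, `?logged=1` is indistinguishable from a real login. Resetting the flag fixes that one variable, but any other unreset variable the script later trusts has the same hole, which is why keeping the state in the session and reading form input explicitly from $_POST (available from PHP 4.1 onward) is the more robust pattern.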
