authentication verification

am 29.05.2008 20:56:57 von DeadTOm

So the user comes to the site and they're presented with a log in page.
They enter their username and password and php checks a mysql database
for a matching username and password.
If there is a match, it responds with 1 line found. If no match, it
responds with 0 lines found.
In the case of a match, php then sets a cookie on their browser with a
value of 1 for authenticated and 0 for not authenticated. Every
subsequent page the user views checks the status of this cookie and if
it's a zero it kicks them back to the log in page. This
cookie expires in 5 days and after that they'll have to log in again.
I'm aware that this is terribly easy to circumvent by creating/modifying a
cookie with the 1 value and the site thinks you've passed muster.
What is a better way of doing this?

--

DeadTOm
http://www.mtlaners.org
deadtom@mtlaners.org
A Linux user since 1999.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: authentication verification

am 04.06.2008 08:39:13 von Goltsios Theodore

DeadTOm wrote:
> So the user comes to the site and they're presented with a log in page.
> They enter their username and password and php checks a mysql database
> for a matching username and password.
> If there is a match, it responds with 1 line found. If no match, it
> responds with 0 lines found.
> In the case of a match, php then sets a cookie on their browser with a
> value of 1 for authenticated and 0 for not authenticated. Every
> subsequent page the user views checks the status of this cookie and if
> it's a zero it kicks them back to the log in page. This
> cookie expires in 5 days and after that they'll have to log in again.
> I'm aware that this is terribly easy to circumvent by creating/modifying a
> cookie with the 1 value and the site thinks you've passed muster.
> What is a better way of doing this?
>
> --
>
> DeadTOm
> http://www.mtlaners.org
> deadtom@mtlaners.org
> A Linux user since 1999.
>
>
The alternative way is probably sessions, which is not really
different if you plan to store just an authentication property of 0/1
in the cookie.

The difference is that a session is created that stores some data like
e-mail, frontend etc. on the server and not in the cookie as described in
the previous method. Although, in order for the browser to track the session,
it sends the server a session id, which should be posted in the "url" or
can be set automatically by php in a cookie :-) .

So you will need to put something in the cookie after all if you choose
to do it this way, but it would be a session id. However, have in mind
that you may have more control over sessions because you can configure
your server to do a great deal of things, like, say, eliminate all sessions
every 5 minutes.

I don't know if this was much of a help.

--
Thodoris
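The session approach described above, written out as an added example (not code from either poster). It assumes PHP 7.3 or newer, a PDO connection `$db`, and a `users` table with `id`, `username` and a `password_hash` column produced by `password_hash()`; the cookie only ever carries an opaque session id, while the "logged in" state lives in `$_SESSION` on the server, so editing the cookie cannot grant access.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.3, a PDO handle $db and
// a users(id, username, password_hash) table (hypothetical schema).

function session_start_hardened(): void {
    // Refuse session ids passed in the URL; only the cookie is accepted.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; age is enforced server-side below
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// login.php: verify the credentials, then bind the server-side session to the user.
function login(PDO $db, string $username, string $password): bool {
    session_start_hardened();
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;           // no match: nothing is written to the session
    }
    // Fresh session id on privilege change, so a pre-set (fixated) id is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Every protected page: the authenticated state is read from $_SESSION, which the
// client cannot edit. Re-login is required after 5 days, matching the original design.
function require_login(int $max_age = 5 * 86400): int {
    session_start_hardened();
    if (empty($_SESSION['user_id']) || time() - $_SESSION['login_at'] > $max_age) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user_id'];
}
```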
