Thread: Managing Users

  1. #1
    SitePoint Guru SharifTK's Avatar
    Join Date
    Jan 2004
    Location
    New York, NY
    Posts
    621

    Managing Users

    What is the best method for managing my users? I don't think storing username and password in cookies is secure, so I am trying to avoid that. My idea is storing the session ID in a cookie, and in a table along with the username. I just don't understand how I should go about doing this. So my question really is: what is the best way of keeping users logged in without storing username and pass in cookies?
    SK

  2. #2
    Mal Reynolds Mandibal's Avatar
    Join Date
    Aug 2003
    Location
    Columbus
    Posts
    718
    Hi Sharif,

    Have you read Harry's article on access control? You should take a look at it.
    http://www.sitepoint.com/article/1279
    This may help.
    Erh

  3. #3
    SitePoint Guru SharifTK's Avatar
    Join Date
    Jan 2004
    Location
    New York, NY
    Posts
    621
    Thanks for that link, Mandibal. Maybe I should try the method that forums like vBulletin use. So I ask, what is that method? I hope it's not storing the user's account info in a cookie.
    SK

  4. #4
    Mal Reynolds Mandibal's Avatar
    Join Date
    Aug 2003
    Location
    Columbus
    Posts
    718
    I haven't dissected the vBulletin method, but I'd assume that they don't store sensitive information like a password in a cookie. I think the big thing I took from Harry's article, and I assume that this might be somewhat standard, is that even after a user initially logs in you act paranoid later. By this I mean if the user logs in, then goes and wants to change a password or something, you make them supply the original password again so you can check it against the db. Also don't store a password in clear text if you don't have to. Encode it at least with md5.
    Erh

  5. #5
    SitePoint Zealot
    Join Date
    Jan 2004
    Location
    Wheelersburg
    Posts
    115
    Hey,

    Whenever I delete all cookies from sitepoint, I am logged out.

    When I viewed my cookies, it does look like they have it encrypted. Here is how I do it using cookies.

    First, whenever a user registers, I set a md5($username)
    and insert it into my db.

    Whenever I set the cookie, I use the value of the md5 and set it in the cookie.

    Now when checking for the user logged in, read the cookie, then SELECT * FROM table WHERE encrypt="$cookieval"

    Just replace the encrypt with your row name, table with tablename, and cookieval with the actual cookies information.

    I don't know if it is safe or not, but it works for me.
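
The scheme asked about in post #1 (a session ID in a cookie, also stored in a table with the username), as an added example that is not part of the thread or anyone's posted code. The `sessions` table, its columns, the function names and the `sid` cookie name are assumptions. Unlike a value derived from the username as in post #5, which never changes and can be computed by anyone who knows the username, the token here is random, expires, and is stored only as a hash.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread; table, column and function names are assumptions.

$db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires_at INTEGER NOT NULL)');

// Call only after the password check has succeeded. Returns the cookie value.
function startSession(PDO $db, string $username, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unrelated to the username
    $stmt = $db->prepare(
        'INSERT INTO sessions (token_hash, username, expires_at) VALUES (?, ?, ?)');
    // Only the SHA-256 of the token is stored, so a leaked table cannot be replayed as cookies.
    $stmt->execute([hash('sha256', $token), $username, time() + $ttl]);
    return $token;
}

// Returns the username for a valid, unexpired token, or null.
function currentUser(PDO $db, ?string $cookieValue): ?string
{
    if ($cookieValue === null || !preg_match('/\A[0-9a-f]{64}\z/', $cookieValue)) {
        return null; // not the shape of a token this code issues
    }
    $stmt = $db->prepare(
        'SELECT username FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $cookieValue), time()]); // bound parameters, no string building
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Logout: delete the row so the cookie value stops working immediately.
function endSession(PDO $db, string $cookieValue): void
{
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $cookieValue)]);
}

// Constructed walk-through with a sample user.
$token = startSession($db, 'alice');
// On a real page the token would be sent with:
// setcookie('sid', $token, ['expires' => time() + 3600, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
var_dump(currentUser($db, $token));        // the issued token
var_dump(currentUser($db, md5('alice')));  // a username-derived value
endSession($db, $token);
var_dump(currentUser($db, $token));        // the same token after logout
```

On a page request, `currentUser($db, $_COOKIE['sid'] ?? null)` replaces the lookup by a fixed per-user value.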

  6. #6
    SitePoint Addict Knightime's Avatar
    Join Date
    Jan 2003
    Location
    USA
    Posts
    376
    It seems there are questions about security here and there. I can sympathize with the confusion. There is a great article called "The Truth About Sessions" that can be found in this free d/l digital version of the mag:

    https://www.entwickler.com/ssl/phppdf/
    Troy
