Thread: Managing Users
-
Feb 12, 2004, 12:29 #1
- Join Date
- Jan 2004
- Location
- New York, NY
- Posts
- 621
Managing Users
What is the best method for managing my users? I don't think storing username and password in cookies is secure, so I am trying to avoid that. My idea is storing the session ID in a cookie, and in a table along with the username. I just don't understand how I should go about doing this. So my question really is: what is the best way of keeping users logged in without storing username and pass in cookies?
SK
-
Feb 12, 2004, 13:07 #2
Hi Sharif,
Have you read Harry's article on access control? You should take a look at it.
http://www.sitepoint.com/article/1279
This may help.
Erh
-
Feb 12, 2004, 17:01 #3
Thanks for that link, Mandibal. Maybe I should try the method that forums like vBulletin use. So I ask, what is that method? I hope it's not storing the user's account info in a cookie.
SK
-
Feb 12, 2004, 17:10 #4
I haven't dissected the vBulletin method, but I'd assume that they don't store sensitive information like a password in a cookie. I think the big thing I took from Harry's article, and I assume that this might be somewhat standard, is that even after a user initially logs in you act paranoid later. By this I mean if the user logs in, then goes and wants to change a password or something, you make them supply the original password again so you can check it against the db. Also don't store a password in clear text if you don't have to. Encode it at least with md5.
Erh
-
Feb 12, 2004, 17:10 #5
- Join Date
- Jan 2004
- Location
- Wheelersburg
- Posts
- 115
Hey,
Whenever I delete all cookies from sitepoint, I am logged out.
When I viewed my cookies, it does look like they have it encrypted. Here is how I do it using cookies.
First, whenever a user registers, I set an md5($username) and insert it into my db.
Whenever I set the cookie, I use the value of the md5 and set it in the cookie.
Now when checking for the user logged in, read the cookie, then SELECT * FROM table WHERE encrypt="$cookieval"
Just replace the encrypt with your row name, table with tablename, and cookieval with the actual cookie's information.
I don't know if it is safe or not, but works for me.
-
Feb 12, 2004, 18:36 #6
It seems there are questions about security here and there. I can sympathize with the confusion. There is a great article called "The Truth About Sessions" that can be found in this free d/l digital version of the mag:
https://www.entwickler.com/ssl/phppdf/Troy