Results 1 to 5 of 5
  1. #1
    SitePoint Enthusiast
    Join Date
    Mar 2003
    Location
    UK
    Posts
    50

    PHP CMS - Log-In system...

    Hi people,

    I've almost finished making a CMS in PHP, all that's left is the code for logging people in... ie. you have to enter a username and password to access the CMS, so that not just anyone can go on and change the content of the site.

    How would everyone recommend I go about programming this? Sessions, cookies, HTaccess?

    What's the easiest, quickest, securest, best-est way?

    I would be greatly appreciative of any opinions.

    Cheers,
    eman

  2. #2
    Non-Member
    Join Date
    Oct 2004
    Location
    downtown
    Posts
    145
    Far from an advanced topic; nonetheless, you might want to look at Harry's anthology articles here at SitePoint, as there is an access/login feature around page 14/15 if I remember.

    If you want to protect your CMS content you may want to implement a role-based privilege system, of which there are a few available freely. Try Google to see what that returns for you.

  3. #3
    SitePoint Member
    Join Date
    Oct 2004
    Location
    Arlington, VA
    Posts
    5
    Sounds like you are talking about rudimentary authorization. You either let people change a site or not. The username/password login is the authentication part. You want to verify someone's identity, and the quickest, easiest way is not the most secure. Security and easy/quick are usually different ends of a seesaw.
    Your easiest way is to use someone's login code. You might check phpclasses.org

  4. #4
    SitePoint Wizard Mike Borozdin
    Join Date
    Oct 2002
    Location
    Edinburgh, UK
    Posts
    1,743
    Well, you can use sessions for storing some user's details during a session and cookies for automatically logging in on visiting your site next time.

  5. #5
    SitePoint Addict
    Join Date
    Oct 2004
    Location
    Ontario Canada
    Posts
    235
    For my security panel login (to view logs, block user etc...) I use sessions.

    Basically when someone goes on that page, it checks if the user has a cookie, if he does, it checks if the content (session) matches with the one in the database, if yes it shows the requested page.

    If not, it shows the login screen, and when a user logs in, it compares the MD5 value of the entered password with the MD5 one in the db; if it matches then it produces a random session hash. I did not calculate, but the way it's set up the odds of it being the same as another is very slim. It even MD5's the user's IP address in that process, along with a bunch of random numbers. It's like a big salad of random values just MD5ed together. Then that hash is stored in the database for that user, and in a cookie.

    So it's a pretty secure system and there's tons of security checks. If someone tries to guess the (25 char) password and gets it wrong they're blocked from the system.

    For a public login, you'd want to give something like 3 tries then lock them out for a certain amount of time, but for my particular system, me and the site staff are the only ones that use it and the password is part of the link to the login page. (not something I'd do on a public network).

    Logins are fairly easy to make, they just require a lot of thinking from a hacker's point of view to figure out ways to bypass it, since you want to block all those ways.

    Sessions are probably the best since even if someone steals your cookie, it won't be good by the time they get it.

    A step further would be to enter a randomly generated code to login, so it can't be brute forced.
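
The login flow post #5 describes (password check, a random session token kept in the database and in a cookie, lockout after failed tries), sketched with PHP's built-in password_hash()/password_verify() and random_bytes() in place of MD5. This is an added example, not code from any poster in the thread; the in-memory $users array, the 'admin' account, the function names and the 15-minute lockout are assumptions.

```php
<?php
declare(strict_types=1);

const MAX_TRIES = 3;      // post #5: "3 tries then lock them out"
const LOCK_SECONDS = 900; // lockout length: assumption

// Constructed sample record standing in for a users table row (assumption).
$users = ['admin' => [
    'hash' => password_hash('constructed-sample-passphrase', PASSWORD_DEFAULT),
    'failures' => 0, 'locked_until' => 0, 'token_hash' => null,
]];

/** Returns a fresh session token on success, null on bad credentials or lockout. */
function login(array &$users, string $name, string $password, int $now): ?string
{
    if (!isset($users[$name])) {
        return null;
    }
    $u = &$users[$name];
    if ($u['locked_until'] > $now) {
        return null;                           // still inside the lockout window
    }
    if (!password_verify($password, $u['hash'])) {
        if (++$u['failures'] >= MAX_TRIES) {   // count failures, then lock
            $u['locked_until'] = $now + LOCK_SECONDS;
            $u['failures'] = 0;
        }
        return null;
    }
    $u['failures'] = 0;
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $u['token_hash'] = hash('sha256', $token); // the database keeps only the hash
    return $token; // send with setcookie() using the httponly/secure/samesite options
}

/** Checks the cookie value against the stored hash in constant time. */
function session_is_valid(array $users, string $name, string $token): bool
{
    $stored = $users[$name]['token_hash'] ?? null;
    return is_string($stored) && hash_equals($stored, hash('sha256', $token));
}

$now = time();
$token = login($users, 'admin', 'constructed-sample-passphrase', $now);
var_dump(session_is_valid($users, 'admin', $token));
var_dump(session_is_valid($users, 'admin', str_repeat('0', 64)));
for ($i = 0; $i < MAX_TRIES; $i++) { login($users, 'admin', 'guess', $now); }
// Correct password, but submitted inside the lockout window:
var_dump(login($users, 'admin', 'constructed-sample-passphrase', $now));
```

Per-account lockout lets anyone who knows a username lock that account, so a public login usually pairs it with per-IP rate limiting.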

