#1 DarkMonkey (SitePoint Zealot; joined Apr 2001; location: uk; 170 posts)

    Logging people in.

    I have a field for user with a 'user' and 'password' field. I would like for users to be able to log in forever until they decide to logout, or at least for a long time. Once logged in the site tracks things like pageviews and such for them and keeps their personal settings.

    The point is: Until now I have taken the username variable which is placed in a cookie when they login to check whether they have, indeed, logged in.

    PHP Code:
    // $login is the cookie value, visible as a plain global because of register_globals
    if ($login) {
        echo "Welcome $login";
    } else {
        echo "Click here to login";
    }
    Like so. I can't use the password variable to authenticate as it might not be unique. I gather personal data by selecting from users where username='$login'. The thing is, this is obviously not very safe. Somebody can find a username by going to the memberlist and just type in url.php?login=username to falsely mess with that person's pages.

    It's unlikely that people know the $login variable exists, but still it's a serious security hazard. Users can't view the profile of the user without a valid login, as I have stopped URL $login variables from working on that page, so they can't find the password, but I'm still not happy about it. I'm sure they could set up forms to artificially send the data or something. Plus it just seems like an inefficient system.

    The question I'm asking is: What is the best way to log people in for extended periods of time? How would you go about doing this from the username/password they provide when they do so?

    Thanks for any help.

#2 Defender1 (SitePoint Wizard; joined Apr 2001; location: My Computer; 2,808 posts)
    The only way that I know of to keep them logged in for a long time is with cookies.
    But what I'd advise is to check the username AND password when it's submitted; that way it won't matter if someone does the whatever.php?login=username, because it won't work without the appropriate password.
    But if I were you, I'd make sure either the username or password is unique by checking them when someone joins.
    Not doing so is just asking for trouble.
    Defender's Designs
    I'm Getting Married!

    Not-so-patiently awaiting Harry Potter Book 7 *sigh*

#3 DarkMonkey
    The Username is unique, but the password isn't. That is fairly common practice I believe. If somebody were to enter a password and it said 'That's already been taken' then they could theoretically go through all the usernames until they found the person with that password.

    Are you suggesting I set 'two' cookies on their computer and check both of them? if($login & $password){ select from users where username='$login' and password='$password'; } ... ?

#4 Defender1
    I would believe you can store both the username and password in one cookie.

    And what I meant is not both unique: one OR the other, not both.

    And btw, the code if($login) only checks that there's something in $login, not that it contains the appropriate username.

#5 SitePoint Member (joined Oct 2001; location: Toronto, Canada; 18 posts)
    1. Create a table called sessions or something like that.
    2. Create 3 fields: id, username, password
    3. When the user first logs in, create a new row, and store the row's id in the user's cookie.
    4. On every subsequent page, use the value in the cookie to look up the username and password.
    5. Then use "SELECT * FROM users WHERE username = '$username' and password = '$password'" to check if the information is correct.
    6. If the user clicks on logout, delete the cookie and delete the row that held the username and password.

    I think that'll work pretty well.

#6 DarkMonkey
    Defender: I have been quoting rough code from memory, but if($login) is just used to see if there is a cookie. Then I do selects based on that value. If it's not a valid username then no data comes through. The login variable should have the username in it, however, as it is only set when they log in successfully, and basically that's my main problem: just stopping people changing it from the URL or whatever.

    Hyfen, how does that fix the problem? Can't people just type in www.url.com/page.php?cookiename=50 and get in under somebody else?

#7 SitePoint Member (Toronto, Canada)
    Yeah, shoot. I wasn't thinking...

    Take my idea and just add a bit of extra security.

    Add a column in the table and call it timestamp.

    When the user logs in, get the time in microseconds and put it into the session table. Also record this timestamp in the cookie.

    If the timestamps don't match, don't let them in.
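The sessions-table scheme from posts #5 and #7, combined with the username-and-password check from post #2, written out as an added example; this is not code from the thread. Two caveats a practitioner would raise against the thread's version are built in: a microsecond timestamp is a poor secret (an attacker who knows roughly when the victim logged in has only a few million values to try), so the cookie here carries 32 bytes from random_bytes(); and keeping the plaintext password in the sessions table, then comparing it in a query built by string interpolation, turns every SQL injection or database leak into a credential leak, so passwords are stored with password_hash(), only a hash of the session token is stored, and every query uses bound parameters. The table and column names, the cookie name "remember", the 30-day lifetime and the user data at the bottom are all assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): persistent "remember me" login built on the
// sessions-table idea from posts #5 and #7, hardened as a security engineer would:
//   1. the cookie carries a random token, not a guessable row id or timestamp;
//   2. the server stores only a SHA-256 of the token, so a leaked sessions table
//      does not yield live cookies;
//   3. passwords are stored with password_hash(), never in the sessions table.
// Table/column names and the cookie name "remember" are assumptions.
// Uses an in-memory SQLite database so it runs offline:  php remember_me.php
declare(strict_types=1);

const COOKIE_NAME  = 'remember';
const SESSION_DAYS = 30;   // how long "logged in forever" actually lasts

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                                        password_hash TEXT NOT NULL)');
        $pdo->exec('CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                                           token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}

function register(string $username, string $password): void
{
    db()->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
        ->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Post #2: check username AND password at login time. Returns the user id or null.
function checkCredentials(string $username, string $password): ?int
{
    $st = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);   // bound parameter: a crafted username cannot alter the query
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Posts #5/#7: insert a session row and build the cookie value "<row id>:<token>".
function createSession(int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits of entropy, unlike microtime()
    db()->prepare('INSERT INTO sessions (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$userId, hash('sha256', $token), $now + SESSION_DAYS * 86400]);
    return db()->lastInsertId() . ':' . $token;
}

// Every page: resolve the cookie to a username, or null. Typing ?remember=50 gets
// nobody in, because the token half must hash to the stored value for that row.
function userFromCookie(?string $cookie, int $now): ?string
{
    if ($cookie === null || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $st = db()->prepare('SELECT s.token_hash, s.expires_at, u.username
                         FROM sessions s JOIN users u ON u.id = s.user_id WHERE s.id = ?');
    $st->execute([(int) $m[1]]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null;
    }
    // Constant-time compare, so response timing cannot leak the stored hash byte by byte.
    return hash_equals($row['token_hash'], hash('sha256', $m[2])) ? $row['username'] : null;
}

// Post #5 step 6: logout deletes the row, which kills the cookie wherever it was copied.
function logout(string $cookie): void
{
    if (preg_match('/^(\d+):/', $cookie, $m)) {
        db()->prepare('DELETE FROM sessions WHERE id = ?')->execute([(int) $m[1]]);
    }
}

function show(?string $user): string { return $user ?? 'not logged in'; }

// In a real page, after createSession():
//   setcookie(COOKIE_NAME, $cookie, ['expires' => time() + SESSION_DAYS * 86400,
//             'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Walkthrough on constructed data.
$now = 1000000000;
register('darkmonkey', 'correct horse battery staple');
$uid    = checkCredentials('darkmonkey', 'correct horse battery staple');
$cookie = createSession($uid, $now);

echo "cookie value   : $cookie\n";
echo 'wrong password : ', checkCredentials('darkmonkey', 'wrong') === null ? 'rejected' : 'accepted', "\n";
echo 'valid cookie   : ', show(userFromCookie($cookie, $now)), "\n";
echo 'guessed id 1   : ', show(userFromCookie('1:' . str_repeat('0', 64), $now)), "\n";
echo 'expired cookie : ', show(userFromCookie($cookie, $now + 31 * 86400)), "\n";
logout($cookie);
echo 'after logout   : ', show(userFromCookie($cookie, $now)), "\n";
```

Run it from the command line with php (the pdo_sqlite extension must be loaded). The "guessed id 1" line is the attack from post #6: knowing the session row number gets an attacker nothing without the token. The setcookie() call is left as a comment because the CLI has no browser; in a real page set HttpOnly and Secure so the cookie is neither readable by script nor sent over plain HTTP, and remember that a cookie is still attacker-controlled input, which is why the value is validated against a strict pattern before it touches the database.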

#8 DarkMonkey
    I like it
    Thanks lots!

#9 SitePoint Member (Toronto, Canada)
    No problem. Just make sure the timestamp is long enough.
