  1. #1
    Defender1

    Flat file login system as opposed to cookies

    What would all your thoughts be on using flat files stored on the server to log in as an alternative to cookies? (This is assuming cookies are disabled.)
    I have a lot of code, and trying to append the SID to every link isn't something I'm looking forward to, so if I can find an alternative I'm all for it.

    Basically, when the username/pw is submitted, I'd check the values in the db.
    If they match, I'll create a small txt file with the user/pw stored in it, which each page would check.

    On logout the file would be deleted.
    This would be a good option for keeping them logged in indefinitely as it works just like a cookie.
    Defender's Designs
    I'm Getting Married!

    Not-so-patiently awaiting Harry Potter Book 7 *sigh*

  2. #2
    Skunk
    How would each individual page script know which flat text file to check for the saved information? If there is only one text file then more than one user on the site at the time will cause the system to break, but if there is more than one text file (one for each user) then you'll need some way of identifying which text file belongs to which user session - meaning you're back to a session ID or cookie...

  3. #3
    dkode
    That does sound like a good idea. If you recompile PHP and use --with-trans-sid, I believe, it will automatically append the session ID onto the URL. I redid all of my links on one site but there were only about 10-15 links so it wasn't a big deal. If you have a lot of links I would suggest recompiling while adding in that compile option.
    "Mankind cannot define memory, yet it defines mankind"
    -- Project 2501, Ghost in the Shell


  4. #4
    cupid
    Sounds like a pretty good solution to me Defender. I see 3 possible things that you may want to keep in check.

    1) Security. You would have to make the file world readable.. so you should probably encrypt the passwords.

    2) Efficiency. If you're expecting a heavy load of registered users browsing through your website at once, (unless I'm misunderstanding your schema) you may want to keep in mind that every page load would result in reading the file.

    3) Quota. I understand that you're creating a new file for each user that logs in. Size can be neglected since it's just a small data file. How many files your web server allows you to have, however, can lead to some headaches when debugging. You may want to check in with your web hosting service to see what your file limit is.. if it's something insubstantial, have them increase it. It shouldn't be too big of a hassle.. they're usually more interested in how much space you're taking up.

    In regards to appending SID, (and as discussed with freddie on another thread) it should automatically append if you enable session.use_trans_sid. This will only work if PHP was compiled with this capability.

    By the way, if you're using just one file to keep track of these users, disregard what I said about quotas. But that leads to my next question: how does it know which entry to look for? If you're using multiple files, how does it know which file to check?
    Last edited by cupid; Nov 14, 2001 at 22:52.

  5. #5
    Defender1
    1.) Yea, I'd encrypt the pw's. Is hash() or md5() for encryption?

    2.) I don't expect that heavy of a load as this is an alternative to cookies. I'd assume a good number would choose cookies to login.

    3.) I'll have to contact my host, as I had no idea there was a limit on the number of files.

    I'm also 99% sure trans-id wasn't compiled with PHP. And I also doubt my host would recompile just so I could have that option.

    With regards to how to know which file to grab, I'll store the username in the script, and give it a name the same as the username, with some random numbers attached or some other method to uniquely name it so someone can't guess the filename.

  6. #6
    Skunk
    Originally posted by Defender1:
    "With regards to how to know which file to grab, I'll store the username in the script, and give it a name the same as the username, with some random numbers attached or some other method to uniquely name it so someone can't guess the filename."

    So you'll be passing that value each time a new page is loaded - sounds like a session identifier to me. I still don't see the difference between what you are suggesting and normal session based state maintenance - you still have to pass a variable from one script to another (in this case the username + a few characters) which is what you would be doing with normal sessions.

  7. #7
    Defender1
    Yes, it's just like sessions, but unless my host recompiles PHP with trans id, I will have to add the SID to every link on the site to hold the session info for those who opt not to use cookies.
    Since the site is 90% complete, that's a LOT of editing, and I'm looking for alternatives at this point.

  8. #8
    Skunk
    But surely with the method you are suggesting you will STILL need to append something to every link on the site - only you'll be adding your username-and-a-few-random-characters to the URLs instead of the session ID.

    It might be worth considering URL rewriting if you are allowed to use Apache .htaccess files - that way you can "hide" the session in a URL like this:

    site.com/blah/20394834893843/index.php

    The script can then analyse the URL and extract the session ID from the path. How is this different from appending the session ID to the query string? Simple - using this method you can have relative links in your scripts, i.e.

    <a href="members.php">Members Page</a>

    But when the user clicks on them they will be taken to a URL like this:

    site.com/blah/20394834893843/members.php

    i.e. the session ID will stay there thanks to the relative link.
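
An added illustration of the relative-link behaviour described in the post above (not code from the thread), in JavaScript because resolving links is the browser's job here: it resolves several link forms against the sample URL and reports which same-site links lose the session segment. The digits-only ID format and all function names are assumptions.

```javascript
// Constructed sample: the thread's URL with an explicit scheme added.
const PAGE = 'http://site.com/blah/20394834893843/index.php';

// Assumption: the session ID is the path segment right after /blah/ and is
// digits only, as in the thread's sample URL. Anything else returns null, so
// a malformed segment is never used as a lookup key on the server.
function sessionIdFromPath(url) {
  const m = new URL(url).pathname.match(/^\/blah\/([0-9]{1,32})\//);
  return m ? m[1] : null;
}

// Resolve a link the way a browser does and report whether the ID survives.
function followLink(href, pageUrl) {
  const target = new URL(href, pageUrl);
  const sameSite = target.origin === new URL(pageUrl).origin;
  return {
    url: target.href,
    sessionId: sameSite ? sessionIdFromPath(target.href) : null,
  };
}

// Audit helper: same-site links that would silently drop the session,
// e.g. root-relative ("/x.php") or parent-relative ("../x.php") links.
function linksThatDropSession(hrefs, pageUrl) {
  const origin = new URL(pageUrl).origin;
  return hrefs.filter((h) => {
    const t = new URL(h, pageUrl);
    return t.origin === origin && sessionIdFromPath(t.href) === null;
  });
}
```

Only links relative to the current directory keep the session segment, so every root-relative link on the site still has to be found and changed.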

  9. #9
    Defender1
    Couldn't I register a global variable once they've logged in and keep the filename in there?

  10. #10
    johnn
    Below is the discussion that I copied from a discussion at php.net some time ago. I haven't used it yet.

    Use Javascript to automatically append the SID to the ends of the URLs in your page. Put this snippet at the end of your file:

    <pre>
    <script>

    // Append variable=value to a URL, using '&' when it already has a query string.
    function addvar(href, variable, value)
    {
        if (href.indexOf('?') != -1)
        {
            return href + '&' + variable + '=' + value;
        }
        else
        {
            return href + '?' + variable + '=' + value;
        }
    }

    // Add the SID to each entry in document.anchors.
    for (var i = 0; i < document.anchors.length; i++)
    {
        document.anchors[i].href = addvar(document.anchors[i].href, 'SID', '<?php echo $SID ?>');
    }
    // Add the SID to each form's action URL.
    for (var i = 0; i < document.forms.length; i++)
    {
        document.forms[i].action = addvar(document.forms[i].action, 'SID', '<?php echo $SID ?>');
    }

    </script>

    </pre>
    -------------------------------------------------
    chernyshevsky@hotmail.com has a great idea with the client-side javascript filling in the PHP SID. I have two fixes:

    Add this to the top of the addvar function to prevent appending to links that are javascript calls:

    if (href.indexOf ("javascript") != -1) return href;

    Add this loop to iterate the <a href ...> elements (anchors only iterates named anchors):

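    // document.links covers every <a href ...> element, named or not.
    // addvar() is called with the same three arguments as in the snippet above.
    for (var i = 0; i < document.links.length; i++)
    {
        document.links[i].href = addvar(document.links[i].href, 'SID', '<?php echo $SID ?>');
    }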
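
As written, the snippet in the post above appends the SID to every link, including links that point off-site, and does not URL-encode the value. The following added example (not from the thread or from php.net) restricts the rewrite to same-origin http(s) targets and encodes the value; the function names, parameter names and sample hosts are hypothetical.

```javascript
// Return href with the session ID attached, or href unchanged when the
// target must not receive it. pageUrl is the URL of the page holding the link.
function appendSessionId(href, pageUrl, paramName, sid) {
  let target;
  try {
    target = new URL(href, pageUrl); // resolves relative links like a browser
  } catch (e) {
    return href; // unparsable link: leave it alone
  }
  const page = new URL(pageUrl);
  // Only http(s) links to our own origin may carry the session ID. This
  // skips javascript:, mailto: and every off-site link in one check,
  // instead of searching the string for "javascript".
  if (!/^https?:$/.test(target.protocol) || target.origin !== page.origin) {
    return href;
  }
  // set() URL-encodes the value and replaces an existing copy, so running
  // the rewriter twice does not produce ?SID=...&SID=...
  target.searchParams.set(paramName, sid);
  return target.href;
}

// Pure helper for a list of href strings (used for checking the logic).
function rewriteLinks(hrefs, pageUrl, paramName, sid) {
  return hrefs.map((h) => appendSessionId(h, pageUrl, paramName, sid));
}

// In a page: rewrite every <a href> in place. doc is the document object.
function applyToLinks(doc, paramName, sid) {
  for (const a of doc.links) {
    a.href = appendSessionId(a.href, doc.baseURI, paramName, sid);
  }
}
```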

  11. #11
    Skunk
    Originally posted by Defender1:
    "Couldn't I register a global variable once they've logged in and keep the filename in there?"

    Nope, that's not how global variables work. A global variable still only exists for the duration of the current script you are running; the difference is that its scope now includes functions within the script where it would normally not be visible. The only way to retain variable information across different page loads is with hidden form fields, data passed in the query string or cookies.

    Incidentally I'd advise against a javascript solution, as users who have cookies turned off are reasonably likely to have javascript turned off as well.
    Last edited by Skunk; Nov 15, 2001 at 07:22.

  12. #12
    cupid
    Originally posted by Defender1:
    "I'll have to contact my host, as I had no idea there was a limit on the number of files."

    Yes, for Unix web servers they can set quotas on the number of files. I don't know if this is true if your site is hosted on NT.

