Creating a login script

PHP Log-in script

         

rob7591

2:22 pm on Mar 16, 2008 (gmt 0)

10+ Year Member



Hi,

I don't want to use a third party script being that I've done everything from scratch so far, but how do I do this?

I don't want like a full tutorial just the basic idea.

Do I store the username and the md5'd password in the session/cookies and do a login check every time a page is loaded?

That's, I guess, the only real question I have, but if you have any other advice I'd appreciate it.

DrDoc

4:40 pm on Mar 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



1) Use PHP sessions.
2) Upon successful login, set a specific session variable
3) On each page view, check if that session variable exists, or else redirect to login page

When logging out, simply remove/unset the session variable in question.

By using PHP's session management, you can control for how long a session is valid and all that jazz too.

rob7591

4:55 pm on Mar 16, 2008 (gmt 0)

10+ Year Member



Ok, thanks..

But would someone be able to spoof that variable?

I was thinking:
$_SESSION['u'] = username
$_SESSION['p'] = md5'd pw

on each pageview
mysql_query("SELECT * FROM users where username = '" . mysql_real_escape_string($_SESSION['u']) . "'")

while($user = mysql_fetch.... ) {
    // strcasecmp() returns 0 when the two strings match
    if (strcasecmp($user['password'], $_SESSION['p']) == 0) {
        $userinfo = $user // userinfo is global
        $logged_in = true
    }
}

I'm just afraid of any security vulnerabilities

DrDoc

5:49 pm on Mar 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not unless they hijack the session.

And, you need not store the username in the session variable. Save yourself some trouble by simply setting $_SESSION['logged_in'] = true. Then you just check for that variable. No need to double-check username and password.

If your site supports multiple logins, simply use something like $_SESSION['user'] = "username" instead.
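
The flow discussed in this thread (set a session variable on successful login, check it on each page view, unset it on logout), written out as an added example that is not code from the thread or its posters. It also regenerates the session ID at login and sets cookie flags, which addresses the session-hijack case mentioned above. Assumptions: PHP 7.3+, a site served over HTTPS, a constructed `$USERS` array in place of the users table, hypothetical function names and `/login.php` path, and `password_hash()`/`password_verify()` swapped in for the md5 comparison.

```php
<?php
// Constructed sample data standing in for the users table (assumption).
$USERS = ['rob' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // The browser only ever holds the session ID; these flags make that ID harder to steal.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Step 2: on successful login, set a specific session variable.
function login(array $users, string $username, string $password): bool {
    start_session();
    // The password is checked once, here; neither it nor its hash goes into the session.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);    // issue a fresh ID at login and delete the old session
    $_SESSION['user'] = $username;  // server-side marker that later page views look for
    return true;
}

// Step 3: on each page view, check the variable or redirect to the login page.
function require_login(): string {
    start_session();
    if (!isset($_SESSION['user'])) {
        header('Location: /login.php');  // hypothetical login page path
        exit;
    }
    return $_SESSION['user'];
}

// Logout: clear the session data and destroy the server-side session.
function logout(): void {
    start_session();
    $_SESSION = [];
    session_destroy();
}
```

A protected page calls `require_login()` before producing any output, since both the session cookie and the redirect are sent as HTTP headers.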