How to validate a page when it is directly run through address bar?

         

An156

4:38 pm on Mar 17, 2009 (gmt 0)

10+ Year Member



Hi all!
I have 2 pages
(1) Login.php
(2) home.php

When the user enters the correct user ID and password at the login page, he is directed to home.php.

Now the problem occurs when I directly type home.php in the address bar. How can I display the "session expired" page here when someone does this directly using the address bar?

Please help!

Thanks in advance!

henry0

5:05 pm on Mar 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How do you collect the PW?
How does your authentication work?
How do they gain access to home?
What PHP script starts your home page?

post script samples

An156

6:03 pm on Mar 17, 2009 (gmt 0)

10+ Year Member



Hi henry0,
I'm not following any authentication algorithms. I just check for a valid user name through the database (MySQL), then I retrieve the password and compare it, then display the homepage.

Is it sufficient to validate through it? Or do I need to add something more? Please suggest.

Thanks

Mahabub

6:23 pm on Mar 17, 2009 (gmt 0)

10+ Year Member



Dear An156,

Start the session in both of your PHP files. In your login.php, if the user gives the correct username and password, then start the session in the way below:

$_SESSION['username'] = $username;

And in your home.php, check whether $_SESSION['username'] has any value or not. If it has, then it's okay, and if it has not, then generate an error message

like

session_start();
// empty() also covers the case where the key was never set
if (empty($_SESSION['username'])) {
    echo 'Oops you are not a valid user';
    exit; // stop here so the rest of home.php is not sent
}

Thanks
Mahabub

d40sithui

6:28 pm on Mar 17, 2009 (gmt 0)

10+ Year Member



In home.php you need to check for some sort of authentication that the user has been through the login.php. Typically this is done by using some sort of stored variables that can be seen on ALL your pages. The most common, easy and effective form is using PHP SESSIONS.

<when username and password checks out, store them>


<?php
// login.php, after the username and password have been verified
session_start();
$_SESSION['uid'] = $uid;
?>

<inside home.php, check to see if this variable exists>


<?php
session_start();
if (isset($_SESSION['uid'])) {
    // if user is logged in -> continue
}
else {
    // user not logged in -> error handler here
}
?>

An156

4:52 pm on Mar 18, 2009 (gmt 0)

10+ Year Member



Hey Mahabub & d40sithui,
Thanks a lot for your valuable posts. I really appreciate your work, thanks buddy :)

CyBerAliEn

7:24 pm on Mar 19, 2009 (gmt 0)

10+ Year Member



It should be noted that the above method is very simple/easy.

But it is not secure (if general security is required). Someone could spoof a session ID and gain access to another user/etc. If you want a "secure" login, you should employ a database to manage it. General idea: Store user data in DB (username, password, etc; remember to store the encrypted/hashed form of the password). When user logs in, authenticate user against database. Create session and store ID in database, as well as other relevant info such as IP address. Then to authenticate, grab the user's session, check for it in the database, and confirm IPs match. In this method, it is harder for someone to "crack" in.

This is more complicated; and probably more than you need. Just wanted to make a note in case anyone else tries to employ the method. :)
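
The database-backed check described in the post above, as an added example that is not part of the original thread. The table names, function names and sample user are hypothetical, and storing only a SHA-256 hash of the session token and the 30-minute expiry are choices made for this example.

```php
<?php
// Added example, not from the thread. Table and function names are hypothetical.
// Uses an in-memory SQLite database (pdo_sqlite) so it runs from the CLI.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, ip TEXT, expires INTEGER)');
    return $db;
}

// Login: verify the password against the stored hash, then record a session row.
// Returns the random token to hand to the client, or null on failure.
function login(PDO $db, string $username, string $password, string $ip): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['pw_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $user['id'], $ip, time() + 1800]);
    return $token;
}

// Guard for home.php: the token must exist, be unexpired, and come from the same IP.
function current_user(PDO $db, string $token, string $ip): ?int {
    $st = $db->prepare('SELECT user_id, ip, expires FROM sessions WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time() || !hash_equals($row['ip'], $ip)) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed sample data (documentation-range IP addresses).
$db = make_db();
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$token = login($db, 'alice', 'correct horse', '203.0.113.10');
var_dump(login($db, 'alice', 'wrong', '203.0.113.10'));            // wrong password
var_dump(current_user($db, $token, '203.0.113.10'));               // same IP as login
var_dump(current_user($db, $token, '198.51.100.7'));               // token replayed from another IP
var_dump(current_user($db, str_repeat('0', 64), '203.0.113.10'));  // guessed token
```

In home.php the token would be kept in `$_SESSION` and the address read from `$_SERVER['REMOTE_ADDR']`. A user whose IP changes mid-session (mobile networks, some proxies) is logged out by the IP check.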

An156

10:40 am on Mar 21, 2009 (gmt 0)

10+ Year Member



Hi CyBerAliEn!

I'm very much influenced by your idea to enhance our websites' security. Could you please give a demo or code to elaborate on the topic?

One more thing: how can we use "https" in PHP?

CyBerAliEn

2:58 pm on Mar 21, 2009 (gmt 0)

10+ Year Member



First, using https is not necessary for a good login. Though it obviously makes it more secure, I would only really use https (myself) if I were dealing with customer transactions (or critically secure info).

Secondly, to do the method I noted requires a lot more code. I don't really have the personal time to write out how to do everything (sorry), but the following resources can help you learn and understand how to do it yourself (some of them you can download and use on your own site):

[php-login-script.com]
[php.about.com]
[devshed.com]

Good luck! :)