Authentication
What is the best way of authenticating a user on a site? The one that I do is creating a form getting the user name and password and then validating it from the database. But let's say the login page or index page URI is http://www.hahah.com/index.php
and after validation valid users are directed to usermain.php,
but if someone knows the URI http://www.hahaha.com/usermain.php then he can go to this page directly without authentication, so how can you stop this? Either by using sessions or what? And I also want to discuss whether this is the best way of authenticating users, especially for the administration area of a website.
Sevengraff
- Forum Contributor
- Posts: 232
- Joined: Thu Apr 25, 2002 9:34 pm
- Location: California USA
Paddy
- Forum Contributor
- Posts: 244
- Joined: Wed Jun 11, 2003 8:16 pm
- Location: Hobart, Tas, Aussie
Re: Authentication
phpcoder wrote:
and after validation valid users are directed to usermain.php
but if someone knows the URI http://www.hahaha.com/usermain.php then he can go to this page directly without authentication, so how can you stop this?
At the top of every page in my members' section I test either a session variable or a cookie, and if the test fails I redirect them back to the login page. That way, if they know the URL of a page in the members' section, it will get them nowhere.
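A concrete version of the per-page check Paddy describes, added here as an example (it is not code from the thread). The file name auth.php and the function names are assumptions; the paths /index.php and /usermain.php come from the original question. Each page in the members' section starts with `require 'auth.php'; requireLogin();`.

```php
<?php
// auth.php -- added example, not code from the thread. Every page in the
// members' section begins with:   require 'auth.php'; requireLogin();
// Paths /index.php and /usermain.php are taken from the original question.

// Flags for the session-id cookie: not readable by JavaScript, sent over
// HTTPS only, not attached to cross-site requests. Must precede session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Call at the top of every protected page. Anyone without a logged-in
// session is redirected and the script stops, so the page body is never sent.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /index.php');
        exit;   // without exit, PHP keeps running and the protected HTML still goes out
    }
    return (int) $_SESSION['user_id'];
}

// Call from the login handler once the username/password check has passed.
// $userId is the id of the matching database row.
function startUserSession(int $userId): void
{
    // Fresh session id at login, so an id planted in the browser before
    // login (session fixation) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    header('Location: /usermain.php');
    exit;
}

// Call from the logout page. Clears server-side data and expires the cookie.
function endUserSession(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
    header('Location: /index.php');
    exit;
}
```

The only thing the browser holds is a random session id; the user's password hash stays on the server. That is the main difference from the cookie scheme quoted later in the thread, where the cookie itself carries an md5 of the password and so becomes a long-lived password equivalent if it is ever read or copied.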
Sevengraff wrote:
I set a cookie that holds the user_id and an md5 hash of the user's password. On every page I check the password against the database. If the cookie doesn't exist or if the password doesn't match, then the user isn't considered logged in, and isn't allowed into restricted places.
Thanks for your reply. Can you tell me how to use an md5 hash?
Sevengraff wrote:
I set a cookie that holds the user_id and an md5 hash of the user's password. On every page I check the password against the database. If the cookie doesn't exist or if the password doesn't match, then the user isn't considered logged in, and isn't allowed into restricted places.
Then how is it possible to compare the database password, which I think will be in plain text, with the md5 encrypted password?
From the md5() user notes in that fine PHP manual:
Rizwan Kaif
01-Aug-2003 04:58
The md5() function is very useful for password encryption. Keep in mind that we cannot decrypt it.
The simplest method to use the md5() function in PHP with MySQL is as follows:
Insert the record into the MySQL database using a query like:
$query = "INSERT INTO user VALUES ('DummyUser', md5('DummyPassword'))"; // MySQL's md5() hashes the value server-side
And then for matching the password use:
$password = md5($password); // hash the submitted password the same way
$query = "SELECT * FROM user WHERE username='DummyUser' AND password='$password'"; // compare hash against the stored hash
In the above code you can use your variables instead of DummyUser & DummyPassword. The length of the password field in my DB is 60 chars.
Hope this helps!!!
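The manual note above stores a fast, unsalted md5 hash and builds the SQL by pasting the user's input into the query string. What follows is an added example, not the manual's or the thread's code, showing the same two operations (store a password, check a login) with PHP's password_hash()/password_verify() and PDO prepared statements. The table layout user(id, username, password), the function names and the in-memory SQLite connection are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from the manual note or the thread.
// Assumed table: user(id INTEGER PRIMARY KEY, username UNIQUE, password).
// In MySQL make the password column VARCHAR(255): password_hash() output is
// 60 chars today (bcrypt) and the PHP docs ask for room for future algorithms.

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Salted, deliberately slow hash. Two users with the same password get
    // different hashes, and offline guessing is far slower than against md5().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns the user's id on success, null for an unknown user or wrong password.
function checkLogin(PDO $pdo, string $username, string $password): ?int
{
    // Bound parameter: the username travels separately from the SQL text,
    // so nothing typed into the form can change the shape of the query.
    $stmt = $pdo->prepare('SELECT id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Still run password_verify() for an unknown user (against a dummy hash),
    // so the response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $storedHash = ($row !== false) ? $row['password'] : $dummyHash;
    $ok = password_verify($password, $storedHash);
    if ($row === false || !$ok) {
        return null;
    }

    // Transparently upgrade hashes made with older cost/algorithm settings.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE user SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Stand-alone demo against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
registerUser($pdo, 'DummyUser', 'DummyPassword');
var_dump(checkLogin($pdo, 'DummyUser', 'DummyPassword'));  // int(1)
var_dump(checkLogin($pdo, 'DummyUser', 'wrong-password')); // NULL
var_dump(checkLogin($pdo, 'nobody', 'DummyPassword'));     // NULL
```

This answers the earlier question in the thread about comparing a plain-text database password with a hash: nothing in the database is plain text, and the comparison is done by hashing the submitted password with the stored salt and comparing the results, which password_verify() does for you.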
krash_control
- Forum Newbie
- Posts: 14
- Joined: Mon Jan 12, 2004 10:02 am
- Location: United Kingdom
Patrickg, that sounds like a really good way of storing the password. I am just wondering though, is it at all possible that someone can intercept the plain-text password as it is being submitted? I don't mean by means of a keylogger etc. on the client side, but from the posting of the page.
I am thinking it's unlikely, as they would need access to your server and the password seems to get encrypted almost immediately and before being used, but I am not sure.