Authentication
Posted: Tue Jan 13, 2004 1:27 pm
by phpcoder
What is the best way of authenticating a user on a site? One that I do is creating a form getting the user name and password and then validating it from the database. But let's say the login page or index page URI is
http://www.hahah.com/index.php
and after validation valid users are directed to usermain.php,
but if someone knows the URI
http://www.hahaha.com/usermain.php then he can go to this page directly without authentication, so how can you stop this, either by using sessions or what? And I also wanna discuss whether this is the best way of authenticating users, especially for the administration area of a website.
Posted: Tue Jan 13, 2004 2:51 pm
by Sevengraff
I set a cookie that holds the user_id and an md5 hash of the user's password. On every page I check the password against the database. If the cookie doesn't exist or if the password doesn't match, then the user isn't considered logged-in, and isn't allowed into restricted places.
Posted: Tue Jan 13, 2004 2:58 pm
by Straterra
I like to use sessions, with just an encrypted form of the user's username. And I check if the session exists... if it does, then it checks the validity of the session data... then if all is well, it shows them as logged in.
Re: Authentication
Posted: Tue Jan 13, 2004 3:11 pm
by Paddy
phpcoder wrote:
and after validation valid users are directed to usermain.php,
but if someone knows the URI
http://www.hahaha.com/usermain.php then he can go to this page directly without authentication, so how can you stop this?
At the top of every page in my members' section I test either a session variable or cookie, and if the test fails I redirect them back to the login page. That way, if they know the URL of a page in the members' section, it will get them nowhere.
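The gate Paddy and Straterra describe, written out as an added example (my code, not any poster's): one include that every restricted page requires at the top, a login function that fills the session, and a logout. Compared with Sevengraff's cookie of user_id plus md5(password), the browser holds only an opaque session id, so a stolen cookie carries no password material and can be revoked by destroying the session server-side. The user store is constructed for the demo; it assumes PHP 7.3+ (array form of session_set_cookie_params) and a site served over HTTPS.

```php
<?php
// Added example, not code from any poster in this thread.
// Save as auth.php and require it at the top of every restricted page
// (usermain.php and friends). Assumes PHP 7.3+ and an HTTPS-only site.
declare(strict_types=1);

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'lifetime' => 0,       // expires when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed user store for the demo; a real site reads this from its
// database. Only a password hash is kept, never the plain-text password.
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

// Call this from the login form's POST handler (index.php).
function log_in(string $username, string $password): bool
{
    $user = demo_users()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a fresh session id on login so an id planted before
    // authentication (session fixation) carries no privilege.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Call this first on every restricted page. Requesting usermain.php
// directly with no valid session lands on the login page instead.
function require_login(string $loginUrl = '/index.php'): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage in index.php (login handler):
//   require __DIR__ . '/auth.php';
//   if (log_in($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: /usermain.php', true, 302);
//       exit;
//   }
// Usage in usermain.php:
//   require __DIR__ . '/auth.php';
//   require_login();
```

The check is `isset` rather than `empty` on purpose: a user with id 0 would otherwise be treated as logged out. `session_regenerate_id(true)` at login is the step most home-grown gates skip; without it, a session id an attacker handed to the victim before login stays valid after it.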
Posted: Tue Jan 13, 2004 3:14 pm
by phpcoder
Sevengraff wrote:I set a cookie that holds the user_id and an md5 hash of the user's password. On every page I check the password against the database. If the cookie doesn't exist or if the password doesn't match, then the user isn't considered logged-in, and isn't allowed into restricted places.
Thanks for your reply. Can you tell me how to use an md5 hash?
Posted: Tue Jan 13, 2004 3:17 pm
by patrikG
See md5() in the PHP manual.
Posted: Tue Jan 13, 2004 3:24 pm
by Straterra
Hm...there isn't a way to decode MD5, is there?
Posted: Tue Jan 13, 2004 3:29 pm
by phpcoder
Straterra wrote:Hm...there isn't a way to decode MD5, is there?
Yep, that's the point. MD5 is a digest algorithm, so how can you decode it!
Posted: Tue Jan 13, 2004 3:35 pm
by patrikG
You can't decode MD5. You can try to brute-force it, but that's silly and useless and takes ages. So no haxxoring, sorry guys.
Posted: Tue Jan 13, 2004 3:54 pm
by phpcoder
Sevengraff wrote:I set a cookie that holds the user_id and an md5 hash of the user's password. On every page I check the password against the database. If the cookie doesn't exist or if the password doesn't match, then the user isn't considered logged-in, and isn't allowed into restricted places.
Then how is it possible to compare the database password, which I think will be in plain text, with the md5-encrypted password?
Posted: Tue Jan 13, 2004 4:01 pm
by patrikG
See the md5() user notes in that fine PHP manual:
Rizwan Kaif
01-Aug-2003 04:58
The md5() function is very useful for password encryption. Keep in mind that we cannot decrypt it.
The simplest method to use the md5() function in PHP with MySQL is as follows:
Insert the record into the MySQL Database using a query like:
$query = "INSERT INTO user VALUES ('DummyUser',md5('DummyPassword'))";
And then for matching the password use:
$password = md5($password);
$query = "SELECT * FROM user WHERE username='DummyUser' AND password='$password'";
In the above code you can use your variables instead of DummyUser & DummyPassword. The length of the password field in my DB is 60 chars.
Hope this helps!!
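Kaif's note shows the idea: store the hash at insert time and compare a hash of the submitted password at login, so the database never holds the plain-text password (which also answers the "compare plain text with md5" question above). The added example below is mine, not the manual note's or any poster's, and carries the idea through with two changes a practitioner would make today: password_hash()/password_verify() instead of a bare md5() (md5 is fast and unsalted, so two users with the same password share a hash and guesses can be tried at very high speed), and prepared statements so the username and password never become part of the SQL text. It uses an in-memory SQLite database, constructed for the demo, so it runs stand-alone; swap the DSN and credentials for your MySQL ones.

```php
<?php
// Added example, not the manual note's code: hashed password storage and
// verification with prepared statements. Assumes the PDO SQLite driver is
// available; the database here is constructed in memory for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration: store only the hash, never the plain-text password.
function create_user(PDO $db, string $username, string $password): void
{
    // password_hash() adds a random salt and uses a deliberately slow
    // algorithm (bcrypt for PASSWORD_DEFAULT), unlike a bare md5().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login check: fetch the stored hash by username, then compare in PHP.
// Neither input is interpolated into the SQL, so a crafted username
// cannot change the WHERE clause, and password_verify() compares in
// constant time.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;   // unknown user
    }
    return password_verify($password, $hash);
}

// Demo run with the note's placeholder values.
create_user($db, 'DummyUser', 'DummyPassword');
var_dump(check_login($db, 'DummyUser', 'DummyPassword'));
var_dump(check_login($db, 'DummyUser', 'wrong'));
var_dump(check_login($db, "' OR '1'='1", 'x'));
```

Column width: a bcrypt hash from password_hash() is 60 characters, so the 60-char field from the note happens to fit exactly, but the PHP manual recommends a wider column (255) because the algorithm behind PASSWORD_DEFAULT can change in later releases.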
Posted: Wed Jan 14, 2004 3:32 am
by krash_control
patrikG, that sounds like a really good way of storing the password. I am just wondering, though: is it at all possible that someone can intercept the plain-text password as it is being submitted? I don't mean by means of a keylogger etc. on the client side, but from the posting of the page.
I am thinking it's unlikely, as they would need access to your server, and the password seems to get encrypted almost immediately and before being used, but I am not sure.
Posted: Wed Jan 14, 2004 3:38 am
by patrikG
Yup, that's possible. You'd have to connect via a secure connection to prevent that.
You can, however, md5 a string client-side in JavaScript, which has its own security implications.