User logins (cookies?)


josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

I am making a user login ability on a new cms I have been designing with someone... we were wondering what the best way to have a user login would be? How would we encrypt something in php... we can store it in the database and read it back just fine :-) but it's not secure having the password sent back to the browser un-encrypted..... once the user is verified and logged in etc.. how do we keep him logged in... we can't just make every link say ?username=something&pass=something can we.... cookies would be good for this I guess but we have no experience whatsoever...

any example code/ tips or anything is greatly appreciated


ps.. (unimportant) what's the php command to say the current page's filename? so we can say users online =7 then list the page each one's on and say 2 are on this page etc....
Deemo
Forum Contributor
Posts: 418
Joined: Sun Jan 18, 2004 11:48 am
Location: Washington DC

Post by Deemo »

pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Ya, I'd use sessions. You can set up the connection to be https - that would secure the connection. Also, you could store and transmit the passwords as md5 hashes, not the actual password.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by josh »

Ok how would I use https:// I've never used it before.. do I need to make something special in my files or something?

Post by pickle »

well, it really depends on the server setup. For most servers, however, it can be just as simple as putting the 's' in the URL rather than just plain 'http'. The 's' tells the client and server to use SSL to communicate.

For example:

Code:

header('Location: https://www.myserver.com');

would make a secure connection to myserver.com

Keep in mind that SSL has to be set up in order for this to work.

Post by josh »

ok how would I use encryption on database... should I make a php script to encrypt what they enter on signup then on login encrypt that too then compare the 2 encrypted strings? how do I encrypt something in php?

Post by pickle »

I assume you're talking about protecting the passwords? In the past, what I've done is hashed the password upon user signup, then stored that hashed password in the DB. Then, when a user logs in, I'd hash what they've typed, and compared that with what's in the DB. That way, their password isn't stored. However, a secure connection is required in order to prevent plain-text transmission between the browser and the server.

What I used to do is just use $encrypted = md5($password). However, you can also use crypt(), which can allow you to use stronger encryption methods like DES and Blowfish.

http://www.php.net/crypt
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
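
Added example, not code from any poster in this thread: the hash-at-signup, compare-at-login flow pickle describes, written with PHP's password_hash() and password_verify() and extended to upgrade rows that were stored as md5($password). The $users array, the function names and the sample credentials are assumptions standing in for the CMS's database.

```php
<?php
// Added example; $users stands in for the DB table, and the accounts and
// passwords below are constructed sample data.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function register(array &$users, string $name, string $password): void
{
    // Salted, deliberately slow hash; the salt is stored inside the string.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function isLegacyMd5(string $stored): bool
{
    // A bare md5() value is exactly 32 lowercase hex characters.
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Do the same work for unknown users so timing stays similar.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    $stored = $users[$name];
    if (isLegacyMd5($stored)) {
        // Old row written as md5($password): compare in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if ($ok && (isLegacyMd5($stored)
            || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // Replace the weak or outdated hash while the password is known.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

$users = ['olduser' => md5('s3cret-sample')];   // constructed legacy row
register($users, 'newuser', 'another-sample');

var_dump(login($users, 'olduser', 's3cret-sample')); // correct password
var_dump(isLegacyMd5($users['olduser']));            // row after that login
var_dump(login($users, 'newuser', 'wrong'));         // wrong password
```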

Post by josh »

ok thanks that worked.. I don't understand how to use sessions tho

Post by Deemo »

sessions are a very valuable part of php, and u shud definitely learn. when a session is started, a variable can be passed from one page to another in the $_SESSION array. so like lets say in index.php, u wrote in a form to redirect to check.php which has a section that says

Code:

<?php
if (($UserName == $_POST['UserName']) and ($Password == $_POST['Password']))
{
  $_SESSION['login'] == 'y';
}

?>

then, check.php redirects to index.php where it is checked to see if a user has logged in or not:

Code:

<?php
if (isset($_SESSION['login'])) {
   //Display login info or whatever you want
} else {
   //Display sign in box
}
?>

hope that helps

Post by josh »

ok I'll try that

Post by josh »

how do I pass the session variable to index.php to see if he's logged in or not... when he logs in it now does this:

$_SESSION['login'] == 'y';
echo("<a href=wow.php>wow</a>");


then wow.php has exactly what u put :

<?php
if (isset($_SESSION['login'])) {
   //Display login info or whatever you want
} else {
   //Display sign in box
}
?>


it runs the code for not logged in

Post by Deemo »

do you have session_start() at the beginning of each page? that is a necessity for sessions that i left out :?. without that, $_SESSION is just another variable

Post by josh »

k thanks

ps.. i got stuck..
$_SESSION['login'] == 'y';
shoulda been
$_SESSION['login'] = 'y';

Post by Deemo »

heh my bad, glad it's working :lol:

Post by josh »

ok now another problem *sighs*

I put sessionstart thing in my headerfile (so every page gets it) and it says headers already sent can't set session cache limit or something.... what do I do about this... also should I just send the username in the session id or their password also?
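
Added example, not code from any poster in this thread: the session login Deemo outlines, with session_start() called before any output (the condition behind the "headers already sent" error in the last post) and only a user id kept in the session. It assumes PHP 7.3 or later; findUser() and the demo account are hypothetical stand-ins for a database lookup.

```php
<?php
// Added example. session_start() sends the session cookie as an HTTP header,
// so it must run before ANY output, including whitespace or HTML emitted by
// an included header file. Keep this at the very top of the first file loaded.
session_set_cookie_params([
    'lifetime' => 0,       // cookie ends when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over https
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical lookup with a constructed account; in the CMS this would be
// a query against the users table returning the stored password hash.
function findUser(string $name): ?array
{
    $users = [
        'demo' => ['id' => 7,
                   'hash' => password_hash('sample-pass', PASSWORD_DEFAULT)],
    ];
    return $users[$name] ?? null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user  = findUser((string)($_POST['UserName'] ?? ''));
    $typed = (string)($_POST['Password'] ?? '');
    if ($user !== null && password_verify($typed, $user['hash'])) {
        // Issue a fresh session ID at login so a pre-login ID is useless.
        session_regenerate_id(true);
        // Assignment (=), not comparison (==). Store an id, never the password.
        $_SESSION['user_id'] = $user['id'];
    }
}

// The browser only ever holds the random session ID; the data in $_SESSION
// stays on the server.
if (isset($_SESSION['user_id'])) {
    echo 'Logged in as user #' . (int)$_SESSION['user_id'];
} else {
    echo '<form method="post"><input name="UserName">'
       . '<input type="password" name="Password">'
       . '<button>Sign in</button></form>';
}
```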