User logins (cookies?)
Posted: Mon Mar 08, 2004 2:27 pm
by josh
I am making a user login ability on a new cms I have been designing with someone... we were wondering what the best way to have a user login would be? How would we encrypt something in php... we can store it in the database and read it back just fine

but it's not secure having the password sent back to the browser un-encrypted..... once the user is verified and logged in etc.. how do we keep him logged in... we can't just make every link say ?username=something&pass=something can we.... cookies would be good for this I guess but we have no experience whatsoever...
any example code/ tips or anything is greatly appreciated
ps.. (unimportant) what's the php command to say the current page's filename? so we can say users online =7 then list the page each one's on and say 2 are on this page etc....
Posted: Mon Mar 08, 2004 2:36 pm
by Deemo
Posted: Mon Mar 08, 2004 2:42 pm
by pickle
Ya, I'd use sessions. You can set up the connection to be https - that would secure the connection. Also, you could store and transmit the passwords as md5 hashes, not the actual password.
Posted: Mon Mar 08, 2004 3:16 pm
by josh
Ok how would I use https:// I've never used it before.. do I need to make something special in my files or something?
Posted: Mon Mar 08, 2004 3:22 pm
by pickle
well, it really depends on the server setup. For most servers, however, it can be just as simple as putting the 's' in the URL rather than just plain 'http'. The 's' tells the client and server to use SSL to communicate.
For example:
Code:
header('Location: https://www.myserver.com');
would make a secure connection to myserver.com
Keep in mind that SSL has to be set up in order for this to work.
Posted: Mon Mar 08, 2004 4:01 pm
by josh
ok how would I use encryption on database... should I make a php script to encrypt what they enter on signup then on login encrypt that too then compare the 2 encrypted strings? how do I encrypt something in php?
Posted: Mon Mar 08, 2004 4:43 pm
by pickle
I assume you're talking about protecting the passwords? In the past, what I've done is hashed the password upon user signup, then stored that hashed password in the DB. Then, when a user logs in, I'd hash what they've typed, and compared that with what's in the DB. That way, their password isn't stored. However, a secure connection is required in order to prevent plain-text transmission between the browser and the server.
What I used to do is just use $encrypted = md5($password). However, you can also use crypt(), which can allow you to use stronger encryption methods like DES and Blowfish.
http://www.php.net/crypt
Posted: Mon Mar 08, 2004 6:00 pm
by josh
ok thanks that worked.. I don't understand how to use sessions tho
Posted: Mon Mar 08, 2004 6:10 pm
by Deemo
sessions are a very valuable part of php, and u shud definitely learn. when a session is started, a variable can be passed from one page to another in the $_SESSION array. so like lets say in index.php, u wrote in a form to redirect to check.php which has a section that says
Code:
<?php
if (($UserName == $_POST['UserName']) and ($Password == $_POST['Password']))
{
$_SESSION['login'] == 'y';
}
?>
then, check.php redirects to index.php where it is checked to see if a user has logged in or not:
Code:
<?php
if (isset($_SESSION['login'])) {
    // Display login info or whatever you want
} else {
    // Display sign in box
}
?>
hope that helps
Posted: Mon Mar 08, 2004 6:37 pm
by josh
ok ill try that
Posted: Mon Mar 08, 2004 6:41 pm
by josh
how do I pass the session variable to index.php to see if he's logged in or not... when he logs in it now does this:
$_SESSION['login'] == 'y';
echo("<a href=wow.php>wow</a>");
then wow.php has exactly what u put :
<?php
if (isset($_SESSION['login'])) {
    // Display login info or whatever you want
} else {
    // Display sign in box
}
?>
it runs the code for not logged in
Posted: Mon Mar 08, 2004 6:52 pm
by Deemo
do you have session_start() at the beginning of each page? that is a necessity for sessions that i left out. without that, $_SESSION is just another variable
Posted: Mon Mar 08, 2004 6:58 pm
by josh
k thanks
ps.. i got stuck..
$_SESSION['login'] == 'y';
shoulda been
$_SESSION['login'] = 'y';
Posted: Mon Mar 08, 2004 7:04 pm
by Deemo
heh my bad, glad it's working

Posted: Mon Mar 08, 2004 7:12 pm
by josh
ok now another problem *sighs*
I put sessionstart thing in my headerfile (so every page gets it) and it says headers already sent can't set session cache limit or something.... what do I do about this... also should I just send the username in the session id or their password also?
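
An added example, not code from any poster in this thread: one way check.php could tie the pieces discussed above together, with session_start() before any output, a hash comparison at login, and only the username kept in the session. It swaps in PHP's built-in password_hash()/password_verify() (PHP 5.5+) for the md5() mentioned earlier; the $users array is a constructed stand-in for the database table and check_login() is a hypothetical helper.

```php
<?php
// check.php -- added example. The opening tag above must be the very first
// bytes of the file (and of every included file): a blank line, BOM or HTML
// before session_start() is what triggers "headers already sent".
session_start();

// Constructed sample data standing in for the users table. In a real
// application the hash is computed once at signup and stored in the DB;
// the plain password is never stored.
$users = [
    'demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

// Hypothetical helper: true when $password matches the stored hash.
function check_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() re-derives the salted hash and compares it in a
    // timing-safe way; no manual string comparison of hashes is needed.
    return password_verify($password, $users[$username]);
}

// Form field names follow the thread's check.php (UserName / Password).
$username = $_POST['UserName'] ?? '';
$password = $_POST['Password'] ?? '';

// is_string() rejects array-valued fields such as UserName[]=x.
if (is_string($username) && is_string($password)
    && check_login($users, $username, $password)) {
    // Issue a fresh session id at login so an id handed out before
    // authentication cannot be reused afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['login']    = 'y';        // assignment (=), not comparison (==)
    $_SESSION['username'] = $username;  // the password never goes into the session
} else {
    // Failed attempt: make sure no stale login flag survives.
    unset($_SESSION['login'], $_SESSION['username']);
}

// index.php then calls session_start() itself and tests
// isset($_SESSION['login']) to choose between user info and the sign-in box.
header('Location: index.php');
exit;
```

Only the session id travels in the cookie; the values in $_SESSION stay on the server, so the browser never receives the username flag or any password material.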