best option : login

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Think Pink
Forum Contributor
Posts: 106
Joined: Mon Aug 02, 2004 3:29 pm

best option : login

Post by Think Pink »

Hi.
I have to make an admin page with a login form on it. After the admin logs in, he can then update the site content.
I'm not sure what to use. I read a lot about this and now I'm completely scared of login pages.

I can choose between:
1. HTTP Authentication
2. PEAR::Auth
3. $_SESSION
4. $_COOKIE

What do you recommend?
I mean, what would be your options or what do you usually use?

Thx
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

I usually use $_SESSIONs, and $_COOKIEs if they require to "Stay logged in".
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

title

Post by John Cartwright »

I recommend sessions while the user is logged on, and then back it up with a cookie so they can stay logged in even when the browser is closed.
wasabi
Forum Newbie
Posts: 17
Joined: Sat Sep 04, 2004 9:38 am
Location: Adelaide

Sessions

Post by wasabi »

I use session. Once you have one written the rest is history. If you want my code just message me.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Options to keep track of an authenticated user:
- HTTP authentication (do all browsers support this?) has the nasty limitation that it's impossible to log out without closing the browser window (afaik)

- cookies can be painful if the user doesn't accept them

- sessions are what I prefer ;)


To validate the users (and lookup their permissions) i use my own interface with methods:

- login ($credentials);
- logout ();
- isAllowed();
- getAllowedScripts();
- getAllowedProperties($script);
Last edited by timvw on Mon Sep 06, 2004 8:18 am, edited 1 time in total.
Think Pink
Forum Contributor
Posts: 106
Joined: Mon Aug 02, 2004 3:29 pm

best option : login

Post by Think Pink »

Thx guys.
I know how to create the script, but I didn't know what I should use.
So far I used SESSIONS, but I read an article, "how to create a secure PHP login script" (I don't remember where or who wrote it, sorry), and it said this:
...users with shell access to the web server can scan valid session id's if the default /tmp directory is used to store the session data.

Somebody who has a site (on a shared host with you) can generate a valid session for your site.
Sema
Forum Commoner
Posts: 34
Joined: Fri Sep 03, 2004 12:43 pm
Location: Aalborg, Denmark

Post by Sema »

If you trust the server you are on, then there's no problem there.
Luis Almeida
Forum Commoner
Posts: 33
Joined: Tue Apr 01, 2003 4:22 am

Post by Luis Almeida »

I use sessions, and to close the session without closing the browser I use the following code:

<?php
   session_unset();                     // clear all session variables
   session_destroy();                   // remove the server-side session data
   $p = session_get_cookie_params();
   // send an empty session cookie so the browser drops the old one
   setcookie(session_name(), "", 0, $p["path"], $p["domain"]);
?>
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: best option : login

Post by timvw »

Think Pink wrote: ...users with shell access to the web server can scan valid session id's if the default /tmp directory is used to store the session data.
True, that is why you should use session_save_path().
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

Luis Almeida wrote: I use sessions, and to close the session without closing the browser I use the following code:

<?php
   session_unset();                     // clear all session variables
   session_destroy();                   // remove the server-side session data
   $p = session_get_cookie_params();
   // send an empty session cookie so the browser drops the old one
   setcookie(session_name(), "", 0, $p["path"], $p["domain"]);
?>

A few ppl have problems with that, the correct way is:

<?php
session_start(); 
session_destroy(); 
$_SESSION = array(); 
?>
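
Added example, not part of any post in this thread: PHP code that combines the session_save_path() suggestion above with a logout that clears the session data, the cookie and the server-side file. The directory path and the function names start_private_session, log_in and log_out are hypothetical, and it assumes PHP runs under your own account on the shared host, so that an owner-only directory is still usable by your scripts.

```php
<?php
// Added example, not code from the thread. APP_SESSION_DIR is a hypothetical
// path: pick a directory outside the web root that only your account can access.
const APP_SESSION_DIR = '/home/example/private/sessions';

function start_private_session(string $dir = APP_SESSION_DIR): void
{
    // Create the directory with owner-only access if it does not exist yet.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    // Refuse to continue if group/other have any access: on a shared host that
    // is what lets another account list or plant sess_* files.
    clearstatcache(true, $dir);
    if ((fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("session directory is not private: $dir");
    }
    session_save_path($dir);   // must be called before session_start()
    session_start();
}

function log_in(string $username): void
{
    // Issue a fresh session ID at login and delete the old session file.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function log_out(): void
{
    $_SESSION = array();                    // clear data for the current request
    if (ini_get('session.use_cookies')) {   // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                      // delete the server-side session file
}
```

Call start_private_session() at the top of every admin page before any output is sent, since both session_start() and setcookie() need to send headers.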