best option : login
- Think Pink
- Forum Contributor
- Posts: 106
- Joined: Mon Aug 02, 2004 3:29 pm
Hi.
I have to make an admin page with a login form on it. After the admin logs in he can then update the site content.
I'm not sure what to use. I read a lot about this and now I'm completely scared of login pages.
I can choose between:
1. HTTP Authentication
2. PEAR::Auth
3. $_SESSION
4. $_COOKIE
What do you recommend?
I mean, what would be your options or what do you usually use?
Thx
- d3ad1ysp0rk
- Forum Donator
- Posts: 1661
- Joined: Mon Oct 20, 2003 8:31 pm
- Location: Maine, USA
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
I recommend sessions while the user is logged on, and then back it up with a cookie so they can stay logged in even when the browser is closed.
Options to keep track of authenticated user:
- HTTP authentication (do all browsers support this?) has the nasty limitation that it's impossible to log out without closing the browser window (afaik)
- cookies can be painful if the user doesn't accept them
- sessions are what I prefer
To validate the users (and look up their permissions) I use my own interface with methods:
- login ($credentials);
- logout ();
- isAllowed();
- getAllowedScripts();
- getAllowedProperties($script);
Last edited by timvw on Mon Sep 06, 2004 8:18 am, edited 1 time in total.
- Think Pink
- Forum Contributor
- Posts: 106
- Joined: Mon Aug 02, 2004 3:29 pm
thx guys.
I know how to create the script, but I didn't know what I should use.
So far I used SESSIONS, but I read an article, "how to create a secure PHP login script" (don't remember where or who wrote it, sorry), and it said this:
...users with shell access to the web server can scan valid session IDs if the default /tmp directory is used to store the session data.
Somebody who has a site (on a shared host with you) can generate a valid session for your site.
- Luis Almeida
- Forum Commoner
- Posts: 33
- Joined: Tue Apr 01, 2003 4:22 am
I use Sessions, and to close the session without closing the browser I use the following code:
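Code:
<?php
// Clear the session variables, destroy the server-side session,
// then send an empty session cookie so the browser drops it
session_unset();
session_destroy();
$p = session_get_cookie_params();
setcookie(session_name(), "", 0, $p["path"], $p["domain"]);
?>
Re: best option : login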
Think Pink wrote: ...users with shell access to the web server can scan valid session IDs if the default /tmp directory is used to store the session data.
true, that is why you should use session_save_path
Luis Almeida wrote: I use Sessions, and to close the session without closing the browser I use the following code:
Code:
<?php
session_unset();
session_destroy();
$p = session_get_cookie_params();
setcookie(session_name(), "", 0, $p["path"], $p["domain"]);
?>
a few ppl have problems with that, the correct way is:
Code:
<?php
session_start();
session_destroy();
$_SESSION = array();
?>
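An added example, not code from any poster in this thread, combining the two points discussed above: session files kept in a private directory via session_save_path(), and a logout that clears the data, expires the cookie and destroys the session. SESSION_DIR and the function names are hypothetical, and the private directory only helps where PHP runs under your own account rather than a user shared with other sites.

```php
<?php
// ASSUMPTION: hypothetical directory outside the web root, owned by the
// account PHP runs as. Adjust the path for your host.
const SESSION_DIR = __DIR__ . '/../private/sessions';

function start_private_session(): void
{
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    // Refuse a directory that group/other can list or read (POSIX hosts):
    // that is the /tmp exposure described in the thread.
    if ((fileperms(SESSION_DIR) & 0077) !== 0) {
        throw new RuntimeException('session directory is not owner-only');
    }
    session_save_path(SESSION_DIR);   // must be set before session_start()
    session_start();
}

function mark_logged_in(): void
{
    // Issue a fresh session ID at login so an ID known before
    // authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
}

function logout(): void
{
    // session_destroy() needs an active session to act on.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_private_session();
    }
    $_SESSION = array();              // drop the data held in this request
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same parameters it was set with,
        // otherwise the browser keeps sending the old ID.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // delete the server-side session file
}
```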