best option : login
Posted: Sun Sep 05, 2004 8:51 pm
by Think Pink
Hi.
I have to make an admin page with a login form on it. After the admin logs in, he can then update the site content.
I'm not sure what to use. I read a lot about this and now I'm completely scared of login pages.
I can choose between :
1. HTTP Authentication
2. PEAR:: Auth
3. $_SESSION
4. $_COOKIE
What do you recommend?
I mean, what would be your options or what you usually use?
Thx
Posted: Sun Sep 05, 2004 9:27 pm
by d3ad1ysp0rk
I usually use $_SESSIONs, and $_COOKIEs if they require to "Stay logged in".
title
Posted: Mon Sep 06, 2004 12:37 am
by John Cartwright
I recommend sessions while the user is logged on, and then back it up with a cookie so they can stay logged in even when the browser is closed.
Sessions
Posted: Mon Sep 06, 2004 5:31 am
by wasabi
I use session. Once you have one written the rest is history. If you want my code just message me.
Posted: Mon Sep 06, 2004 5:53 am
by timvw
Options to keep track of authenticated user:
- HTTP authentication (do all browsers support this?) has the nasty limitation that it's impossible to log out without closing the browser window (afaik)
- cookies can be painful if the user doesn't accept them
- sessions are what I prefer
To validate the users (and look up their permissions) I use my own interface with methods:
- login ($credentials);
- logout ();
- isAllowed();
- getAllowedScripts();
- getAllowedProperties($script);
best option : login
Posted: Mon Sep 06, 2004 7:21 am
by Think Pink
Thx guys.
I know how to create the script, but I didn't know what I should use.
So far I have used sessions, but I read an article, "how to create a secure PHP login script" (I don't remember where or who wrote it, sorry), and it said this:
...users with shell access to the web server can scan valid session IDs if the default /tmp directory is used to store the session data.
Somebody who has a site (on a shared host with you) can generate a valid session for your site.
Posted: Mon Sep 06, 2004 7:38 am
by Sema
If you trust the server you are on, then there's no problem there.
Posted: Mon Sep 06, 2004 8:10 am
by Luis Almeida
I use sessions, and to close the session without closing the browser I use the following code:
Code:
<?php
// Clear the session variables and destroy the session data on the server.
session_unset();
session_destroy();
// Send an empty session cookie so the browser discards its copy.
$p = session_get_cookie_params();
setcookie(session_name(), "", 0, $p["path"], $p["domain"]);
?>
Re: best option : login
Posted: Mon Sep 06, 2004 8:16 am
by timvw
Think Pink wrote:
...users with shell access to the web server can scan valid session IDs if the default /tmp directory is used to store the session data.
True, that is why you should use session_save_path().
Posted: Mon Sep 06, 2004 12:03 pm
by tim
Luis Almeida wrote:
I use sessions, and to close the session without closing the browser I use the following code:
Code:
<?php
// Clear the session variables and destroy the session data on the server.
session_unset();
session_destroy();
// Send an empty session cookie so the browser discards its copy.
$p = session_get_cookie_params();
setcookie(session_name(), "", 0, $p["path"], $p["domain"]);
?>
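A few people have problems with that; the correct way is:
Code:
<?php
session_start();      // resume the current session so it can be destroyed
session_destroy();    // delete the session data stored on the server
$_SESSION = array();  // clear the variables still held in this request
?>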
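The two points raised in the posts above (keeping session files out of the shared /tmp with session_save_path(), and ending the session without closing the browser), as an added example that is not code from any poster in this thread. The directory path and the function names start_private_session() and end_session() are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. SESSION_DIR is a hypothetical path:
// choose one outside the web root and outside the shared /tmp.
const SESSION_DIR = '/home/example-user/private/sessions';

// Store session files in a directory that only this account can open.
function start_private_session(string $dir = SESSION_DIR): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    // Tighten the mode even if the directory already existed with looser permissions.
    if (!chmod($dir, 0700)) {
        throw new RuntimeException("cannot restrict session directory: $dir");
    }
    session_save_path($dir); // must be set before session_start()
    session_start();
}

// Log out without closing the browser.
function end_session(string $dir = SESSION_DIR): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_private_session($dir); // a session must be active to destroy it
    }
    $_SESSION = array(); // drop the data held in this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie, reusing the parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // delete the session file from SESSION_DIR
}
```

The 0700 directory only separates your sessions from other customers when PHP runs under your own account. Where every site's scripts run as the same web server user, the files remain readable to the other sites' scripts.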