I can't find anything to help me with this:
I have a database with the usernames and passwords in it, and I have them 'encrypted', using mcrypt_encrypt more than once to encrypt the users' passwords. I know how to get this data back to the raw password, but what I want to do is make it so that when the user logs in, a session is set with the username and password (encrypted version) in there, with another variable of logged_in == 1 if they're logged in. I also want to make it so that if the user selects "stay logged in" they do just that. I have the login page at http://www.URL.com/Login/, and I want the session and cookies to be for the WHOLE website: http://www.URL.com/. I just can't get anything to work. So some examples of code, and stuff to read, could REALLY HELP. This is day 12 on PHP, so yeah, I really don't know a lot, but I am learning.... I want to get my website done by the end of this summer, so I can be done with it.
THANKS FOR ALL OF THE HELP IN ADVANCE.....
CHRIS!!!!
LOGIN - Stay Logged-in -- Session Cookies -- Sessions
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
Essentially, you check the $_SESSION['username'] and $_SESSION['logged_in'] values on each script, make certain they're set, and that's usually enough to validate. You could run a call to the database on each page request, but I haven't found that necessary. I don't store the password, hashed or otherwise, in a session or cookie variable. I use a single call to the database with username and password to validate the user on each login, then store and check the $_SESSION values. Another method, aside from a 'logged_in' value, is to hash the user's current IP address. It can't change during the session; if it does, the session has theoretically been hijacked. (I should mention, if someone has the ability and know-how to hijack your session, they may be able to spoof the IP address, but is somebody really going to go to all this length?)
(untested pseudocode)
Code:
<?php
// index.php
// got to start the session, of course!
session_start();
// assign the hashed IP addr
$hashedIP = md5($_SERVER['REMOTE_ADDR']);
// check the user's values: username, hashed IP and logged_in must all be present,
// so the missing cases are OR'd together (with && a half-set session would fall through)
if ( !isset($_SESSION['username']) || !isset($_SESSION['hashedIP']) || empty($_SESSION['logged_in']) ) {
    // user hasn't logged in at all, redirect to login
    header("Location: login.php");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
} elseif ( $_SESSION['hashedIP'] !== $hashedIP ) {
    // potential security issue, force the user to logout
    header("Location: logout.php");
    exit;
} else {
    // allow the user in
}
You want to perform this same set of checks for every script you allow the user access to. You can see how setting another value such as 'user_auth_level' could allow you to have admins or moderators view the site in a slightly different manner than regular users. This is pretty basic, please don't take it to be the best security model.
If you have to have a validation process by database call on every script, you might consider using a different value than the actual password, like a temporary hashed session value stored in a separate table, maybe called 'current_logins'. There's a good tutorial on the site by Maugrim entitled 'Challenge/Response secure login process' that should give you some ideas on how to implement this.
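The 'current_logins' idea from the reply above, worked out as a "stay logged in" token for the whole site, as an added example; this is not code from the original post or its author. It assumes a PDO connection `$db` opened with `PDO::ERRMODE_EXCEPTION`, two hypothetical tables `users(id, username)` and `current_logins(selector, validator_hash, user_id, expires)`, that `session_start()` has already run on the including page, and PHP 7.3 or later (for the `setcookie` options array). The cookie never carries the password, encrypted or otherwise: it carries a random selector plus a random validator, and only the validator's hash is stored in the database.

```php
<?php
// Added example, not code from the original post. Assumptions: $db is a PDO
// connection with PDO::ERRMODE_EXCEPTION set, and these hypothetical tables exist:
//   users(id INT, username VARCHAR)
//   current_logins(selector CHAR(24), validator_hash CHAR(64), user_id INT, expires INT)
// session_start() has already been called by the including page.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

// Call after the username/password check succeeded and "stay logged in" was ticked.
// The cookie carries a random selector and validator; neither is derived from the password.
function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO current_logins (selector, validator_hash, user_id, expires)
         VALUES (:selector, :hash, :user_id, :expires)'
    );
    $stmt->execute([
        ':selector' => $selector,
        ':hash'     => hash('sha256', $validator),
        ':user_id'  => $userId,
        ':expires'  => $expires,
    ]);

    // path '/' makes the cookie valid for the whole site, not just /Login/
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call at the top of each page when $_SESSION['logged_in'] is not set.
// Fills the session the same way a normal login would and returns the user id,
// or returns null (and touches nothing) when the cookie is missing, malformed,
// expired or tampered with.
function loginFromRememberToken(PDO $db): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT l.user_id, l.validator_hash, l.expires, u.username
           FROM current_logins l JOIN users u ON u.id = l.user_id
          WHERE l.selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time, so the validator cannot be
    // guessed one byte at a time from response timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: the cookie was altered or a stolen
        // copy was used. Revoke the token rather than leave it live.
        revokeSelector($db, $selector);
        return null;
    }

    session_regenerate_id(true);              // new session id on login
    $_SESSION['user_id']   = (int) $row['user_id'];
    $_SESSION['username']  = $row['username'];
    $_SESSION['logged_in'] = 1;
    $_SESSION['hashedIP']  = md5($_SERVER['REMOTE_ADDR']);  // matches the check in the reply above
    return (int) $row['user_id'];
}

// Delete one token row; used on logout and on a failed validator check.
function revokeSelector(PDO $db, string $selector): void
{
    $stmt = $db->prepare('DELETE FROM current_logins WHERE selector = :selector');
    $stmt->execute([':selector' => $selector]);
}

// Call from logout.php: drop the server-side row, then expire the cookie and session.
function logoutRememberToken(PDO $db): void
{
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        revokeSelector($db, explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0]);
        setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
    }
    $_SESSION = [];
    session_destroy();
}
```

On the "whole website" part of the question: PHP's session cookie already defaults to path "/" (the session.cookie_path setting), so $_SESSION covers every page under http://www.URL.com/ as long as each page calls session_start(); the explicit path '/' on the persistent cookie above does the same for the stay-logged-in token. The login page should set the same three session keys (username, logged_in, hashedIP) after its own password check so the per-page check in the reply treats both kinds of login the same way.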
Can anyone answer my question? Like the one I posted on: viewtopic.php?t=49862