Need expert advice about production environment, security, and session
New to PHP, and I am building a login system. This is the way I think of it; the database handling part is not integrated yet.
The HTML form calls login.php, which uses userMan.php to authenticate the user and manage the session. To log out I use the endUserSession() function. To go ahead from this point I need some comments to carry on the work. Thanks in advance.
Login.php
<?php
require_once("userManage.php");
// Read the credentials from the posted form (default to empty strings if missing)
$userID   = isset($_POST['userID'])   ? $_POST['userID']   : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$a = new UserMan();
if ($a->auth($userID, $password)) {
    $a->startUserSession($userID);
    header("location:loginsuccess.php");
} else {
    print "Invalid";
}
?>
userManage.php
<?php
class UserMan {
    // Authenticate the user; returns true when the credentials are accepted
    function auth($pUserID, $pPassword) {
        if ($pUserID == $pPassword) {
            // database part here / for test purposes, allow login when user id and password are equal
            return true;
        } else {
            return false;
        }
    } // auth()

    // Report whether a logged-in user is present in the session
    function isSession() {
        if (isset($_SESSION['userID'])) {
            return true;
        } else {
            return false;
        }
    } // isSession()

    // Start the session and remember the logged-in user
    function startUserSession($pUserID) {
        session_start();
        $_SESSION["userID"] = $pUserID;
    } // startUserSession()

    // Clear the user from the session, destroy it and redirect to the logged-out page
    function endUserSession() {
        session_start();
        if (isset($_SESSION['userID'])) unset($_SESSION['userID']);
        session_destroy();
        header("location:loggedOut.html");
    } // endUserSession()
} // class UserMan
flying_circus (Forum Regular; Posts: 732; Joined: Wed Mar 05, 2008 10:23 pm; Location: Sunriver, OR)
Re: Need expert advice about production environment, security, a
Is this supposed to be pseudo code?
In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?
Never store usernames or passwords in a session variable. Store a user index from the database.
Always terminate your script after calling a redirect.
Why don't you start your session at the start of each page?
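As an added example (not flying_circus's or the original poster's code), here is the login flow rebuilt around the four points in this reply: the password is checked against a stored hash instead of the username, only the user's database index goes into the session, the redirect is followed by exit, and the session is started once at the top of the page. It goes one step beyond the reply by regenerating the session id at login. The class and method names, the in-memory $users array standing in for a users table, and loginsuccess.php are all assumptions made to mirror the original post.

```php
<?php
// Added example, not the thread's code: the login flow rebuilt around the
// four points above. All names (UserMan methods, $users, loginsuccess.php)
// are assumptions chosen to mirror the original post.
declare(strict_types=1);

// Point 4: one session_start() at the top of every page, before any output.
// In a real site this lives in a bootstrap include that each page requires.
ini_set('session.use_strict_mode', '1');  // refuse session ids the server never issued
ini_set('session.cookie_httponly', '1');  // keep the session cookie away from JavaScript
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

final class UserMan
{
    /** @var array<string, array{id:int, hash:string}> constructed stand-in for a users table */
    private $users;
    /** @var string hash used to keep timing uniform when the username does not exist */
    private $dummyHash;

    public function __construct(array $users)
    {
        $this->users = $users;
        $this->dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    /**
     * Point 1: compare the password against a stored hash, never against the
     * username. Returns the user's database id on success, null on failure.
     * In production the row comes from a prepared statement keyed by username.
     */
    public function auth(string $userID, string $password): ?int
    {
        $row = $this->users[$userID] ?? null;
        if ($row === null) {
            password_verify($password, $this->dummyHash);  // same cost as the real check
            return null;
        }
        return password_verify($password, $row['hash']) ? $row['id'] : null;
    }

    /** Point 2: store only the database index, not the username or password. */
    public function startUserSession(int $userDbId): void
    {
        // Beyond the thread: a fresh id at login blocks session fixation.
        session_regenerate_id(true);
        $_SESSION['user_id']  = $userDbId;
        $_SESSION['login_at'] = time();
    }

    public function isSession(): bool
    {
        return isset($_SESSION['user_id']);
    }

    public function endUserSession(): void
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {           // expire the cookie, not just the data
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

/** login.php equivalent: $post stands in for $_POST so the flow is testable. */
function handleLogin(UserMan $um, array $post): bool
{
    $id = $um->auth((string)($post['userID'] ?? ''), (string)($post['password'] ?? ''));
    if ($id === null) {
        http_response_code(401);
        print "Invalid";
        return false;
    }
    $um->startUserSession($id);
    header('Location: loginsuccess.php');
    exit;  // Point 3: a redirect without exit keeps running whatever follows
}

// Constructed sample user; password_hash() runs once at registration in a real app.
$users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
handleLogin(new UserMan($users), ['userID' => 'alice', 'password' => 'guess']);  // prints "Invalid"
```

The dummy password_verify() on an unknown username keeps the failure path as slow as the real check, so an attacker cannot tell valid usernames from invalid ones by response time. Any page that needs a logged-in user then checks isSession() and looks the user up by $_SESSION['user_id']; nothing secret ever sits in the session file.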
Re: Need expert advice about production environment, security, a
flying_circus wrote: Is this supposed to be pseudo code?
Yes, this is like pseudo code.
flying_circus wrote: In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?
For test purposes I wrote it to allow login when the username and password match each other.
flying_circus wrote: Never store usernames or passwords in a session variable. Store a user index from the database.
OK, thanks. I will not store the username and password in the session.
flying_circus wrote: Always terminate your script after calling a redirect.
I couldn't get the idea of what you mentioned: "Always terminate your script after calling a redirect."
flying_circus wrote: Why don't you start your session at the start of each page?
I hope to start the session in every page, and the function startUserSession($pUserID) also starts the session.
I welcome your guidance.
kaisellgren (DevNet Resident; Posts: 1675; Joined: Sat Jan 07, 2006 5:52 am; Location: Lahti, Finland)
Re: Need expert advice about production environment, security, a
Wouldn't it be wiser to show us your production code rather than the "test" code?
leulae wrote: Couldn't get the idea what you mentioned "Always terminate your script after calling a redirect."
The header() call will do nothing more than just send an HTTP header. It will not stop your script from executing. Your script will still continue its execution and sometimes this can be a bad thing.
Usually, when you send the location header, it's clever to terminate the execution:
header('Location: index.php');
exit();
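The failure mode kaisellgren describes, shown as an added example that is not part of this reply: a protected page that sends a Location header without stopping. Output buffering captures what would be sent so the two variants can be compared in one run; the page name, the user id and the balance text are constructed. In a real script the early return is an exit.

```php
<?php
// Added example (not from the thread): why a Location header alone is not enough.
// header() only queues an HTTP header; PHP keeps running the rest of the file.
declare(strict_types=1);

/**
 * Simulates a protected page. The body is captured with output buffering so
 * both variants can be compared in one run; in a real page $stopAfterRedirect
 * is the difference between "header(...); exit;" and "header(...);" alone.
 */
function renderAccountPage(bool $loggedIn, bool $stopAfterRedirect): string
{
    ob_start();
    if (!$loggedIn) {
        header('Location: login.php');
        if ($stopAfterRedirect) {
            return ob_get_clean();   // stand-in for exit: nothing below runs
        }
        // Without the exit, execution falls through to the private content.
    }
    echo "Account balance for user 42: 1,234.00";   // constructed private data
    return ob_get_clean();
}

/** The pattern to use in real code: redirect and stop in one call. */
function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;
}

$leaked = renderAccountPage(false, false);
$safe   = renderAccountPage(false, true);
echo "without exit: " . ($leaked === '' ? 'nothing leaked' : 'body leaked -> ' . $leaked) . "\n";
echo "with exit:    " . ($safe === '' ? 'nothing leaked' : 'body leaked -> ' . $safe) . "\n";
```

A browser follows the 302 and never shows the leaked body, which is why the bug goes unnoticed in manual testing; a client that does not follow redirects (curl, a proxy log, a script) receives the private content in the response. Using a redirect() helper that always exits, as in the original reply, removes the possibility.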