Need expert advice about production environment, security, a

Posted: Mon Jan 11, 2010 10:30 pm
by leulae
Need expert advice about production environment, security, and session

I am new to PHP and I am building a login system. This is the way I think it should work; the database handling part is not integrated yet.

The HTML form calls login.php, which uses userMan.php to authenticate the user and manage the session. To log out I use the endUserSession() function. To go ahead from this point I need some comments to carry on the work. Thanks in advance.


Login.php
<?php
require_once("userManage.php");

// Credentials as submitted by the HTML form
$userID = $_POST['userID'];
$password = $_POST['password'];

$a = new UserMan();

if ($a->auth($userID, $password)) {
    $a->startUserSession($userID);
    header("location:loginsuccess.php");
} else {
    print "Invalid";
}
?>

userManage.php
<?php
class UserMan {

    function auth($pUserID, $pPassword) {
        if ($pUserID == $pPassword) {
            // database part here / for test purposes, allow login when user id and password are equal
            return true;
        } else {
            return false;
        }
    } // auth()

    function isSession() {
        if (isset($_SESSION['userID'])) {
            return true;
        } else {
            return false;
        }
    } // isSession()

    function startUserSession($pUserID) {
        session_start();
        $_SESSION["userID"] = $pUserID;
    } // startUserSession()

    function endUserSession() {
        session_start();
        if (isset($_SESSION['userID'])) unset($_SESSION['userID']);
        session_destroy();
        header("location:loggedOut.html");
    } // endUserSession()

} // class UserMan

Re: Need expert advice about production environment, security, a

Posted: Tue Jan 12, 2010 12:46 pm
by flying_circus
Is this supposed to be pseudo code?

In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?

Never store usernames or passwords in a session variable. Store a user index from the database.

Always terminate your script after calling a redirect.

Why don't you start your session at the start of each page?

Re: Need expert advice about production environment, security, a

Posted: Wed Jan 13, 2010 3:21 am
by leulae
flying_circus wrote:Is this supposed to be pseudo code?
Yes, this is like pseudo code.

flying_circus wrote:In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?
For testing purposes I wrote it to allow login when the username and password match each other.

flying_circus wrote:Never store usernames or passwords in a session variable. Store a user index from the database.
OK, thanks. I will not store the username and password in the session.

flying_circus wrote:Always terminate your script after calling a redirect.
I couldn't get the idea of what you mentioned: "Always terminate your script after calling a redirect."

flying_circus wrote:Why don't you start your session at the start of each page?
I hope to start the session on every page, and the function startUserSession($pUserID) also starts the session.
I welcome your guidance.

Re: Need expert advice about production environment, security, a

Posted: Wed Jan 13, 2010 8:42 am
by kaisellgren
Wouldn't it be wiser to show us your production code rather than the "test" code?
leulae wrote:I couldn't get the idea of what you mentioned: "Always terminate your script after calling a redirect."
The header() call will do nothing more than just send an HTTP header. It will not stop your script from executing. Your script will still continue its execution and sometimes this can be a bad thing.

Usually, when you send the location header, it's clever to terminate the execution:

header('Location: index.php');
exit();
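Putting the thread's three recommendations together (start the session on every page, keep only a database user index in the session, and terminate the script after the redirect), here is an added example of a hardened version of the poster's login flow; it is not code from the thread, and the `$db` PDO connection and the `users` table with `id`, `username` and `password_hash` columns are assumptions.

```php
<?php
// Added example, not the poster's code. Assumptions: a PDO connection in $db
// and a `users` table with columns id, username and password_hash.
class UserMan {
    public function __construct(private PDO $db) {}
    // Returns the database user index on success, null on failure. The stored
    // value is a password_hash() result, so the clear-text password is never
    // stored or compared directly.
    public function auth(string $username, string $password): ?int {
        $stmt = $this->db->prepare(
            'SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($password, $row['password_hash'])) {
            return null;
        }
        return (int) $row['id'];
    }
    // Start the session once per request, before anything reads $_SESSION.
    public static function ensureSession(): void {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }
    // Keep only the user index in the session (never username or password)
    // and rotate the session id so a pre-login id is not carried over.
    public function startUserSession(int $userId): void {
        self::ensureSession();
        session_regenerate_id(true);
        $_SESSION['userId'] = $userId;
    }
    public function endUserSession(): void {
        self::ensureSession();
        $_SESSION = [];
        session_destroy();
        header('Location: loggedOut.html');
        exit; // header() only sends the redirect; nothing below may run
    }
}
// login.php request handling: read the form safely, then redirect and stop.
UserMan::ensureSession();
$userMan = new UserMan($db);
$userId = $userMan->auth($_POST['userID'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    exit('Invalid');
}
$userMan->startUserSession($userId);
header('Location: loginsuccess.php');
exit;
```

The `exit` after each `header('Location: ...')` is the point kaisellgren makes above: without it, any code after the redirect still runs for the unauthenticated request.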