CProgrammer

member login


I want to make a member login system in PHP for my website. The most intuitive way would be to just check the information and, if it is correct, jump to a new site. Obviously this isn't very secure, since someone who finds out the link to the new site can bypass the login screen. How can I make a session-like system, a more secure system? -CProgrammer

This is what I am doing for the new admin panel of my site (it's not live yet).

Show login screen when the user isn't logged in. When the user submits his username/password, I check them against the database. When the result is OK, I save the user's UID and UNAME in a session.

For each page that gets opened in the admin panel, I check the session for a valid UID/UName. When the session dies, the user will be forwarded to the login page again.

Before executing any pages, such as posting, saving or updating data, I check the session data as well.

Toolmaker

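The flow Toolmaker describes, written out in PHP as an added example (this is not Toolmaker's code). The database lookup is replaced by a constructed in-memory user table behind a hypothetical findUser() function, and the eight-hour session lifetime is an assumed policy. Two things the post does not spell out are included because every login check needs them: the session ID is regenerated after a successful login so a pre-set (fixated) session ID cannot be reused, and state-changing requests check a per-session CSRF token, since "the session is valid" is also true for a cross-site form post the browser submits with the victim's cookie.

```php
<?php
// Added example, not Toolmaker's code: session-based login for an admin panel.
// findUser() is a hypothetical stand-in for the real database query.
declare(strict_types=1);

const SESSION_MAX_AGE = 8 * 3600;   // assumed policy: absolute login lifetime in seconds

function startSecureSession(): void {
    // Cookie flags: HTTPS only, not readable by page scripts, not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

function findUser(string $name): ?array {
    // Constructed stand-in for "SELECT uid, pwhash FROM users WHERE uname = ?".
    // Passwords are stored as password_hash() output, never in clear text.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['uid' => 1, 'pwhash' => password_hash('correct horse battery', PASSWORD_DEFAULT)]];
    }
    return $users[$name] ?? null;
}

function login(string $name, string $password): bool {
    $user = findUser($name);
    // Verify against a dummy hash when the name is unknown, so a missing user and a
    // wrong password take the same time and the response does not reveal valid names.
    static $dummy = null;
    $dummy = $dummy ?? password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $user['pwhash'] ?? $dummy) && $user !== null;
    if (!$ok) {
        return false;
    }
    session_regenerate_id(true);             // new session ID after authentication (anti-fixation)
    $_SESSION['uid'] = $user['uid'];
    $_SESSION['uname'] = $name;
    $_SESSION['login_time'] = time();
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

function currentUser(): ?array {
    // Called at the top of every admin page; null means "no valid login".
    if (!isset($_SESSION['uid'], $_SESSION['uname'], $_SESSION['login_time'])) {
        return null;
    }
    if (time() - $_SESSION['login_time'] > SESSION_MAX_AGE) {
        logout();
        return null;
    }
    return ['uid' => $_SESSION['uid'], 'uname' => $_SESSION['uname']];
}

function requireLogin(): array {
    $user = currentUser();
    if ($user === null) {
        header('Location: /login.php', true, 303);
        exit;
    }
    return $user;
}

function requireValidCsrfToken(): void {
    // For posting/saving/updating: the session cookie alone cannot tell a form the
    // user submitted from one submitted by another site in the user's browser.
    $known = $_SESSION['csrf'] ?? null;
    $sent = $_POST['csrf'] ?? null;
    if (!is_string($known) || !is_string($sent) || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// --- login.php request handling ---
startSecureSession();
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['uname'], $_POST['pw'])) {
    if (login((string) $_POST['uname'], (string) $_POST['pw'])) {
        header('Location: /admin/index.php', true, 303);
        exit;
    }
    $error = 'Invalid user name or password.';   // one message for both failure cases
}
echo '<form method="post">'
   . '<input name="uname" autocomplete="username"> '
   . '<input name="pw" type="password" autocomplete="current-password"> '
   . '<button>Log in</button>'
   . ($error !== '' ? '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>' : '')
   . '</form>';
```

Every page under /admin/ then begins with startSecureSession() and $user = requireLogin(); handlers that change data also call requireValidCsrfToken() and render $_SESSION['csrf'] into a hidden form field. Because the user's identity lives only in server-side session storage, knowing a page's URL gets an attacker nothing without a session cookie that the server has marked as logged in.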
The easiest way is to generate a large random number on the server, that's not known to clients.

Then, when the client logs in, you verify name and password against a table of names and passwords. If true, you mint a "session token". The session token contains:

Login time
User name
md5_hash(Random number + Login time + User name)

Put this in a cookie.

Whenever the user comes back, you first look for this cookie. If it's found, extract the three parts (login time, user name, and hash). Then re-compute the hash, using the login time and user name from the token, and random number from your server secret place. If the hash matches, you know they didn't forge it (because MD5 is cryptographically hard to break), and you can trust the login time and user name supplied.

Thus, you don't need to hit the database other than when they first log in. All authentication after that is done using a server-secret random number, and MD5 on the user name and login time. The cool thing about this is that if you load balance between different web servers, they can all share the same server secret random number, and thus accept tokens from each other, so it's stateless, too!

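The signed-token scheme from the post above, as an added PHP example (not the poster's code). The construction is the same, a login time and user name bound to a server secret, with three changes a practitioner would insist on: the keyed hash is HMAC-SHA256 via hash_hmac() rather than md5(secret + data), because a plain hash over secret-then-data is extendable and MD5 is no longer a safe choice; the check uses hash_equals() so the comparison does not leak through timing; and a token lifetime (TOKEN_TTL, an assumed eight hours) is enforced, since the post's token would otherwise be valid forever. The cookie name "auth" and the secret generated at the bottom are demo assumptions; in production the secret is random_bytes(32) generated once and read by every web server.

```php
<?php
// Added example, not the poster's code: stateless signed login token.
// Format: base64url(json payload) . "." . base64url(HMAC-SHA256(secret, payload))
declare(strict_types=1);

const TOKEN_TTL = 8 * 3600;   // assumed policy: token lifetime in seconds

function b64urlEncode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $text) {
    // Returns false for characters outside the alphabet, so garbage is rejected early.
    return base64_decode(strtr($text, '-_', '+/'), true);
}

function mintToken(string $secret, string $user, int $loginTime): string {
    $payload = b64urlEncode(json_encode(['u' => $user, 't' => $loginTime]));
    $mac = hash_hmac('sha256', $payload, $secret, true);   // keyed, not md5(secret . data)
    return $payload . '.' . b64urlEncode($mac);
}

function verifyToken(string $secret, string $token, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $macText] = $parts;
    $mac = b64urlDecode($macText);
    if ($mac === false) {
        return null;
    }
    // Recompute the MAC over the payload exactly as received; compare in constant time.
    $expected = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($expected, $mac)) {
        return null;                                      // forged or corrupted token
    }
    // Only now is the payload trusted enough to parse.
    $json = b64urlDecode($payload);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['u'], $data['t']) || !is_string($data['u']) || !is_int($data['t'])) {
        return null;
    }
    if ($data['t'] > $now || $now - $data['t'] > TOKEN_TTL) {
        return null;                                      // expired (or clock skew into the future)
    }
    return ['user' => $data['u'], 'login_time' => $data['t']];
}

function sendAuthCookie(string $token): void {
    // Same cookie flags as a session cookie: HTTPS only, not script-readable, not cross-site.
    setcookie('auth', $token, [
        'expires' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// --- self-check (constructed data; the secret would normally be loaded, not generated here) ---
$secret = random_bytes(32);
$now = time();
$token = mintToken($secret, 'alice', $now);

// Forgery attempt: swap the user name in the payload but keep the old MAC.
[$origPayload, $origMac] = explode('.', $token);
$forged = b64urlEncode(json_encode(['u' => 'admin', 't' => $now])) . '.' . $origMac;

$valid = verifyToken($secret, $token, $now);
$rejectedForgery = verifyToken($secret, $forged, $now) === null;
$rejectedExpired = verifyToken($secret, mintToken($secret, 'alice', $now - TOKEN_TTL - 1), $now) === null;

if ($valid === null || $valid['user'] !== 'alice' || !$rejectedForgery || !$rejectedExpired) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
echo "genuine token accepted; forged and expired tokens rejected\n";
```

The trade-off the post is enthusiastic about cuts both ways: because no server keeps a record of issued tokens, a stolen or leaked token cannot be revoked before it expires, and "log out" only deletes the browser's copy. Keep TOKEN_TTL short, rotate the secret to invalidate everything at once, and keep hash_equals() in the comparison; a byte-by-byte `==` on the MAC lets an attacker learn a valid MAC one byte at a time by timing.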
