member login
I want to make a member login system in php for my website.
The most intuitive way would be to just check the information and if it is correct jump to a new site. Obviously this isn't very secure since someone who finds out the link to the new site can surpass the login screen. How can I make a session like system, a more secure system?
-CProgrammer
That's an option but I'm looking for a system similar to gamedev's or hotmail's ...
-CProgrammer
This is what I am doing for the new admin panel of my site (it's not live yet).
Show login screen when the user isn't logged in. When the user submits his username/password, I check them against the database. When the result is OK, I save the user's UID and UNAME in a session.
For each page that gets opened in the admin panel, I check the session for a valid UID/UName. When the session dies, the user will be forwarded to the login page again.
Before executing any pages, such as posting, saving or updating data, I check the session data as well.
Toolmaker
The easiest way is to generate a large random number on the server, that's not known to clients.
Then, when the client logs in, you verify name and password against a table of names and passwords. If true, you mint a "session token". The session token contains:
Login time
User name
md5_hash(Random number + Login time + User name)
Put this in a cookie.
Whenever the user comes back, you first look for this cookie. If it's found, extract the three parts (login time, user name, and hash). Then re-compute the hash, using the login time and user name from the token, and random number from your server secret place. If the hash matches, you know they didn't forge it (because MD5 is cryptographically hard to break), and you can trust the login time and user name supplied.
Thus, you don't need to hit the database other than when they first log in. All authentication after that is done using a server-secret random number, and MD5 on the user name and login time. The cool thing about this is that if you load balance between different web servers, they can all share the same server secret random number, and thus accept tokens from each other, so it's stateless, too!
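A PHP version of the stateless token scheme described in the post above, added here as an example rather than code from the thread. It swaps md5(secret + data) for an HMAC (SHA-256) keyed with the server secret, adds an expiry, and compares the MAC in constant time; the secret file path, cookie name and TTL are assumptions.

```php
<?php
// Added example (not from the thread): mint and verify a "loginTime|user|mac"
// token. A keyed MAC means a client cannot forge a token without the server
// secret, and HMAC is not exposed to the length-extension weakness of
// md5(secret . data). $secret is assumed to be loaded from outside the web root.
declare(strict_types=1);

const TOKEN_TTL = 8 * 3600; // seconds a token stays valid (assumed policy)

// Mint a token for a user who just passed the password check.
function mint_token(string $secret, string $user, int $now): string {
    // rawurlencode keeps a '|' inside a user name from breaking the format.
    $payload = $now . '|' . rawurlencode($user);
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Verify a token; returns the user name, or null if malformed, forged or expired.
function verify_token(string $secret, string $token, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$time, $user, $mac] = $parts;
    if (!ctype_digit($time) || $user === '') {
        return null;
    }
    // Recompute the MAC over the time and user name taken from the token,
    // exactly as the post describes, then compare without timing leaks.
    $expected = hash_hmac('sha256', $time . '|' . $user, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ($now - (int)$time > TOKEN_TTL) {
        return null; // a stale or stolen token stops working eventually
    }
    return rawurldecode($user);
}

// Usage sketch (assumed paths and cookie name). After a successful login:
//   $secret = file_get_contents('/etc/myapp/session.secret');
//   setcookie('auth', mint_token($secret, $username, time()),
//       ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// At the top of every protected page:
//   $user = verify_token($secret, $_COOKIE['auth'] ?? '', time());
//   if ($user === null) { header('Location: login.php'); exit; }
```

Because the token carries no server-side state, the only way to revoke it before the TTL elapses is to rotate the server secret, which logs every user out at once.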
Most PHP installations use sessions by default. Check the PHP site for more information on them.