Uzumakis

Confusion related to Database and PhP


I am developing a simple website and it needs users to log in to use it, but I am facing a problem assigning an ID to the user which is difficult to guess. I can't use the auto increment function in the database because it is easy to guess, so how do I sort it out securely?

Thanks in advance :)


Hmm, what has the ID got to do with it?

The basic idea is this:

  1. User logs in by entering their credentials
  2. Webpage sends credentials to server (using HTTPS)
  3. Server validates credentials against the database (password should be salted and hashed - just compare the hash, but can store the username in the clear).
  4. If successful, initiate a session, such as by creating a cookie.
  5. All subsequent pages check for the existence of the session/cookie; if absent, see step 1. If present, display page.

If you already have your login, set a session / cookie. It depends on how long you want the user to keep this explicit "hash / string", whatever you want to call it.

If you started a session with

    session_start();

already, you have access to the corresponding session_id:

    $mySessionId = session_id();

You wrote that you want to assign an ID... should it only be numeric?


User IDs can be auto_increment fields. That is just a number used to relate to a particular record. Your login should verify the user's credentials (username and password) and start a session ID, like what DasSaffe mentioned, with the steps dmatter listed. The user ID should be for connecting the user to the user's posts or material you store in your database.


What is the security risk of making a user ID guessable? The user ID should generally be irrelevant to the client, so simply don't expose it (avoid sending it to the client, even as a "hidden" field or parameter). Where necessary to use, take it from the session.

Making user IDs harder to guess doesn't add security, it adds obscurity. Focus on building a secure system first.

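The flow dmatter listed (verify against a salted hash, start a session, check it on every later page) together with the last reply's point that the user ID is only ever read from the session, written up as an added example; this is not code from any poster. The SQLite `users` table, the `app.db` path and the `/login.php` URL are assumptions made for the example.

```php
<?php
// Added example (not code from the thread). Assumes PHP 7.3+ and a
// hypothetical SQLite table users(id INTEGER, username TEXT, password_hash TEXT)
// whose password_hash column holds a password_hash($pw, PASSWORD_DEFAULT) value.
declare(strict_types=1);
// Session cookie flags: Secure + HttpOnly keep the session token off plain
// HTTP and away from page scripts. Must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

$pdo = new PDO('sqlite:' . __DIR__ . '/app.db');   // assumed connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Steps 3-4: verify against the stored (salted) hash, then bind the numeric
// user ID to the session server-side. The ID itself never reaches the client.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare only the hash; password_verify() runs in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session ID on login, old one discarded
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}
// Step 5: later pages ask the session who the user is, never a URL parameter.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if (!$ok) {
        http_response_code(401);
        exit('Invalid username or password');   // same message for unknown user and bad password
    }
}

$userId = currentUserId();
if ($userId === null) {                  // no session: back to step 1
    header('Location: /login.php', true, 303);
    exit;
}
// From here on, use $userId (from the session) for every lookup of this user's data.
```

Because the user ID only ever travels inside `$_SESSION`, it can stay a plain auto_increment value; what has to be unguessable is the session ID, which PHP generates for you.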