Hi. I've been a PHP developer since it first came out. I retired in 2003; all the dot-com startups I worked for were good to me. But now I'd like to make a website for fun... something like Mobsters on MySpace and a few other apps combined. Glad to see PHP is up to 5.2+. I think it will also be good for me to update myself on PHP. I need to build a login system first, and I have a few questions. I've never worked with doing secure stuff, but at least I know where to start. 1) How should I store the authentication information after they log in? Cookies, sessions? 2) Do I need to check their login for every action they do? Thanks in advance; it's nice to see that the developer community has grown so much. When I first got started, there wasn't anyone around.
Sessions use cookies by default; if you specifically set otherwise, then you need to propagate the session ID via the URL. To answer your questions: you should use both of them. Not really. When they log in, you might want to give them the option to "keep me logged in" for a certain time, after which you will delete the user session. Peace,
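The "keep me logged in" option mentioned in the reply above, as an added example that is not code from any post in this thread: a persistent-login cookie that lives alongside the normal PHP session, so the session itself can stay short-lived. It assumes PHP 7.3+ (random_bytes() and the array form of setcookie()); the cookie name, the $tokens array standing in for a database table, and the helper names are my own.

```php
<?php
// Added example, not code from the thread. A "keep me logged in" token that
// works alongside the normal PHP session. Assumes PHP 7.3+ for random_bytes()
// and the array form of setcookie(). $tokens stands in for a database table.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';        // hypothetical cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;    // 30 days, in seconds

/** Stand-in for a remember_tokens table: selector => row. */
$tokens = [];

/**
 * Issue a token for $userId and (when serving a request) send it as a cookie.
 * Only a hash of the secret half is stored, so a leaked table cannot be replayed.
 */
function issue_remember_token(array &$tokens, int $userId, bool $sendCookie = true): string
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, stored in the clear
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $tokens[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    $cookie = $selector . ':' . $validator;
    if ($sendCookie) {
        setcookie(REMEMBER_COOKIE, $cookie, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,   // HTTPS only
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $cookie;
}

/** Validate a cookie value; returns the user id, or null if it is not acceptable. */
function check_remember_token(array &$tokens, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($tokens[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $tokens[$selector];
    if ($row['expires'] < time()) {
        unset($tokens[$selector]);           // expired: forget it
        return null;
    }
    // hash_equals() compares in constant time, so the check does not leak timing.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($tokens[$selector]);           // right selector, wrong secret: revoke it
        return null;
    }
    return $row['user_id'];
}

/** Called on logout so the cookie stops working even if the browser keeps it. */
function revoke_remember_token(array &$tokens, string $cookie): void
{
    unset($tokens[explode(':', $cookie, 2)[0]]);
}

// On each page request, after session_start(): rebuild the session from the
// token when there is no live login. Sketched here, since it needs a browser.
//   if (empty($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
//       $uid = check_remember_token($tokens, $_COOKIE[REMEMBER_COOKIE]);
//       if ($uid !== null) { session_regenerate_id(true); $_SESSION['user_id'] = $uid; }
//   }

// Self-check from the command line (no cookie is sent there).
if (PHP_SAPI === 'cli') {
    $cookie = issue_remember_token($tokens, 42, false);
    echo 'valid token  -> ', var_export(check_remember_token($tokens, $cookie), true), "\n";
    echo 'bogus token  -> ', var_export(check_remember_token($tokens, 'x:y'), true), "\n";
    revoke_remember_token($tokens, $cookie);
    echo 'after revoke -> ', var_export(check_remember_token($tokens, $cookie), true), "\n";
}
```

The selector/validator split is what lets the table store only a hash: the selector finds the row, the validator proves possession, and a wrong validator for a known selector is treated as a stolen cookie and revoked.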
Also, following on from azizny: make sure you encrypt the login details. It depends how encrypted you need this to be, but it's always worth learning good encryption methods. Research "Salt Password Encryption" on Google. Just a tip.
Here are my two cents...
1. Protect against SQL injection attacks.
2. Encrypt the password in the DB. I like to use MySQL AES.
3. You may want to check the password to assure it is a complex password; depends on what you are protecting.
4. Session variables are an easy way to handle the authenticated session.
You want to read this: php.net/sessions and php.net/md5 for making a fingerprint of the password instead of storing the actual password.
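As an added example (not code from any post above) of the salted-hash advice in the last three replies: PHP 5.5 and later ship password_hash() and password_verify(), which draw a random salt per password and store it inside the returned string, so nothing has to be encrypted and no separate salt column is needed. The demonstration also shows why an unsalted md5() column is weak: every user who picked the same password gets the same digest. It assumes PHP 7.0+ (scalar type declarations); the $users array, the cost constant and the function names are mine.

```php
<?php
// Added example, not code from the thread. Stores a salted password hash with
// password_hash() instead of the password or an unsalted md5(). Assumes
// PHP 7.0+; $users stands in for the users table (username => hash).
declare(strict_types=1);

const BCRYPT_COST = 12;   // work factor; raise it as hardware gets faster

/** Stand-in for the users table. */
$users = [];

/** Create the account: only the salted hash is kept, never the password. */
function register_user(array &$users, string $username, string $password): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $users[$username] = $hash;
    return $hash;
}

/**
 * Check a login attempt. An unknown user is verified against a dummy hash so
 * the response takes the same time either way and does not reveal which
 * usernames exist. Re-hashes on success if the stored cost has fallen behind.
 */
function verify_login(array &$users, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummy;
    $ok    = password_verify($password, $hash) && $known;
    if ($ok && password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $ok;
}

// Demonstration: two users who chose the same (constructed) password.
$pw = 'correct horse battery staple';
$h1 = register_user($users, 'alice', $pw);
$h2 = register_user($users, 'bob',   $pw);

// An md5 column would hold this one value for both rows, so a stolen table
// shows who shares a password and one cracked entry unlocks every copy.
echo 'md5 both rows would hold:     ', md5($pw), "\n";
// password_hash() salts each one, so the stored strings differ.
echo 'stored for alice:             ', $h1, "\n";
echo 'stored for bob:               ', $h2, "\n";
echo 'salted hashes identical:      ', var_export($h1 === $h2, true), "\n";

echo 'alice, right password:        ', var_export(verify_login($users, 'alice', $pw), true), "\n";
echo 'alice, wrong password:        ', var_export(verify_login($users, 'alice', 'hunter2'), true), "\n";
echo 'unknown user, any password:   ', var_export(verify_login($users, 'mallory', $pw), true), "\n";
```

The dummy-hash trick in verify_login() is worth keeping even for a hobby site: without it, a request for a nonexistent user returns almost instantly while a real user costs a bcrypt computation, and that difference enumerates valid usernames.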
In regards to checking their login, how can I make sure who they say they are as they go from page to page if I don't check their username/password for everything they do?
I usually check user login details on every page. Basically there's one function which goes like this:
1) if (login form data passed to page) { check if login is valid, create session variables }
2) else if (user session variables exist) { check if login is valid }
3) else { user is not logged in }
$_SESSION['password'] is usually encoded with md5() and so is the user_password column in the database.
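An added example, not the poster's function above, of the same three-way check done with PHP sessions, which also answers the earlier question about re-checking credentials on every page: the login page verifies the password once, and every other page calls require_login(), which trusts the session cookie instead of re-checking a password. It keeps only the user id in $_SESSION, never a password or its hash, and regenerates the session id at login. It assumes PHP 7.3+ (array form of session_set_cookie_params()) and that the users table holds password_hash() output; /login.php, the idle timeout and the $lookup callback's shape are hypothetical.

```php
<?php
// Added example, not code from the thread. A login handler plus a per-page
// check built on PHP sessions. Only the user id goes into $_SESSION; the
// password and its hash stay in the database. Assumes PHP 7.3+; the
// /login.php path and the $lookup callback are hypothetical.
declare(strict_types=1);

/** Start the session with hardened settings. Safe to call on every page. */
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');  // never take the id from the URL
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Branch 1 of the three-way check: credentials were posted. $lookup takes a
 * username and returns ['id' => int, 'password' => <password_hash() output>]
 * or null. On success the session id is regenerated so an id an attacker
 * planted before login (session fixation) is not carried over.
 */
function login(string $username, string $password, callable $lookup): bool
{
    start_secure_session();
    $row = $lookup($username);
    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

/**
 * Branches 2 and 3: on every protected page, trust the session instead of
 * re-checking the password. Returns the user id, or redirects to the login
 * page when there is no session or it has been idle longer than $maxIdle.
 */
function require_login(int $maxIdle = 1800): int
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $maxIdle) {
        logout();
        header('Location: /login.php?expired=1', true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

/** Clear the server-side session and expire the cookie in the browser. */
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage sketch. In login.php, with a PDO connection in $pdo (prepared
// statement, so the username cannot inject SQL):
//   $lookup = function (string $u) use ($pdo): ?array {
//       $st = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
//       $st->execute([$u]);
//       return $st->fetch(PDO::FETCH_ASSOC) ?: null;
//   };
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '', $lookup)) {
//       header('Location: /home.php', true, 302); exit;
//   }
// At the top of any protected page:
//   $userId = require_login();
```

The session id is the credential after login, which is why the cookie flags and use_strict_mode matter more than anything stored inside the session: whoever presents a valid id is the user, so the id must not be guessable, readable from script, or settable by an attacker before login.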
Sometimes people ask questions just to see how you will respond; sometimes you might give examples. Doing so may give them insight into how you have done your own websites, in case they want to try to get into them.
Well, theoretically, it shouldn't matter if someone does find out how to code it correctly. If the code has been written well in the first place, then it should not make a difference if you know how it's coded. If you don't know the original encrypted password, then it won't help a lot if you know how it's been coded, and if you've salted the password, you could spend a lifetime working out the password.
Right... but an old trick is to ask questions in chat rooms, and most of the time people will give examples of how they write code, and if there's anything there to exploit... they would do it. UGLYSOB... no, I'm not saying you're a hacker; I would've said that if I was saying you were. I was saying what I meant to say.