Old Dec 3rd, 2005, 4:17 AM   #11
Arevos
Quote:
Originally Posted by Mocker
the webserver has a setting for php which decides to store sessions as cookies only, or as cookies first and get/post as fallback, or just get/post. GET is pretty insecure to have your information in.
Why's it any more insecure? I suppose someone could look over your shoulder, but remembering all the characters in a session ID can't be particularly easy.
Old Dec 13th, 2005, 11:41 AM   #12
krazyshane
I don't feel like using $_GET variables is secure at all, as anyone with minimal PHP knowledge could change the variable in their URL.

$_POST is a good option, but must be sent via a form, so it sucks (it's only good on the initial log-in).

I've had great success with using $_SESSION variables. To my knowledge, they're not always saved as cookies, but sometimes reside on the server itself (depending on the web-host's settings).

Just use $_SESSION variables for temporary login -- they last as long as they are still at your website. Once they leave, they are logged out.

And save a more permanent login w/ cookies. Also, wherever you plan on accessing $_SESSION variables, be sure that the first line of code on your page is session_start();


Shane
Old Dec 13th, 2005, 12:04 PM   #13
DaWei
Quote:
To my knowledge, they're not always saved as cookies, but sometimes reside on the server itself (depending on the web-host's settings).
Your information is somewhat of a mishmash. Some identifier for the session must be sent to and/or returned from the client. That's how one overcomes the basic statelessness of the transaction.
__________________
Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code.
Old Dec 13th, 2005, 1:42 PM   #14
Mocker
Quote:
Originally Posted by krazyshane
I don't feel like using $_GET variables is secure at all, as anyone with minimal PHP knowledge could change the variable in their URL.

$_POST is a good option, but must be sent via a form, so it sucks (it's only good on the initial log-in).

I've had great success with using $_SESSION variables. To my knowledge, they're not always saved as cookies, but sometimes reside on the server itself (depending on the web-host's settings).

Just use $_SESSION variables for temporary login -- they last as long as they are still at your website. Once they leave, they are logged out.

And save a more permanent login w/ cookies. Also, wherever you plan on accessing $_SESSION variables, be sure that the first line of code on your page is session_start();


Shane

$_POST is usually used for the login form. If you tried to keep track of someone logged in with it you'd basically have to make hidden form elements with the login info, which is a horrible idea for anything secure (anyone could look at the source or tweak the information passed there).

There are basically two ways sessions can work, with GET or with cookies. They aren't really a new type of data, they are just a built-in way PHP can use to handle information like that.

To make it secure you might consider making sure the session has a fast timeout and encrypting any information passed through the program.
__________________
#programmingforums relay - http://thegupstudio.com/cgi-bin/pforelay.cgi
freelance scripts - http://ryanguthrie.com/index.html
Old Dec 13th, 2005, 5:11 PM   #15
krazyshane
Quote:
Originally Posted by DaWei
Your information is somewhat of a mishmash. Some identifier for the session must be sent to and/or returned from the client. That's how one overcomes the basic statelessness of the transaction.

Hmm, I thought that sessions looked at your IP address and such? I didn't think that an actual file was saved on the client. I could be wrong though. Thanks for the correction.

Shane
Old Dec 13th, 2005, 5:13 PM   #16
krazyshane
Just found this off PHP's website

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

Seems I was indeed mistaken. $_SESSION variables, I think, will still do the trick for the original poster. I've used them successfully many a time.

Shane
Old Dec 13th, 2005, 5:53 PM   #17
DaWei
Quote:
I didn't think that an actual file was saved on the client.
A file is only saved if the information is cookie based. Sessions work well; one may also do the same thing, essentially, oneself. There's no magic to the passing of an informative token back and forth.
__________________
Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code.
Old Dec 17th, 2005, 10:11 AM   #18
drifter
<?php
// Assumes session_start() has already run and $db holds the mysql_connect() link.
// Escape the submitted values before they go into the query so quotes in the
// input cannot break out of the string literals (SQL injection).
$username = mysql_real_escape_string($_POST['username'], $db);
$password = mysql_real_escape_string($_POST['password'], $db);

$sql = "SELECT ID, username, PASSWORD(password) AS 'password', activated FROM User WHERE username = '" .
	$username . "' AND password = PASSWORD('" . $password . "')";

$result = mysql_query($sql, $db) or die(mysql_error());
$num = mysql_num_rows($result);

if( $num != 0 )
{
	$row = mysql_fetch_array($result);

	if ($row['activated'] == 0)
	{
		// Account exists but the activation email has not been confirmed yet
		echo "Your account has not yet been activated. " .
			"<a href='index.php?content=resendEmail&id=" . $row['ID'] .
			"'>Click here</a> to resend the activation email";
	}
	else
	{
		/* Optional "remember me" cookie, never finished in this version
		if( $_POST['remember'] != 0 )
		{
			$cookie_name ="auth";
			$cookie_value ="ok";
			$cookie_expire ="0";
			$cookie_domain ="127.0.0.1";

			setcookie($cookie_name, $cookie_value, $cookie_expire, "/", $cookie_domain);
		} */

		// Mark the session as logged in and keep the user's identity in it
		$_SESSION['loggedIn'] = 1;
		$_SESSION['userID'] = $row['ID'];
		$_SESSION['username'] = $row['username'];
	}
}
else
{
	echo "Login failed, Username or Password was Invalid!";
}
?>

The cookie is commented out, since it wasn't implemented with the code. (Didn't have time with the constraints on the project, which was in school, so no worries there.)
Although I think you might have to put a cookie in the top part of your file, usually when you start a session or before it. In this case, it was going to be an optional cookie, based on whether the user wanted to be remembered.
Not sure if that would have worked, but this was only to give you an idea.
(And yes, I know the code isn't commented much, thanks.) lol
__________________
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
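A hardened version of the login handler above, added here as an illustration; it is not drifter's code or anything from the original thread. It assumes a mysqli connection in $db (with the mysqlnd driver, for get_result), a User table whose password column holds password_hash() output rather than MySQL PASSWORD() values, and the same activated column; it applies the points raised earlier in the thread: the session ID travels only in a cookie and never in the URL, the ID is regenerated at login, idle sessions time out, and the query is a prepared statement.

```php
<?php
// Added example, not code from the thread. Assumes $db is a mysqli connection
// (mysqlnd driver, for get_result) and User.password holds a password_hash() value.

// Session ID travels only in a cookie, never in the URL (the GET concern above).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
session_start();

define('IDLE_TIMEOUT', 900);  // seconds; the "fast timeout" suggested above

// Drop sessions that have been idle longer than the timeout.
if (isset($_SESSION['lastActive']) && time() - $_SESSION['lastActive'] > IDLE_TIMEOUT) {
    $_SESSION = array();
    session_destroy();
    session_start();
}
$_SESSION['lastActive'] = time();

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Prepared statement: the username is bound as data, never concatenated into SQL.
$stmt = $db->prepare('SELECT ID, username, password, activated FROM User WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// Same message for an unknown user and a wrong password, so neither is revealed.
if ($row === null || !password_verify($password, $row['password'])) {
    echo 'Login failed, username or password was invalid.';
} elseif ($row['activated'] == 0) {
    // Cast the ID before echoing it into markup.
    echo 'Your account has not yet been activated. '
       . '<a href="index.php?content=resendEmail&amp;id=' . (int) $row['ID']
       . '">Click here</a> to resend the activation email.';
} else {
    // Fresh session ID at login, so an ID issued before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = 1;
    $_SESSION['userID']   = $row['ID'];
    $_SESSION['username'] = $row['username'];
}
?>
```

On the server, session.gc_maxlifetime still decides when abandoned session files are removed; the idle check above only controls what this application treats as logged in.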