Highly secure login system
Hey guys,
I've been on a login system for the last couple of days. Well, perhaps 'a' is not correct. If I sum them up, I've made about 5 login systems. The second better than the first. Later on using commands like mysql_real_escape_string(), setcookie, get_magic_quotes(), sprintf/printf and others.

Now, my question lies kinda with the whole idea; what is a good order to initiate a login. We've got a couple of things:

1. We want to log in using a form which is enabled on a page with a bunch of other information. Like a CMS. Similar to this page, the Account Information block pops out.
2. We want to make sure that groups and users have access to these pages. Groups and users can have different rights on each page. A NEW member perhaps can't post reactions, although a user which is registered over 5 days can. Also, only for families (or relatives), it's allowed to view some personal information. Similar to a blog of some kind. I can imagine that it's nobody's business to know how long you've been married or whatever.
3. We want to check for every page (if restricted to members (by user or group)) if the person has access or not. Else, displaying a kind error and then redirecting them with meta tags (since header isn't possible after an output, also not with a delay) to a login form.
4. I want to make the user able to receive administrator rights. So this means, 1 user to rule them all. A main account, linked (perhaps) to an admin designated account.

So, we have a few standards that we're going to be following. The only problem for me is, what order? Which pages? How many pages? Setting cookies on which page? Checking them? If valid AND linked to a user, create a session nonetheless. ('remember me (for # days/months/years)')

What is the BEST way to do this? :) I can't figure it out on my own so you PHP gurus gimme some advice please! Even classes could come in handy but remember, not everyone has PHP 5.2.5 + yet. :) I've got 5.2.5 on my PC and 4.4.7 on my server. :) So no difficult and incompatible classes & functions. :)

Thanks guys! |
I would advise an upgrade to PHP 5; classes are needed for any large system.
Here is how I create my login systems. I set two cookies, one is the user's ID and the other is their encrypted password. Then I have a function in the header file (if I can't use classes) to authenticate the user by matching the ID and password in the database. If the two match, the user is legit. If confirmed I then take the user's rank and other info if needed from the database. I would give you the code I use, but it needs PHP 5 due to its OOP features. |
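An added example, not part of the reply above or of any poster's code: the cookie-then-database check described in this thread, written with a random single-use token in the cookie in place of the user ID and password pair (a swapped-in technique). It assumes PHP 7.1+; the function names, the `remember` cookie name and the in-memory `$store` standing in for a database table are hypothetical.

```php
<?php
// Added example: "remember me" cookie check with a random token (assumes PHP 7.1+).
// $store is a constructed in-memory stand-in for a database table
// remember_tokens(selector, validator_hash, user_id, expires).

function issue_remember_token(array &$store, int $userId, int $days): string
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $store[$selector] = [
        'validator_hash' => hash('sha256', $validator),
        'user_id'        => $userId,
        'expires'        => time() + $days * 86400,
    ];
    return $selector . ':' . $validator;      // value to place in the cookie
}

function check_remember_token(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed cookie or unknown selector
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);                 // single use: token is rotated on every check
    if ($row['expires'] < time()) {
        return null;                          // expired
    }
    // Compare the hashed validator in constant time.
    if (!hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return $row['user_id'];                   // caller starts a session and issues a new token
}

// Constructed usage: user 42 logs in and ticks "remember me" for 30 days.
$store  = [];
$cookie = issue_remember_token($store, 42, 30);
// In a page header, before any output, the value would be sent with:
// setcookie('remember', $cookie, time() + 30 * 86400, '/', '', true, true);

// On a later request the header include checks the cookie before the page renders.
$userId = check_remember_token($store, $cookie);
if ($userId !== null) {
    // Look up rank and group rights for $userId, then create the session.
    echo "user $userId authenticated from remember-me cookie\n";
}
```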
Still some people prefer PHP versions below 5 and some do not think upgrading is wise. I am selling my system for PHP 4 and up, since the market gets a lot bigger that way. Although I advise them to use PHP 5+. The mere fact is, some people/hosts do not wish to upgrade it.
Next to that, it doesn't accept things like 'public' and 'restricted' functions within the class (designated to a var if I am not mistaken). But still you can use classes. I am using a very large SQL class for all of my queries and sorts. You've given me a bit of insight on this and for that, thanks a lot Village Idiot. :) Hopefully people like Karl, Salathe and Wildhoney will reply as well (read a couple of their articles). Of course the rest, even the less experienced (if there are some :-P) are invited to reply with constructive advice and criticism. Thank you guys! |
The class I have to handle these things also needs PHP 5. But you might want to take a look at PHPuserClass, it's nice. I learned a lot about the subject by looking at the source code of that class (plus reading the nice articles of this site ;-) ). It doesn't seem restricted to PHP 5, however I'm not sure how well this will work on PHP 4.
|
Thanks for the help Village Idiot! This is surely a big help. I agree with you on the whole PHP 5 fact but still, a lot of people don't. I have never gotten into OOP yet since I also script a lot for PHP 4 and up. Nonetheless, I am going to try out that tutorial of yours and if I need feedback on my login system, I will post it right away!
Much appreciated! |
I'd think you would be surprised how many people are switching especially as they released PHP4's end of life.
|