TalkPHP


MartynMJ 11-18-2007 08:45 PM

My login method?
 
I've never "learnt" how to make a login script, just sort of assumed how to do it, so I was wondering if my way was bad lol. Here's a description.

Username and password stored in database (password md5'ed).

When the user attempts to login then it will check the database to see if the info matches.

If all is well at this point then in a sessions table it will insert the username, a random code and their IP address.

Then a cookie is set with a base64 encoded serialized array; in the array is the ID of the session in the database, the username and the random code.

Then if they try to view a members page it will check that the info from the cookie and the user's IP address match that in the database.

Is this bad? lol

Make sense? :)

EyeDentify 11-22-2007 10:52 AM

I'm no expert, but one should be a little careful with trusting that the IP stays the same at all times.

I would not rely on that.

And the IP could be the same for a multitude of users if they're from the same ISP, for example.

Anyone else?

MartynMJ 11-22-2007 12:45 PM

Quote:

Originally Posted by EyeDentify (Post 4487)
I'm no expert, but one should be a little careful with trusting that the IP stays the same at all times.

I would not rely on that.

And the IP could be the same for a multitude of users if they're from the same ISP, for example.

Anyone else?

Yes, I know that relying on an IP address wouldn't really do, but not only does the IP address have to be the same but the ID of the user session, the username and the random code which is encoded have to match the database record, so I figured it would be extremely hard for a hacker to get a row inserted into the database with their random code and so on?

Wildhoney 11-22-2007 02:10 PM

The trouble with the IP address is that with some ISPs, such as AOL, the IP changes on every page request, and so any end-user on your website using AOL, or another ISP that goes down the same route with its IPs, would be required to log in every single time.

Moreover, for your passwords you'll no doubt be wanting to apply a salt to them and then MD5 them together.

http://www.talkphp.com/showthread.php?t=1188
http://www.talkphp.com/showthread.php?t=1162

MartynMJ 11-23-2007 10:33 AM

Quote:

Originally Posted by Wildhoney (Post 4489)
The trouble with the IP address is that with some ISPs, such as AOL, the IP changes on every page request, and so any end-user on your website using AOL, or another ISP that goes down the same route with its IPs, would be required to log in every single time.

Moreover, for your passwords you'll no doubt be wanting to apply a salt to them and then MD5 them together.

http://www.talkphp.com/showthread.php?t=1188
http://www.talkphp.com/showthread.php?t=1162

I have been using a salt on the passwords :).

Does anyone have a link to a tutorial where they have a good method for user sessions?

thegrayman 01-01-2008 07:36 AM

What I was thinking about was setting multiple cookies: one with the session ID and other info serialized, as well as another setting a value that is updated in the DB every time the user changes pages. I plan to check to see if cookies can be set, and if not then send them to a page explaining that you need to have cookies turned on to use this site, sort of thing. Obviously when someone logs in, regenerate their session ID at that time as well.
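
An added example, not part of the original thread or any poster's code: a PHP version of the cookie-plus-sessions-table design discussed above. The cookie is a plain `id.token` string rather than a base64 encoded serialized array (so no client data reaches `unserialize()`), the random code is stored only as a hash, and the IP address is recorded but not enforced. The in-memory `$sessions` array, the function names and the sample values are assumptions standing in for the database table.

```php
<?php
// Assumption: in-memory stand-in for the thread's "sessions" database table.
$sessions = [];

/** Create a session row and return the cookie value "<id>.<token>". */
function issueSession(array &$sessions, string $username, string $ip, int $ttl = 3600): string
{
    $id    = bin2hex(random_bytes(8));   // row identifier, not secret
    $token = bin2hex(random_bytes(32));  // the "random code": 256 bits from the CSPRNG
    $sessions[$id] = [
        'username'   => $username,
        'token_hash' => hash('sha256', $token), // store only a hash of the code
        'ip'         => $ip,                    // kept as a signal, not enforced
        'expires'    => time() + $ttl,
    ];
    return $id . '.' . $token;
}

/** Return the username for a valid cookie, or null otherwise. */
function validateSession(array &$sessions, string $cookie, string $ip): ?string
{
    // A strict format check replaces base64_decode() + unserialize() on cookie input.
    if (!preg_match('/^([0-9a-f]{16})\.([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $id, $token] = $m;
    $row = $sessions[$id] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($sessions[$id]); // drop expired rows; no-op if the row never existed
        return null;
    }
    // Constant-time comparison of the stored hash with the presented code.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    if ($row['ip'] !== $ip) {
        // Addresses change legitimately (see the replies above), so only log it.
        error_log("session $id: IP changed from {$row['ip']} to $ip");
    }
    return $row['username'];
}

// Constructed sample run using documentation-range IP addresses.
$cookie = issueSession($sessions, 'martyn', '192.0.2.10');
var_dump(validateSession($sessions, $cookie, '192.0.2.10'));   // valid cookie
var_dump(validateSession($sessions, $cookie, '198.51.100.7')); // same cookie, new address
$forged = strtok($cookie, '.') . '.' . str_repeat('0', 64);    // right id, wrong code
var_dump(validateSession($sessions, $forged, '192.0.2.10'));
```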

