Logins, Portals, and Security! oh My!
I am looking to develop a web application that will have the user login and, once logged in, gives the user access to different website components.
Now I know how to do a lot of this. My real problem is that I have never done logging, so I am unsure what the best and most secure way to go about it is.
Would I just use sessions, store the username and password in the session, and authenticate on every page? That doesn't sound like the best way, but I am unsure how to do it any other way.
Also, I don't know what kind of encryption to use for storing the passwords in a MySQL database.
Re: Logins, Portals, and Security! oh My!
In login.php you ask for the credentials; if they are correct, store them in $_SESSION and use that to validate on every other page. You can check the credentials in login.php by using $_POST, then, like I said, store them in $_SESSION (or you could even use cookies ($_COOKIE)...) to 'remember' that user.
The best thing to store passwords in MySQL is MD5 (although it's not encryption, it's a hashing algorithm. But even vBulletin uses it, and even phpBB!)
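As an added example (not code from the thread or from any poster), here is a login.php flow in the shape described above: credentials come in via $_POST, are checked against a stored hash, and the session is then used to recognise the user on every other page. It differs from the post in two ways a defender would want: only the user id is kept in $_SESSION (never the password), and the stored hash is produced with PHP's password_hash() / password_verify() (bcrypt) rather than MD5. The $users array is constructed sample data standing in for a MySQL row fetched with a prepared statement; the page paths /portal.php and /login.php are assumptions.

```php
<?php
// Added example, not from the thread. Session-based login that stores only
// the user id and verifies passwords with password_verify() (bcrypt).
declare(strict_types=1);

session_start();

// Constructed sample "database": username => [id, password_hash].
// In a real application this row comes from MySQL via a prepared statement,
// and the hash was created at registration with password_hash().
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Hash verified when the username does not exist, so a lookup miss costs
// about the same time as a wrong password (limits username enumeration).
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

/** Look up a user row by name; returns null if not found. */
function find_user(array $users, string $username): ?array
{
    return $users[$username] ?? null;
}

/** Authenticate: returns the user id on success, null on failure. */
function authenticate(array $users, string $dummyHash, string $username, string $password): ?int
{
    $row = find_user($users, $username);
    $hash = $row['hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash);
    if ($row === null || !$ok) {
        return null;
    }
    return (int) $row['id'];
}

/**
 * Guard for every protected page: call this at the top (e.g. via
 * require 'auth.php') instead of re-checking the password on each request.
 * Returns the logged-in user id or redirects to the login form.
 */
function require_login(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');   // assumed path of this script
        exit;
    }
    return (int) $_SESSION['user_id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $userId = authenticate($users, $dummyHash, $username, $password);
    if ($userId === null) {
        http_response_code(401);
        echo 'Invalid username or password.';   // same message for both cases
        exit;
    }

    // Issue a fresh session id so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    // Store only the user id; the password is never written to the session.
    $_SESSION['user_id'] = $userId;

    header('Location: /portal.php');   // assumed landing page
    exit;
}
```

Every other page then starts with `$userId = require_login();` and works from that id. Because the session id is the only secret travelling with the browser, the usual session hardening (HTTPS with the `Secure` and `HttpOnly` cookie flags, a sensible session lifetime, and calling session_destroy() on logout) is what protects the login once the password check is done.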
Re: Logins, Portals, and Security! oh My!
With regards to the logic, have a look at this. Replace the cookie with a session and you'll see that once authenticated, you do not need to reauthenticate on each request.
http://www.vbforums.com/attachment.p...chmentid=35352
Re: Logins, Portals, and Security! oh My!
Actually, storing the user ID in the session is sufficient, once you have validated the credentials. This saves you a bit of time.
In general, log-ins (not logging, that's generating log files) can be divided into two parts: authentication and authorization.
Authentication is making sure that a visitor really is who he claims to be, i.e. verifying a username and password.
Based on authentication, the second step is authorization: deciding what the user is allowed to do. There are various ways to go about it: role-based authorization (each user has a role, deciding what he may do - this board software largely uses this approach), individual authorization (permissions are stored per user - e.g. moderators for specific forums here), and a few others.
For complex authorization tasks, here's a good library:
http://phpgacl.sourceforge.net/
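To make the authentication/authorization split concrete, here is an added example (not from the thread, and not phpGACL) of the two authorization styles the post describes: a role-based permission map plus individual per-user grants, checked against the user id that the login step left in $_SESSION. The role, user and grant tables are constructed sample data; a real application would load them from MySQL.

```php
<?php
// Added example, not from the thread. Minimal role-based authorization
// layered on the user id held in the session after authentication.
declare(strict_types=1);

// Each role lists the actions it may perform (constructed sample policy).
const ROLE_PERMISSIONS = [
    'member'    => ['post.create', 'post.edit_own'],
    'moderator' => ['post.create', 'post.edit_own', 'post.edit_any', 'post.delete'],
    'admin'     => ['*'],   // wildcard: every permission
];

// Constructed sample mapping of user id => role (would come from the users table).
const USER_ROLES = [
    42 => 'member',
    7  => 'moderator',
    1  => 'admin',
];

// Individual grants on top of the role: the "moderator for a specific forum"
// case from the post. Format "forum:<id>:<permission>" is an assumption here.
const USER_GRANTS = [
    42 => ['forum:12:post.delete'],
];

/** Does $userId hold $permission, optionally within one forum? Deny by default. */
function can(int $userId, string $permission, ?int $forumId = null): bool
{
    $role = USER_ROLES[$userId] ?? null;
    if ($role === null) {
        return false;                       // unknown user: nothing allowed
    }
    $perms = ROLE_PERMISSIONS[$role] ?? [];
    if (in_array('*', $perms, true) || in_array($permission, $perms, true)) {
        return true;                        // granted by role
    }
    if ($forumId !== null) {
        // Per-user grant scoped to this forum, e.g. "forum:12:post.delete".
        $grants = USER_GRANTS[$userId] ?? [];
        return in_array("forum:$forumId:$permission", $grants, true);
    }
    return false;
}

/** Gate a page or action: 403 unless the logged-in user is allowed. */
function require_permission(string $permission, ?int $forumId = null): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $userId = $_SESSION['user_id'] ?? null;   // set by login.php after authentication
    if ($userId === null || !can((int) $userId, $permission, $forumId)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of a moderation action, before any deletion happens:
// require_permission('post.delete', (int) ($_GET['forum'] ?? 0));
//
// With the sample tables: user 42 may delete posts in forum 12 only,
// user 7 may delete in any forum, and user 1 may do anything.
```

The check is made on the server on every request that performs a privileged action, not just when rendering the menu; hiding a link is not authorization. Keeping the policy in data (tables) rather than scattered `if` statements is also what makes a library like phpGACL worthwhile once the rules grow past a handful of roles.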