
Thread: Logins, Portals, and Security! oh My!

  1. #1

    Thread Starter
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Logins, Portals, and Security! oh My!

    I am looking to develop a web application that will have the user log in and, once logged in, give the user access to different website components.

    Now I know how to do a lot of this. My real problem is, I have never done logging, so I am unsure what the best and most secure way is to go about doing so.

    Would I just use sessions, store the username and password in the sessions and authenticate on every page? That doesn't sound like the best way but I am unsure how to do it any other way.

    Also, I don't know what kind of encryption to use for storing the passwords in a MySQL database.

  2. #2
    Fanatic Member
    Join Date
    Oct 2004
    Posts
    751

    Re: Logins, Portals, and Security! oh My!

    In login.php you ask for the credentials; if they are correct, store them in $_SESSION and use that to validate for every other page. You can check the credentials in login.php by using $_POST, then like I said store them in $_SESSION (or you could even use cookies ($_COOKIE)...) to 'remember' that user.

    The best thing to store passwords in MySQL is MD5 (although it's not an encryption, it's a hashing algorithm. But even vBulletin uses it, and even phpBB!)

  3. #3
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: Logins, Portals, and Security! oh My!

    With regards to the logic, have a look at this. Replace the cookie with a session and you'll see that once authenticated, you do not need to reauthenticate on each request.


  4. #4
    Kitten CornedBee's Avatar
    Join Date
    Aug 2001
    Location
    In a microchip!
    Posts
    11,594

    Re: Logins, Portals, and Security! oh My!

    Actually, storing the user ID in the session is sufficient, once you have validated the credentials. This saves you a bit of time.

    In general, log-ins (not logging, that's generating log files) can be divided into two parts: authentication and authorization.

    Authentication is making sure that a visitor really is who he claims to be, i.e. verifying a username and password.
    Based on authentication, the second step is authorization: deciding what the user is allowed to do. There are various ways to go about it: role-based authorization (each user has a role, deciding what he may do - this board software largely uses this approach), individual authorization (permissions are stored per user - e.g. moderators for specific forums here), and a few others.

    For complex authorization tasks, here's a good library:
    http://phpgacl.sourceforge.net/
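The flow described in replies #3 and #4 (authenticate once, keep only the user ID in the session, then authorize by role on each request), as an added example that is not code from the thread. It assumes PHP's built-in `password_hash()`/`password_verify()` for the credential check instead of the MD5 mentioned in reply #2; the user table, role names and actions are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user table standing in for the MySQL users table.
// Only a password hash is stored, never the password itself.
$USERS = [
    'alice' => ['id' => 1, 'role' => 'admin',  'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    'bob'   => ['id' => 2, 'role' => 'member', 'hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
];

// Role-based authorization: each (hypothetical) role maps to the actions it may perform.
const PERMISSIONS = [
    'admin'  => ['view_reports', 'edit_users'],
    'member' => ['view_reports'],
];

// Authentication: verify the credentials once, then remember only the user ID.
function login(array $users, string $name, string $password): bool
{
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);         // issue a fresh session ID at login
    $_SESSION['user_id'] = $user['id'];  // no username or password kept in the session
    return true;
}

// Authorization: on each request, map the session's user ID to a role and check the action.
function can(array $users, string $action): bool
{
    $id = $_SESSION['user_id'] ?? null;
    foreach ($users as $user) {
        if ($user['id'] === $id) {
            return in_array($action, PERMISSIONS[$user['role']] ?? [], true);
        }
    }
    return false; // not logged in, or unknown user
}

session_start(); // must run before any output is sent
$results = [
    'wrong password accepted' => login($USERS, 'bob', 'wrong'),
    'bob logged in'           => login($USERS, 'bob', 'battery staple'),
    'bob may view_reports'    => can($USERS, 'view_reports'),
    'bob may edit_users'      => can($USERS, 'edit_users'),
];
var_dump($results);
```

In a real application `login()` would run in login.php against `$_POST` values and `can()` at the top of every protected page.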
