sKunKbad
Member. Posts: 1,832. Days Won: 3.
Everything posted by sKunKbad
-
If using sessions, unless specified otherwise, the cookie is destroyed when the browser is closed. This may be the best solution.
-
I think you are going to have to use a combo of php, mysql, and javascript (ajax) to do what you want to do. You should sit down and write out a data flow chart that describes how data will move within the program, and you will probably answer most of your questions as you do it.
-
If you take a second look at the code I posted in the original post, maybe it is not obvious, but all post vars are getting cleaned by filter_input() and mysqli_real_escape_string() before being inserted into a query. Is this not enough?
If more than one row is retrieved in a database result, then $user_is_logged_in = FALSE.
sleep() may be a good idea, and I will consider this to help protect against brute force.
md5 is already being used for both the password and the token.
Thanks for your input. I think it's important to consider everything carefully.
-
I'm wondering how your project went. I have a customer that wants to use the MLS / IDX feed on their website, and I can't find much info online.
-
You don't. If you use a session, then when the user closes their browser, the session cookie is deleted. The cookie will usually hold the user's ID, and a token of some sort. It is common to use a timestamp that is salted and then encrypted for this token. You could also add or use an encrypted user agent string for a token. If you want a good login class or a way to authenticate users, you should search the internet for "php session hijacking", and "php session fixation". You will find a lot of examples of login scripts that do their best to defeat hackers.
-
I'm working on making the script recognize if it is a user and/or admin logging in, and will try to refine the process of checking status. I've been reading about login security, and hope that what I have done here will be enough. I realize that by having an SSL it would be a lot more secure.
-
Is this for security? I only liked the way I did it because a user would be where they want to be once logged in.
-
Yes, it works well. The usage in a page that requires login is like this:

require_once LOGIN_STATUS_CHECK;
if (!isset($user_is_logged_in) || $user_is_logged_in == 'false') {
    // $user_is_logged_in is set by the LOGIN_STATUS_CHECK include
    echo "data on this page is only accessible if logged in";
    require_once "includes/login_form.inc.php";
}else{
    // user content
}
-
So, in all of the stuff I've done with php, I've never tried to write my own login script, and I'm wondering if what I've got is safe or if anyone has any suggestions:

// auto strip slashes and escape for db query
function clean_for_query($data){
    global $db;
    if(get_magic_quotes_gpc()){
        // strip slashes by letting mysqli_real_escape_string do the work
        $data = stripslashes($data);
    }
    $data = mysqli_real_escape_string($db, trim($data));
    return $data;
}

// auto clean and extract POST vars
foreach($_POST as $post_key => $post_value){
    if($post_key == 'email'){
        $post_email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    }else{
        ${"post_$post_key"} = filter_input(INPUT_POST, $post_key, FILTER_SANITIZE_STRING);
    }
}

$user_is_logged_in = 'false';
$login_error = 0;

if(isset($post_submit_login) && $post_submit_login == 'submit'){
    if ($post_login_username == FALSE || $post_login_username == NULL || $post_login_password == FALSE || $post_login_password == NULL){
        $login_error = 1;
        $user_is_logged_in = 'false';
    }
    if($login_error != 1){
        $clean_login_username = clean_for_query($post_login_username);
        $clean_login_password = clean_for_query($post_login_password);
        $super_password = md5(PASSWORD_SALT . $clean_login_password);
        $a = mysqli_query($db, "SELECT * FROM `users` WHERE username = '$clean_login_username' AND password = '$super_password'");
        $b = mysqli_num_rows($a);
        if($b == 1){
            $row = mysqli_fetch_assoc($a);
            $_SESSION['user_id'] = $row['user_id'];
            $fingerprint = $row['timestamp'];
            session_regenerate_id();
            // token is bound to the session id that exists AFTER regeneration
            $_SESSION['user_token'] = md5($fingerprint . session_id() . $_SERVER['HTTP_USER_AGENT']);
            $user_is_logged_in = 'true';
        }else{
            $login_error = 1;
            $user_is_logged_in = 'false';
        }
        mysqli_free_result($a);
    }
}

if(isset($_SESSION['user_id']) && isset($_SESSION['user_token'])){
    $clean_user_id = clean_for_query($_SESSION['user_id']);
    $c = mysqli_query($db, "SELECT * FROM `users` WHERE user_id = '$clean_user_id'");
    $d = mysqli_num_rows($c);
    if($d == 1){
        $row = mysqli_fetch_assoc($c);
        $fingerprint = $row['timestamp'];
        // compare with "==": a single "=" here would assign the freshly computed
        // value to the session and the check would always pass
        if($_SESSION['user_token'] == md5($fingerprint . session_id() . $_SERVER['HTTP_USER_AGENT'])){
            session_regenerate_id();
            // the session id just changed, so rebind the token to the new id or
            // the comparison above fails on the next request
            $_SESSION['user_token'] = md5($fingerprint . session_id() . $_SERVER['HTTP_USER_AGENT']);
            $user_is_logged_in = 'true';
        }else{
            $login_error = 1;
            $user_is_logged_in = 'false';
        }
    }
    mysqli_free_result($c);
}
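The posted login and status check reworked as an added example (my code, not sKunKbad's, and it also covers the salted-md5 token snippet he posts elsewhere on this page): prepared statements in place of escaping into the query string, password_hash()/password_verify() in place of md5(PASSWORD_SALT . $password), hash_equals() in place of the single "=", and a token built only from values that survive session_regenerate_id(). The users table and its column names are assumptions.

```php
<?php
// Added example, not code from the original post. Assumptions: a users table
// with columns user_id, username, password_hash (a password_hash() value) and
// timestamp; $db is an open mysqli connection built against mysqlnd (needed
// for get_result()); session_start() has already run.

function fetch_user(mysqli $db, string $column, $value): ?array {
    // $column is always one of the two literals used below, never user input.
    $stmt = $db->prepare("SELECT user_id, password_hash, `timestamp` FROM users WHERE $column = ? LIMIT 1");
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function session_token(array $row): string {
    // Stable inputs only: the row's timestamp (bump it on a password reset and
    // every existing session dies) plus the user agent. Not session_id(): the
    // original hashed session_id() and then regenerated it, so an honest
    // comparison would have failed on the very next request.
    return hash('sha256', $row['timestamp'] . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

function login(mysqli $db, string $username, string $password): bool {
    $row = fetch_user($db, 'username', $username);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false; // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);  // fresh id at privilege change: stops fixation
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['user_token'] = session_token($row);
    return true;
}

function user_is_logged_in(mysqli $db): bool {
    if (!isset($_SESSION['user_id'], $_SESSION['user_token'])) {
        return false;
    }
    $row = fetch_user($db, 'user_id', $_SESSION['user_id']);
    if ($row === null || !hash_equals($_SESSION['user_token'], session_token($row))) {
        session_unset();
        session_destroy();  // a session whose token no longer fits is discarded
        return false;
    }
    return true;
}
```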
-
Thanks, that was too easy.
-
I've got a configuration file, and it includes my database connection, but when the configuration file is loaded/included from different directory levels, it fails. So I created a script that is working to include from whatever directory the script happens to be in at the time, but I'm wondering if anyone sees any problem with this, or if anyone has a better solution. I know that if I am on a linux server then the slashes are back-slashes, but I'm not concerned with that so much right now. Is this going to be reliable?

define("PATH", dirname($_SERVER['PHP_SELF']));
$slash_count = substr_count(PATH, "/");
$slashes = ''; // initialise before .= or PHP raises an undefined-variable notice
// finding where I am compared to root by counting slashes
for ($i = 0; $i < $slash_count - 1; $i++) {
    $slashes .= '../';
}
require_once $slashes . "db_conn.inc.php";
-
There are countless tutorials and free code on creating a user authentication system. I've been dealing with the same issue the last day or so. You will probably find some of the best info by searching for "PHP Session Hijacking" or "PHP Session Fixation" on yahoo (or google).
-
mysql has a PASSWORD function that does encrypt, but I could never figure it out. I use md5 with a salt and a token.

$salt = 'h$sTbV@45';
$super_password = md5($salt . $clean_login_password);
$fingerprint = $row['timestamp'];
session_regenerate_id();
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['token'] = md5($fingerprint . session_id());
-
"sometimes i hate php" ... That made me laugh. I imagined someone walking in to a bar full of KKK members and saying, "I hate white people!"
-
You would have to remove the sha1 from where php checks the password in the database too, or it will never match.
-
Did you fix it? I don't see anything wrong in IE6 or IE7
-
Where did you get this? I think you need a basic lesson in php before trying to attempt anything. What you are specifically seeking to do is a basic if statement using else if and else. Try w3schools.com
-
You should post this in the php help forum.
-
Just keep in mind that true randomization may include the same text being displayed more than once in succession. Check this out: http://www.phpfreaks.com/forums/index.php/topic,219050.msg1003587.html#msg1003587
-
Instead of session_destroy, you might try unset($_SESSION) or $_SESSION[whatever] = null;
-
On my site, I have a theme switcher that uses a session cookie. I opened my site in two tabs, switched the theme in one tab, went to the other tab, and that tab used the session cookie from the first tab. I tested in FF2, FF3, Opera 9.27, IE7, and Safari 3.1.1 on Windows. I didn't check my Mac or Linux browsers, but you shouldn't have any problems with those either. Please show your getThisURL() function, and more code if possible. The problem you are having is almost certainly a result of your code, and not the normal behavior of session cookies.
-
What browser? Having other tabs open shouldn't matter. I use a redirect script that is similar to what you have here, and it isn't affected by tabbed browsers (FF3, FF3, OPERA, IE7)
-
So, I figured out that you just have to set the CURLOPT_USERAGENT. This works for me:

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17');
curl_setopt($ch, CURLOPT_URL, 'http://iplists.com/nw/google.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
$result = curl_exec($ch);
curl_close($ch);
// escape the remote body before echoing it, so fetched markup cannot run in this page
echo "<pre>" . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . "</pre>";
?>

In this case I used Firefox, but you could probably use anything you want.
-
The external server is telling you that you don't have permission to view/open/access that file. I spoke too soon. I'll see what I can do and get back to you.
-
Show some code so we can try to figure out what you are doing.