
best way for login?


arbitter


I've looked around everywhere but can't really find what I need. I've also tried multiple methods, but apparently the one I'm using now is no good.

 

I just want a good, working and safe login method. One with the option to 'keep me logged in'.

I used to work with cookies, but they said it wasn't safe. So I started using sessions, but apparently that doesn't work at all :/

 

Can someone please tell me specifically what to put in sessions, and what in cookies? And all the variables that need to be stored when the user logs in.

 

I'd appreciate it very much! Thanks :)


Cookies will remain on the user's computer for the time you indicate. (Keep in mind that the user has full control over how long they are actually stored. He can choose to have no cookies at all, or to keep them only until he closes the browser; you just tell the browser how long you'd like them to be stored.)

 

The session data is stored on your server, it's individual to each visitor (well... that's the ideal ;) ). You can store data belonging to a user in there, while he is on your site. When he logs out, the session data is usually destroyed. So you shouldn't store settings there, that you want to be remembered the next time the user logs in. Use cookies or a database/filesystem for that.

 

Just keep in mind that cookies are user/browser-specific. If the same user logs on from a different computer, he will have different cookies.


session_set_cookie_params(3600);
session_start();

 

session_set_cookie_params must be called before session_start.

Yes, I am aware of that, but a session disappears after 24 minutes of inactivity, doesn't it, even though you set it to be longer?

 

But I still don't understand what the best method is...

Set a cookie with a unique 'code' for the user, and when he logs on, put his other data (email address, ...) in sessions so it's easy to use throughout the site?


Sessions work like this

 

session_start();

// Assigns random 32bit 'key' as a cookie on the user's computer

 

Now say someone has logged in, you assign the username to $_SESSION['user'].

$_SESSION['user'] = 'Bob';

 

Members only page

if (isset($_SESSION['user'])) {
    echo "Welcome {$_SESSION['user']} ";
}

 

Each $_SESSION variable points to the 'session key' stored in the cookie...

And ONLY the key gets stored on the client's computer, which PHP uses as a reference.

 

So for a table it might look like this:

 

bob 1e2a31bfg

joe 7e0g8a9b

guest 6f6a6o8

 

Hope that helps..


Thanks for your reply, cs.punk. Though I still don't know what the best method is for logging in... I know Sessions, I know cookies, but how should I combine them for a login?

 

E.g. what does this site use for its login system? What gets stored when the user logs in, and how? How can you make it all secure?


I don't think you fully understand what cs.punk is trying to say. A session can use cookies. When you call session_start(), a cookie is created for you and sent to the client. For all intents and purposes, you no longer interact with that cookie. Like cs.punk was saying, you use $_SESSION to interact with the data. Anything you would have placed into a cookie, you now place into the session.

 

Hope that helps,

-Kalivos

 

 


I've found a tutorial in which they use a cookie hash to then set the session and stuff. I understand things better now.

 

the cookie was made by this:

$cookiehash = sha1($userdata['userid'] . $secretword . time());

Like that, the hacker would have to know the userid, the secret word that is in an external file (though I didn't quite understand how he did that), and the time in milliseconds, which seems pretty safe.

 

If the user doesn't check it, it solely makes the sessions.

 

So in short:

if (isset($_COOKIE['cookiehash'])) {
    // connect to database, compare hash, retrieve user details and store them in $_SESSION
    $_SESSION['loggedin'] = true;
}
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
    // user is logged in
}



Sessions automatically issue a key ($_SESSION['PHPSESSID']) which is the cookie value you get (e.g. be0qddc1mdj58uu6mlqtau1o42). So a user would have to guess the key anyway.

 

Sounds insecure? Well you could then check if the IP (of the client/user) is the same.


This might help:

 

// login.php

<?php
session_start();
$user = "admin";
$pass = "bob76bob";

// html form goes here

if (isset($_POST['user'], $_POST['pass']) && $_POST['user'] == $user && $_POST['pass'] == $pass) {
    $_SESSION['admin'] = "yes";
    // Logged in
}
?>

 

// protected.php

<?php
session_start();

if (isset($_SESSION['admin'])) {
    // Admin
} else {
    // not admin, redirect user to login
    header("Location: login.php");
    exit; // stop here, or the rest of the page is still sent after the redirect header
}

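The same login and protected page with the fixes a reviewer would ask for: a hashed password from the database instead of a plaintext constant, session_regenerate_id() after a successful login, and exit after the redirect. This is an added example, not code from the thread; it assumes PHP 7.3+, a PDO connection in $pdo, and a hypothetical table users(id, username, password_hash, is_admin) whose password_hash column was filled with password_hash($plain, PASSWORD_DEFAULT).

```php
<?php
// Added example, not from the thread. Assumed: $pdo is a PDO connection and a
// hypothetical table users(id, username, password_hash, is_admin) exists,
// with password_hash produced by password_hash($plain, PASSWORD_DEFAULT).

// login.php
session_start();

function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so an
    // unknown username takes about as long as a wrong password.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if (!$row || !$ok) {
        return false;
    }

    session_regenerate_id(true);          // new id after login: blocks session fixation
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    return true;
}

if (isset($_POST['user'], $_POST['pass'])) {
    if (attemptLogin($pdo, $_POST['user'], $_POST['pass'])) {
        header('Location: protected.php');
        exit;
    }
    // wrong credentials: fall through and show the form again
}

// protected.php
session_start();

if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
    // not logged in or not an admin: redirect, then stop executing
    header('Location: login.php');
    exit;   // without exit the protected content below is still sent
}
// Admin-only content follows
```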
