Hi,
I've searched the archives, bit it's not helping me much purely because it's
not specific PHP code I'm after, but rather help with a login system design.
So far I've got a PHP_AUTH based login which checks against a MySQL
database, and if the user's details are correct it updates the database with
their IP and login time, then creates sessions variables for their username
and security level (for admins, mods etc). However, the more I read, the
more I worry about security, so I want to try and get this as good as I can
possibly get it with security my main concern. What I hope to achieve is
some reusable code. All the tutorials and sample code I look at say don't
use this in a production environment because it's not secure. When I'm happy
with what I've got I'll make the code available, hopefully this will be a
joint effort and any credit will be given.
So far the steps I have are;
Set $auth to false
Are PHP_AUTH_USER and PHP_AUTH_PW set ?
Yes -> Connect to database
check user/pw exists in database
if they do then set $auth to true
Is $auth false ?
Yes -> Display login box with header();
No -> update database with ip and time
create sessions variables
forward to next page
I'm after two things; ideas for a better (more comprehensive) design and
potential security holes. Are sessions a bad idea ? Should I store them in
my database ? Is the initial HTTP authentication a bad idea (because of
either security or browser compatability) and can I make the HTTP
authentication more secure ? Should I stick with a regular login form ? Is
checking for a username session variable on each following page enough ?
Hopefully this is relevant here.
Thanks,
Nick
This private and confidential e-mail has been sent to you by Egg.
The Egg group of companies includes Egg Banking plc
(registered no. 2999842), Egg Financial Products Ltd (registered
no. 3319027) and Egg Investments Ltd (registered no. 3403963) which
carries out investment business on behalf of Egg and is regulated
by the Financial Services Authority.
Registered in England and Wales. Registered offices: 1 Waterhouse Square,
138-142 Holborn, London EC1N 2NA.
If you are not the intended recipient of this e-mail and have
received it in error, please notify the sender by replying with
'received in error' as the subject and then delete it from your
mailbox.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
