> 1. login page has username and password text boxes and a link to my https
> login.php page.
If you're trying to keep the username/password safe in SSL, both the
receiving login.php *AND* the page with the FORM in it need to live on the
secure server.
> 2. after submit, login.php starts a session, opens the database, checks
> username and password, if valid ?? sets session variable $LOGGED_IN or
> something like it, sets $USERNAME, and loads the default php page for the
> user. If not valid, sets a session variable indicating the error, loads the
> login page again and displays an error message. login page destroys the
> session.
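create table users(username text unique not null, password text);
<?php
  # Relies on register_globals: $USERNAME, $PASSWORD and $msg come from the request.
  if (isset($USERNAME) && isset($PASSWORD)){
    # Escape the submitted values before they go into the query
    # (skip this if magic_quotes_gpc has already escaped them).
    $u = mysql_real_escape_string($USERNAME);
    $p = mysql_real_escape_string($PASSWORD);
    $query = "select count(*) from users where username = '$u'
              and password('$p') = password";
    $matches = mysql_query($query) or die(mysql_error());
    $count = mysql_result($matches, 0, 0);
    if (!$count){
      header("Location: login.php?msg=" . urlencode("Invalid Login"));
      exit;
    }
  }
  else{
    # No login submitted: show any message plus the form, then stop.
    if (isset($msg)){
      echo htmlspecialchars($msg), "<BR>\n";
    }
?>
<FORM ACTION=login.php METHOD=POST>
<INPUT NAME=USERNAME>
<INPUT TYPE=PASSWORD NAME=PASSWORD>
<INPUT TYPE=SUBMIT>
</FORM>
<?php
    exit;
  }
  # Only reached after a successful login.
  session_start();
  session_register('USERNAME');
  #load/display default page for $USERNAME
?>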
> 3. default page loads and check the value of $LOGGED_IN. if 1, then
> continue loading page for $USERNAME, otherwise loads login page with error.
> All other pages follow this same procedure.
>
> Questions about this:
> - I also want to have a timeout on the login, user configurable. How would
> I add this in? Initially a 3 hour timeout would be nice. I'm storing last
> login and last activity times in the database as TIMESTAMP values. Should I
> check this along with $LOGGED_IN before loading the pages?
Sure, or have a cron job (man 5 crontab) that deletes anybody older than 3
hours.
You could select their last activity, and if it's older than X, send a
header like the Invalid Login, only saying Session Expired.
Otherwise, update their last activity.
> - What is the default timeout on a session? Can I configure that somehow?
> I can't seem to find a way to make php changes... someone mentioned php.ini
> somewhere, but I've modified this file with no effect. Even when moved to
> the configured directory for php.ini (found by doing phpinfo() call).
Did you stop/start apache to make it reload it after you moved it?...
> Any assistance, although most likely redundant, would be appreciated.
> There's so much to sift through and perhaps if someone just points to a good
> doc on authentication processes, that would help.
There's some sample code on http://zend.com as well as other code archives.
Find the one that looks least puzzling and study it.
--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
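
The login check and the idle timeout discussed in this thread, as an added example that is not part of the original messages: it uses PDO prepared statements and password_hash() instead of the mysql_* calls above, and keeps the last-activity time in the session rather than in the database. The in-memory SQLite table, the user alice and the helper names (check_login, log_in, still_logged_in) are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The table layout, the user "alice"
// and all helper names are constructed; $session stands in for $_SESSION.
const IDLE_LIMIT = 3 * 3600;   // the 3 hour timeout asked about above

function check_login(PDO $db, string $username, string $password): bool {
    // The placeholder keeps the submitted name out of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

function log_in(array &$session, string $username, int $now): void {
    // On a real page, call session_regenerate_id(true) here as well.
    $session = ['USERNAME' => $username, 'LOGGED_IN' => 1, 'last_activity' => $now];
}

// Run at the top of every protected page. An idle session is wiped and the
// caller redirects to the login page; otherwise the activity time is updated.
function still_logged_in(array &$session, int $now, int $limit = IDLE_LIMIT): bool {
    if (empty($session['LOGGED_IN']) || $now - $session['last_activity'] > $limit) {
        $session = [];
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];
$t0 = 1000000;                             // constructed login time
var_dump(check_login($db, "alice' or '1'='1", 'x'));   // quotes in the name stay data
if (check_login($db, 'alice', 'correct horse')) {
    log_in($session, 'alice', $t0);
}
var_dump(still_logged_in($session, $t0 + 3600));               // one hour idle
var_dump(still_logged_in($session, $t0 + 3600 + IDLE_LIMIT + 1)); // past the limit
```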