the way i do it for sites that need minimal to medium
is to generate a session id whenever a user comes to
the site. this session id is stored in mysql table
and as a cookie on the user's computer. when the
user logs in correctly, the username is stored in
the database with the session ID (not as a cookie,
only the session ID is saved as a cookie).
i try and make it my goal to never store any usernames
or passwords on the user's computer. the existence
of the session ID is enough to allow me to look up
that ID in the database and see if the user logged
in correctly in the past few hours (expire time is ~6
hours, so after 6 hours of inactivity, the id is
cleansed from the database)
at the top of every PHP page that requires a
valid login, i check to see if the user has
a session ID stored as a cookie, then look up
that ID in the database to check if it's valid.
if the ID is valid, i check to see if a username
is also stored in the database. if there's a
valid username stored alongside the session ID,
then the user is recognized as being logged in.
if no username is in the database, then i ask the
user to log in.
the session table has these fields:
id (the generated session id)
lastused (last time the user accessed a page)
username (the username that the user logged in as)
(password information is stored in another table)
so... basically, if the user logs in correctly,
it will generate a random session id and store
the username in the database. *only* the session
id will be stored on the client.
when the user comes back to the website, if the
id in their cookie matches an id in the database
*and* the username field has a valid username,
the user is not asked to log in again. if the
session id is not found in the database (or is
expired) the user is directed to a login page.
any comments or thoughts on my method are welcome;
especially any weaknesses that you may find in my system.
thanks
> -----Original Message-----
> From: Romulo Roberto Pereira [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 22, 2001 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] I need an authentication method that is good... any
> Ideas? - please help
>
>
> Hello!
>
> I am constructing an intranet site. The site is all secure, I mean, all the
> pages are under a directory that needs a password to get in. These are
> facts:
>
> A) The user information is in an LDAP;
> B) The user should enter the pair login/password only once;
> C) Any access to the site without logging in first will be routed to a login
> page;
>
> So what would be a good solution on that?
>
> If this works, I would like to create documentation about it. All help will
> be welcome.
>
> Thank you in advance and for your attention,
>
> Romulo
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
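The session table and the per-page check described in the reply above, written out as an added example (not code from either poster); it uses an in-memory SQLite table with the same three fields (id, lastused, username) in place of the MySQL table, takes the session id from the OS random generator so it cannot be guessed, issues a fresh id when the login succeeds, and enforces the ~6 hour inactivity expiry on the server side. The cookie handling itself and the password check against the other table are assumed to happen in the calling page.

```python
import secrets
import sqlite3
import time

SESSION_TTL = 6 * 3600  # the ~6 hours of inactivity after which an id is cleansed


class SessionStore:
    """Server-side session table as in the post: id, lastused, username.
    An in-memory SQLite table stands in for the MySQL table (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the expiry rule can be tested deterministically
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE session (id TEXT PRIMARY KEY, lastused INTEGER NOT NULL, username TEXT)"
        )

    def new_session(self):
        """Issued when a visitor first arrives; only this value goes into the cookie."""
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not predictable
        self.db.execute("INSERT INTO session VALUES (?, ?, NULL)", (sid, int(self.clock())))
        return sid

    def _row(self, sid):
        self.expire_idle()  # never trust an idle id, even if it is still in the table
        return self.db.execute("SELECT username FROM session WHERE id = ?", (sid,)).fetchone()

    def login(self, sid, username):
        """Called only after the password check (other table) succeeded. The pre-login id is
        discarded and a new one generated, as the post describes, so the cookie value changes."""
        if self._row(sid) is None:
            return None  # unknown or expired id: caller sends the user to the login page
        self.db.execute("DELETE FROM session WHERE id = ?", (sid,))
        new_sid = self.new_session()
        self.db.execute("UPDATE session SET username = ? WHERE id = ?", (username, new_sid))
        return new_sid

    def current_user(self, sid):
        """The check at the top of every protected page: the id must exist AND have a
        username stored beside it. Returns the username, or None (ask the user to log in)."""
        row = self._row(sid)
        if row is None or row[0] is None:
            return None
        self.db.execute("UPDATE session SET lastused = ? WHERE id = ?", (int(self.clock()), sid))
        return row[0]

    def expire_idle(self):
        """Cleanse every id whose last use is older than the inactivity limit."""
        cutoff = int(self.clock()) - SESSION_TTL
        self.db.execute("DELETE FROM session WHERE lastused < ?", (cutoff,))
```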