At 06:17 PM 2/18/2002 -0800, Phillip S. Baker wrote:
>I have a MySQL back end.
>It houses a user's user_name and password.
>
>I have a secure area of the site that I only want members to view.
>
>The way I have it now is that the user logs in.
>If user_name and password match, cookies are set.
>
>Each page in the secure area checks for a variable in the cookie. If set
>the user can view the page, if not set the page redirects back to the
>login page.
That's how I do it. When creating user accounts I hash the passwords with md5() before putting them into the database. When a user logs in he submits his password to my script in plain text only ONCE. At that point my script hashes the password with md5(), compares it to the hashed password already in the database...and if it's the same it sets a cookie on the client containing the username and the hashed version of the password. So from that point forward only the hashed version is submitted as a cookie variable.

From what I have seen lots of scripts use a similar mechanism. Of course, it's not the most secure thing in the world. The password is sent in plain text at least once (not good), but even hashing doesn't really help you that much. Sure, it prevents a hacker from knowing what your password is, but if he can eavesdrop on your connection he can just steal the hashed version and then find a way to send it along with the request (fairly easy)...no need to know the unhashed version. The only way to be truly secure is to use SSL...but then you have to ask yourself if it's really worth it. My app is not that critical and certainly not worth encrypting. Your needs may vary...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
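The cookie scheme the reply describes, placed beside a hardened form, as an added example that is not code from the thread. It assumes a PDO connection in `$db`, a `users` table with a `user_name` column plus a `password` column (md5 variant) or `password_hash` column (hardened variant), and a `/login.php` path; all of these are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes PDO handle $db, a `users`
// table (user_name, password / password_hash) and a /login.php page.

// --- Scheme as described in the reply: cookie carries username + md5(password). ---
// Whoever captures this cookie holds a replayable credential with no expiry.
function login_as_described(PDO $db, string $user, string $plain): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored !== md5($plain)) {
        return false;
    }
    setcookie('user', $user);
    setcookie('pass', md5($plain));   // the hash itself becomes the bearer token
    return true;
}

// --- Hardened version: salted slow hash in the DB, opaque server-side session. ---
function register_hardened(PDO $db, string $user, string $plain): void
{
    $stmt = $db->prepare('INSERT INTO users (user_name, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($plain, PASSWORD_DEFAULT)]);
}

function login_hardened(PDO $db, string $user, string $plain): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($plain, $hash)) {
        return false;
    }
    // The cookie now carries only a random session id: nothing derived from the
    // password leaves the server, and a stolen cookie dies with the session.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);      // new id on login, defeats session fixation
    $_SESSION['user'] = $user;
    return true;
}

// Per-page check for the members-only area (replaces "is the cookie variable set").
function require_member(): void
{
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
}
```

Even the hardened form still sends the plain password once at login, which is the point the reply makes about SSL; the session cookie's `secure` flag only helps if the site is actually served over HTTPS.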