PHP, user authentication

Mikrondel · 27-Oct-2005, 05:11 AM #1

I'm working on something where a user types a name and password and then proceeds into a system of pages where he/she can do stuff.

What I need is simply for all the pages involved to be able to check if a user has logged in correctly. I've got a few ideas but I'd like any further comments or suggestions.

Points to consider:
-A timeout is not important but I'll use it if it's not much work to implement.
-Security is not very important, this is mainly for a local area thing.
-Passwords will be in a database, I can handle this on my own. It's just the passing information from one page to another that I'm not sure about the best way.
-I'm fine with a "log out" when the window is closed.

I can obviously record the Username and Password and POST them onto the next page each time you change pages. That would require checking the password each time a new page loads. Not a big deal, though. And the username and password would also show up in the HTML source. But this is currently my preferred option.

I've looked a bit at PHP's session stuff; it seems a bit more trouble than it's worth for something this simple.

Are there any other hidden tools PHP has that I could use here? I'm using Apache in case there's something in that.

I'm basically after a simple solution to implement that doesn't need to be too robust.

Thanks in advance

Mithrilhall · 27-Oct-2005, 10:16 AM #2

cookies?

Gibble · 27-Oct-2005, 12:44 PM #3

NEVER pass the USERNAME and PASSWORD along all the pages...you may as well not put a password on it, if you're going to do that.

Throw a sessionId in a database table of "currentlogins" and set a cookie to that value.

Then on each page you want secured, you include a file which checks for a cookie with a sessionId, looks in the table of current logins, if it's there...you're gold, if not, no good and they have to re-enter their username and password...done.

brendandonhu · 27-Oct-2005, 09:13 PM #4

You can use Apache's htaccess for authentication.
Otherwise, sessions and cookies is most likely what you're looking for.

Mikrondel · 28-Oct-2005, 04:57 AM #5

I already said, I don't mind insecurity. But this cookie and session ID thing doesn't look too complicated anyway.

About cookies... I'm a lazy guy and you're kind and helpful people :P
Basically I'm not in the mood for reading through docs right now, and I haven't used cookies before;
What I need to know is what cookies store (is it just a text string?), how I create them with PHP, and how I read them from PHP. Also how are they named or told apart, and is it possible to throw out the cookies when someone logs out?

If someone could point me to a public-domain example of a simple authentication system along these lines (I wouldn't expect you to make up an example on the spot! Unless you're really nice

) that would probably be all I need.

Anyway, thanks.

-Mikrondel

Gazornenplat · 28-Oct-2005, 07:26 AM #6

Just set and check AUTH_USER and AUTH_PWD on the pages you need to protect

brendandonhu · 28-Oct-2005, 05:03 PM #7

There are about a thousand free login scripts, try Google.

Mikrondel · 28-Oct-2005, 06:27 PM #8

Damn, I guess I have to do some work, lol.

I don't want to use Simple Authentication because different users will get access to different things. Unless Apache can read from two specific columns in a database...

Search
Search in:
Show Threads Show Posts
Advanced Search

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)