You should definitely not set a cookie containing the encrypted password; anyone that's able to grab that cookie can set to work brute forcing the password.
On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein <[EMAIL PROTECTED]> wrote:
> I have been writing php code for about 2 years now. I have a login script that I have written for my clients. I just would like to know if there is a better / safer way of logging people into websites. This is my current method.
>
> 1.) Username and Password are entered in an html / php form using field names user, pass and submit button named do_login.
> 2.) Form is submitted to the same page (PHP_SELF).
> 3.) Login script is triggered by $_POST["do_login"].
> 4.) Form is validated to make sure the fields "user" and "pass" are not empty.
> 5.) Password is then encrypted using base64_encode()
> 6.) MySql Select Statement To find $_POST["user"].
> 7.) If found, Verify that $result["pass"] === base64_encode($_POST["pass"]).
> 8.) If No username is found, Message is sent to end user stating username does not exist.
> 9.) If $result["pass"] === base64_encode($_POST["pass"]) send user to a page called wait.php
> 10.) At wait.php, a cookie is set containing the user id, user name, and encrypted pass.
> 11.) Wait.php contains a (<meta http-equiv="refresh" content="5;URL=/<?echo($dir);?>/welcome.php">) meta tag which directs user to directory
> 12.) Inside $dir, there is a script called validate.php which is included inside header.php. So the script actions of validate.php tag along with every page.
> 13.) This function makes sure you have a cookie set with the names "user_id", "user_name", "user_pass".
> 14.) It then validates this information through mysql.
> 15.) If the information is sound, user is allowed to browse that page and or do whatever they are supposed to be doing in that directory.
> 16.) If the information is not sound, user is redirected to the home page using header("Location: http://some_domain/some_file.php");
>
> This works great for me, but I want to perfect it. If anyone out there knows any better way to login, validate a user and so on. Please let me know
>
> Thanks a lot people.
>
> -Wendell Frohwein
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
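For contrast with the 16-step flow quoted above, here is an added example (not Wendell's code and not from the list) of the same login done without ever putting the password, encoded or otherwise, into the cookie. It replaces base64_encode() with a salted password hash, replaces wait.php and the user_pass cookie with a server-side session, and makes validate.php's check a single function. It assumes a `users` table with columns `id`, `name` and `pass_hash`, a PDO connection already in `$pdo`, the `$dir` variable from the original post, and PHP 7.1 or later for `password_hash()`, `??` and nullable return types.

```php
<?php
// Added example, not the original poster's code. Assumes: table `users`
// (id, name, pass_hash), an open PDO connection in $pdo, and $dir from the
// original script. Requires PHP >= 7.1.
declare(strict_types=1);

// The browser only ever holds a random session id; keep it out of reach of
// page scripts and off plain HTTP.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// Replaces step 5: base64_encode() is reversible encoding, not encryption.
// Anyone who reads the table or the cookie gets the password back with
// base64_decode(). Store a salted hash instead; call this once at signup.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Replaces steps 6-9. Returns the user row on success, null on failure.
// "No such user" and "wrong password" are deliberately indistinguishable
// here, so the form no longer confirms which user names exist (step 8 did).
function authenticate(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, pass_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    return $row;
}

// Replaces steps 10-11: no wait.php and no credential cookie. Bind the
// identity to a fresh server-side session; the only cookie PHP sets is the
// session id, which is random and can be revoked by destroying the session.
function loginUser(array $row): void
{
    session_regenerate_id(true);        // new id after login blocks session fixation
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['user_name'] = $row['name'];
}

// Replaces steps 12-16: include on every protected page (e.g. from header.php).
// No database round trip is needed; the session already proves who this is.
function requireLogin(string $homeUrl): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $homeUrl);   // note the colon after "Location"
        exit;                               // without exit the page would still render
    }
}

// Steps 1-4, unchanged in spirit: form posts back to the same page.
if (isset($_POST['do_login'])) {
    $user = trim($_POST['user'] ?? '');
    $pass = $_POST['pass'] ?? '';

    if ($user === '' || $pass === '') {
        $error = 'Please enter both a user name and a password.';
    } elseif (($row = authenticate($pdo, $user, $pass)) === null) {
        $error = 'Invalid user name or password.';
    } else {
        loginUser($row);
        header('Location: /' . $dir . '/welcome.php');
        exit;
    }
}
```

With this layout the cookie a thief could grab contains nothing to brute force: it is a random session id that stops working the moment the session is destroyed (logout or `session_destroy()`), whereas a stolen base64 "encrypted" password stays valid until the user changes it.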