You should definately not set a cooking containing the encrypted
password, anyone that's able to grab that cookie can set to work brute
forcing the password.

On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein
> I have been writing php code for about 2 years now. I have a login
> script that I have written for my clients. I just would like to know if
> there is a better / safer way of logging people into websites. This is
> my current method.
> 1.)     Username and Password are entered in an html / php form using
> field names user, pass and submit button named do_login.
> 2.)     Form is submitted to the same page (PHP_SELF).
> 3.)     Login script is triggered by $_POST["do_login"].
> 4.)     Form is validated to make sure the fields "user" and "pass" are
> not empty.
> 5.)     Password is then encrypted using base64_encode()
> 6.)     MySql Select Statement To find $_POST["user"].
> 7.)     If found, Verify that $result["pass"] ===
> base64_encode($_POST["pass"]).
> 8.)     If No username is found, Message is sent to end user stating
> username does not exist.
> 9.)     If $result["pass"] === base64_encode($_POST["pass"]) send user
> to a page called wait.php
> 10.) At wait.php, a cookie is set containing the user id, user name, and
> encrypted pass.
> 11.) Wait.php contains a (<meta http-equiv="refresh"
> content="5;URL=/<?echo($dir);?>/welcome.php">) meta tag which directs
> user to directory
> 12.) Inside $dir, there is a script called validate.php which is
> included inside header.php. So the script actions of validate.php tag
> along with every page.
> 13.) This functions makes sure you have a cookie set with the names
> "user_id", "user_name", "user_pass".
> 14.) It then validates this information though mysql.
> 15.) If the information is sound, user is allowed to browse that page
> and or do whatever they are supposed to be doing in that directory.
> 16.) If the information is not sound, user is redirected to the home
> page using header("Location http://some_domain/some_file.php";);
> This works great for me, but I want to perfect it. If anyone out there
> knows any better way to login, validate a user and so on. Please let me
> know
> Thanks a lot people.
> -Wendell Frohwein

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to