At 06:17 PM 2/18/2002 -0800, Phillip S. Baker wrote:
>I have a MyQSL back end.
>It houses a users user_name and password.
>I have a secure area of the site that I only want members to view.
>The way I have it now is that the user logs in.
>If user_name and password match cookies are set.
>Each page in the secure are checks for a variable in the cookie. If set 
>the user can view the page, if not set the page redirects back to the 
>login page.

That's how I do it.  When creating user accounts I hash the passwords with 
md5() before putting them into the database.  When a user logs in he 
submits his password to my script in plain text only ONCE.  At that point 
my script hashes the password with md5(), compares it to the hashed 
password already in the database...and if it's the same it sets a cookie on 
the client containing the username and the hashed version of the 
password.  So from that point forward only the hashed version is submitted 
as a cookie variable.  From what I have seen lots of scripts use a similar 

Of course, it's not the most secure thing in the world.  The password is 
sent in plain text at least once (not good), but even hashing doesn't 
really help you that much.  Sure, it prevents a hacker from knowing what 
your password is, but if he can eavesdrop on your connection he can just 
steal the hashed version and then find a way to send it along with the 
request (fairly easy) need to know the unhashed version.

The only way to be truly secure is to use SSL...but then you have to ask 
yourself if it's really worth it.  My app is not that critical and 
certainly not worth encrypting.  Your needs may vary...

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to