At 06:17 PM 2/18/2002 -0800, Phillip S. Baker wrote:
>I have a MySQL back end.
>It houses a users user_name and password.
>I have a secure area of the site that I only want members to view.
>The way I have it now is that the user logs in.
>If user_name and password match cookies are set.
>Each page in the secure area checks for a variable in the cookie. If set
>the user can view the page, if not set the page redirects back to the
That's how I do it. When creating user accounts I hash the passwords with
md5() before putting them into the database. When a user logs in he
submits his password to my script in plain text only ONCE. At that point
my script hashes the password with md5(), compares it to the hashed
password already in the database...and if it's the same it sets a cookie on
the client containing the username and the hashed version of the
password. So from that point forward only the hashed version is submitted
as a cookie variable. From what I have seen lots of scripts use a similar
Of course, it's not the most secure thing in the world. The password is
sent in plain text at least once (not good), but even hashing doesn't
really help you that much. Sure, it prevents a hacker from knowing what
your password is, but if he can eavesdrop on your connection he can just
steal the hashed version and then find a way to send it along with the
request (fairly easy)...no need to know the unhashed version.
The only way to be truly secure is to use SSL...but then you have to ask
yourself if it's really worth it. My app is not that critical and
certainly not worth encrypting. Your needs may vary...
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
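The scheme described in the reply above, as an added example that is not the poster's code: constructed in-memory arrays stand in for the MySQL table, the username "phillip" and password "secret123" are assumptions, and every function name is hypothetical. The first half reproduces the md5()-hash-in-a-cookie flow and shows the replay the reply warns about; the second half goes beyond the post and shows the usual alternative, a password stored with password_hash() and a random, expiring session token in the cookie instead of the password hash.

```php
<?php
// Added example, not the poster's code. The MySQL back end is replaced by
// constructed in-memory arrays so the whole flow runs from the CLI:
//   php cookie_auth.php
declare(strict_types=1);

// --- Scheme as described in the post --------------------------------------

// Constructed "users" table: what md5() leaves in the database at account
// creation. Username and password are assumptions for this example.
$users = ['phillip' => md5('secret123')];

// Login step: the plaintext password is submitted once, md5()-hashed and
// compared with the stored hash. On success, return the values the poster
// sets as cookies (a web page would call setcookie() for each of them).
function login(array $users, string $user, string $password): ?array
{
    if (!isset($users[$user]) || !hash_equals($users[$user], md5($password))) {
        return null;
    }
    return ['user_name' => $user, 'pw_hash' => $users[$user]];
}

// Check run at the top of every page in the secure area: accept the request
// when the cookie's hash matches the hash stored for the cookie's username.
// Cookie values are attacker-controlled, so insist on strings before comparing
// (a "pw_hash[]=x" query would otherwise hand hash_equals() an array).
function is_logged_in(array $users, array $cookie): bool
{
    if (!isset($cookie['user_name'], $cookie['pw_hash'])
        || !is_string($cookie['user_name']) || !is_string($cookie['pw_hash'])) {
        return false;        // no usable cookie: the page would redirect to the login form
    }
    $user = $cookie['user_name'];
    return isset($users[$user]) && hash_equals($users[$user], $cookie['pw_hash']);
}

$cookie = login($users, 'phillip', 'secret123');
var_dump($cookie !== null && is_logged_in($users, $cookie));   // member with cookie
var_dump(is_logged_in($users, []));                            // anonymous visitor

// The weakness the post points out: an eavesdropper who copies the cookie can
// send it back verbatim and is accepted without ever learning the password.
$stolen = ['user_name' => 'phillip', 'pw_hash' => $cookie['pw_hash']];
var_dump(is_logged_in($users, $stolen));

// --- Hardened variant (added here, beyond what the post describes) ---------
// Store password_hash() output instead of md5(), and put only a random,
// expiring session token in the cookie. Over plain HTTP a copied token can
// still be replayed, so the post's point about SSL stands; but the token
// expires, can be revoked on logout, and never exposes the password hash.

$users_v2 = ['phillip' => password_hash('secret123', PASSWORD_DEFAULT)];
$sessions = [];   // server-side session table keyed by token (a MySQL table in practice)

function login_v2(array $users_v2, array &$sessions, string $user, string $password, int $now): ?string
{
    if (!isset($users_v2[$user]) || !password_verify($password, $users_v2[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $sessions[$token] = ['user_name' => $user, 'expires' => $now + 3600];
    // Web version, so the token only travels over SSL and stays out of script reach:
    // setcookie('session', $token, ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    return $token;
}

function is_logged_in_v2(array $sessions, array $cookie, int $now): ?string
{
    $token = $cookie['session'] ?? null;
    if (!is_string($token) || !isset($sessions[$token]) || $sessions[$token]['expires'] < $now) {
        return null;
    }
    return $sessions[$token]['user_name'];
}

function logout_v2(array &$sessions, string $token): void
{
    unset($sessions[$token]);                    // a copied token is now useless
}

$now   = time();
$token = login_v2($users_v2, $sessions, 'phillip', 'secret123', $now);
var_dump(is_logged_in_v2($sessions, ['session' => $token], $now));          // valid session
var_dump(is_logged_in_v2($sessions, ['session' => $token], $now + 7200));   // expired
logout_v2($sessions, $token);
var_dump(is_logged_in_v2($sessions, ['session' => $token], $now));          // revoked
```

Run with `php cookie_auth.php`. For the original scheme the member's cookie and the copied cookie are both accepted and the empty cookie is rejected, which is exactly the replay the reply describes. For the session-token variant the first check returns the user name, while the expired and the revoked token both fail; neither property is available when the cookie carries the password hash itself, since that value is good until the user changes the password.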