php-windows Digest 24 Sep 2005 16:37:59 -0000 Issue 2783
Topics (messages 26374 through 26375):
Re: Login System / Cookies
26374 by: David Collard
26375 by: Armando
--- Begin Message ---
Armando wrote:
> Greetings!
> I'm developing a login system in php and wondering if someone could
> possibly provide some advice, as I'm still relatively new to php.
> First, I'm limited to using cookies only for my session variables, so
> for instance, remembering users who wish to not have to login to the
> site each time they visit. I obviously don't want to put the user's
> login information in the cookie in plain text, so I was thinking
> perhaps that I'd use md5 hashed values instead. So in the database I'd
> have 4 fields for the user information, i.e. username, username_md5,
> password, password_md5. Does this make any sense, or is there some
> other better way?
> Also, I've read about using session IDs.. for instance, how they are
> used in the phpBB forum. Would it be better to use them? I don't quite
> understand the purpose for it, but if someone could explain it, it
> would be greatly appreciated. Thanks in advance!
> Best Regards,
> Armando
you should only store the hash for the password in the database and in
the cookie, then you can see if the two hashes match e.g.
// $password_md5 holds the hash read from the database
if ($password_md5 == md5($_SESSION['password'])) {
    echo "password correct";
} else {
    echo "password not correct";
}
you shouldn't need to worry too much about session ids unless you are
writing your own session manager anyway
hope i helped ;)
--- End Message ---
--- Begin Message ---
I figured I wouldn't want to store plain text passwords in the database,
but I was considering a "Forgot your password?" option in which it could
be emailed. I suppose what I'll do instead is just use the hashed
password and if someone forgot theirs, I'll write a random password
generator to reset it and mail that instead.
And yes you're right, I will be using $_COOKIE to validate the user when
they revisit the page by comparing the cookie value to the value in the
database.
As for hashing the username, I was checking out phpBB and noticed when
you log in it actually doesn't show your userid or autologinid as plain
text so that's why I was considering hashing the username, just for
cookie value. Thanks for the insight!
Armando
[EMAIL PROTECTED] wrote:
> Shouldn't you have used the $_COOKIE global variable, considering it
> will be coming from a cookie?
> Like so...
> if ($password_md5 == md5($_COOKIE['password'])) {
>     echo "password correct";
> }
> You shouldn't store plain passwords in a database - simple as that. As
> for hashing the username, not really sure there is a need for that.
> Thanks
> Tryst
--- End Message ---
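As an added example (not code from David's, Tryst's or Armando's posts), here is the remember-me scheme the thread circles around, written with later PHP functions (password_hash(), random_bytes(), hash_equals(); PHP >= 7.1): the cookie carries a random per-login token in the spirit of phpBB's autologinid rather than a hash of the password, the database stores only digests, and the reset path Armando proposes issues a random replacement password. The $users array and the 'armando' row are constructed stand-ins for the database table.

```php
<?php
// Added example, not code from David's or Armando's posts: a "remember me" cookie that
// carries a random token (phpBB's autologinid idea) instead of md5($password), compared
// with hash_equals(). Needs PHP >= 7.1; $users stands in for the database table.

// Constructed user row: password kept only as a password_hash() digest, autologin
// token only as a SHA-256 digest, so neither plaintext is ever stored.
$users = [
    'armando' => ['password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
                  'token_hash'    => null],
];

// Interactive login: on success mint a fresh random token for the cookie and keep
// only its digest server-side. Returns the raw token, or null on failure.
function login(array &$users, string $user, string $password): ?string
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));                   // 256 random bits
    $users[$user]['token_hash'] = hash('sha256', $token);
    return $token;                                        // set with setcookie() in a web app
}

// Revisit: digest the cookie value and compare to the stored digest in constant
// time, so a mismatch does not leak how many leading bytes matched.
function autologin(array $users, string $user, string $cookieToken): bool
{
    if (!isset($users[$user]) || $users[$user]['token_hash'] === null) {
        return false;
    }
    return hash_equals($users[$user]['token_hash'], hash('sha256', $cookieToken));
}

// "Forgot your password?" as Armando proposes: generate a random replacement to
// mail, store only its hash, and revoke any outstanding autologin token.
function resetPassword(array &$users, string $user): string
{
    $newPassword = bin2hex(random_bytes(8));
    $users[$user]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$user]['token_hash'] = null;
    return $newPassword;
}

// Constructed walk-through (a web app would read the token from $_COOKIE instead).
$token = login($users, 'armando', 'correct horse');
var_dump(autologin($users, 'armando', $token));          // genuine cookie
var_dump(autologin($users, 'armando', 'forged-value'));  // forged cookie
$temp = resetPassword($users, 'armando');
var_dump(autologin($users, 'armando', $token), login($users, 'armando', $temp) !== null);
```

The cookie itself would have to carry the username (or a lookup selector) alongside the token so the server knows which row to check; in a real deployment the token should also be set with the HttpOnly and Secure cookie flags.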