RE: [PHP-DB] The Ethics and Access of Login

2002-10-28 Thread Daevid Vincent
Well, what I would suggest is you log them in once, then set a session
variable such that $_SESSION['login'] = true;

Then at the top of each page, just check if they're logged in or not.
  if( !$login ) { Header("Location: " . $LOGINPAGE . "\n\n"); exit; }

No hit to the db for every page.
If you're in the good habit of using a require() file at the header,
you can put that in there, so all those pages are protected instantly
and it makes it easy to tweak.

However, if security is really a concern, I would choose to let Apache
deal with that. Plus the nice thing is that with the .htaccess (or
better yet, the httpd.conf Directory) you are guaranteed that all
subdirectories and files are protected too. Another little detail is
that a user can bookmark a page, and get back to it easily. My method
above would require you remembering the page they
requested-login-jump back to the page. I dunno. I have nothing to base
this on, but I feel 'safer' with private areas being protected by the
server rather than any code I could come up with. :)

DÆVID.

A good friend will come and bail you out of jail...but a true friend
will be sitting next to you in the holding cell, laughing and saying
-'That was fucking awesome!' 

 -Original Message-
 From: Sarah Gray [mailto:sarah;fabled.net] 
 Sent: Monday, October 28, 2002 8:52 PM
 To: [EMAIL PROTECTED]
 Subject: [PHP-DB] The Ethics and Access of Login
 
 
 list, 
 
 I have been using .htaccess pages formatted to read 
 username/password from a mysql database, and they work fine.  
 But I'm wondering, wouldn't it be simpler to simply write a 
 script that checks a database itself, and, if it finds the 
 username, goes on to the next action; and if it doesn't find 
 the member, shuts them out? This seems so simple that I am 
 sure there are good arguments against it.  Am I right? 
 
 The idea, in simple terms, is a login form that calls a php 
 script which checks the id of the username in the form 
 against a database, and then the appropriate action following 
 their acceptance. 
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] The Ethics and Access of Login

2002-10-28 Thread Leif K-Brooks
That's a HUGE security flaw!  Anyone could send that in a GPC value and 
get unauthorized access!  USE $_SESSION['login'] INSTEAD!!!

Daevid Vincent wrote

Then at the top of each page, just check if they're logged in or not.
 if( !$login ) { Header("Location: " . $LOGINPAGE . "\n\n"); exit; }

--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.
RE: [PHP-DB] The Ethics and Access of Login

2002-10-28 Thread Daevid Vincent
Oh yeah. My bad. I forgot. I changed my directives to be smarter than
that ;-)

http://www.php.net/manual/en/configuration.directives.php

Yes, the person is passing it in, but it will get overridden by the
session and mooted out.

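As an added example (not code from any of the posters), here is the session-only page guard the thread converges on, in one include file, together with the login handler's side of it. File names, function names and the login page path are assumed; credential checking against the database is left to the application.

```php
<?php
// auth.php (hypothetical file name) -- included at the top of every protected page:
//   require_once 'auth.php'; require_login();
declare(strict_types=1);

const LOGIN_PAGE = '/login.php';   // assumed location of the login form

// The decision reads ONLY from $_SESSION. Nothing from $_GET, $_POST or
// $_COOKIE is consulted, so a client supplying ?login=1 (the
// register_globals problem raised in the thread) cannot influence it.
function is_logged_in(): bool
{
    return isset($_SESSION['login']) && $_SESSION['login'] === true;
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (is_logged_in()) {
        return;
    }
    // Remember the page that was asked for so the login handler can send
    // the user back to it (the bookmark case mentioned in the thread).
    // Only the path is kept, never a full URL, so the later redirect
    // cannot be pointed at another host.
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $_SESSION['return_to'] = is_string($path) && $path !== '' ? $path : '/';

    header('Location: ' . LOGIN_PAGE, true, 302);
    exit;
}

// Called by login.php after the username/password lookup in the database
// has succeeded. $username is the verified account name.
function complete_login(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session id so a session id fixed on the client before
    // authentication does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['login'] = true;
    $_SESSION['user']  = $username;

    $target = $_SESSION['return_to'] ?? '/';   // stored as a path only
    unset($_SESSION['return_to']);
    header('Location: ' . $target, true, 302);
    exit;
}
```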