A more secure choice would be using a basic authentication scheme.  If
you're using Apache, there are several Apache-based modules for MySQL
username/password authentication.  With a little finesse a similar scheme can
be done for PHP.

However, if that's not an option, my recommended PHP choice is to use sessions
(needs 4.x+). When a person logs in they get assigned a session ID.  If
you use PHP's session functionality the codes should be more than distinct
enough that no one could "guess" another person's session ID.  A second
benefit is that only users who have been online prior to the session
expiring could be accessed.  Plus, since the ID would be unique for every
login, it would prevent people from bookmarking the member pages, and they
would need to log back in every time they wish to access the site.

As for being afraid people can access the admin files...the best solution is
to move the admin files to an area a normal individual could not access (i.e.
another domain or subfolder protected by username/password, or IP, or both).

Sincerely,

Craig Vincent

-----Original Message-----
From: Steph [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 8:45 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Security and Cookies


A friend of mine needs help; we are both PHP newbies. Here's her prob:

I have a user authentication program that uses MySQL to store the
username/password and other information that they entered when they
registered.  The secured pages use ?userid=$userid at the end of the page
name to designate who the user is (example: main.php?userid=admin).  I want
to make this more secure so that you can't just type the example in and have
access to the admin files (or type in someone's username and have access to
their files).  I'm using a cookie right now, but I'm having trouble with it
because you have to refresh the main page every time you log in or it says
that you're not a valid user.

Steph


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

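The following is an added example illustrating the session-based approach Craig describes, beside the `?userid=` pattern Steph describes; it is not code from either message. It is written for current PHP (the array form of session_set_cookie_params() needs 7.3+) rather than the PHP 4 of the thread. The users table layout (id, username, password_hash, is_admin), the PDO connection string and the page names login.php / main.php / admin.php are assumptions for illustration.

```php
<?php
// auth.php: included by every protected page.
// Added example for this thread. The users table, DSN and page names are
// assumptions, not taken from the original messages.
declare(strict_types=1);

function db(): PDO
{
    // Assumed DSN and credentials; adjust for the real server.
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function start_session(): void
{
    // Cookie-only session ID, not readable by script, sent only over HTTPS
    // (drop 'secure' on a plain-HTTP development box).
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// The pattern from the question: identity comes from a value the client typed.
//   $userid = $_GET['userid'];      // main.php?userid=admin == instant admin
// Replacement: identity comes from the session the server itself issued.

function login(string $username, string $password): bool
{
    // Assumed table: users(id, username, password_hash, is_admin).
    $stmt = db()->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a password_hash() value. Run password_verify() even when
    // the username is unknown so response time does not reveal valid names.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if (!$row || !$ok) {
        return false;
    }

    // New ID on every successful login: a pre-login ID, a fixated ID or an old
    // bookmarked one is worthless, which is the behaviour Craig describes.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    $_SESSION['login_at'] = time();
    return true;
}

function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function require_admin(): void
{
    require_login();
    // Role is read from the server-side session, never from the URL or a cookie.
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage in the assumed pages:
//   login.php: start_session();
//              if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//                  header('Location: /main.php'); exit;
//              }
//   main.php:  start_session(); $uid = require_login();   // never $_GET['userid']
//   admin.php: start_session(); require_admin();
```

Two points worth noting. First, a cookie set with setcookie() is only sent back by the browser on the next request, so it is not in $_COOKIE during the request that set it; that is the "refresh after login" symptom in the question. $_SESSION is populated immediately once session_start() has run, so the login request can redirect straight to main.php. Second, moving from `?userid=` to a session only helps if every protected page reads identity and role from $_SESSION and nothing else; a single page that still honours a userid parameter reopens the hole.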