[thelist] php login security (was: Call html page with php)

Ben Phillips ben at inchima.com
Thu Feb 21 04:40:00 CST 2002


> I was actually writing a response to your last email, :) just call me
> bloody-minded:

if you insist... :o)

> >if you are referring to my case, then i would reiterate that there were
> >sessions involved, just not php 4 sessions.

> OK, so each page would have something like this included at the top:
[snip]

this is my pseudocode coming up...

$loginok = "no";
// check session id
if (isset($seshid)) {    // could be passed in a form, querystring, or in a cookie
  // check $seshid against stored seshids in database
  // if valid and not timed out then
    $loginok = "yes";
}

// check for login attempt (only if no valid session was found above)
if (isset($HTTP_POST_VARS['login_userid']) && $loginok == "no") {
  // check userid and password against database
  // if valid then
    // create $seshid and store it in the database
    $loginok = "yes";
}

i haven't used this code for a while now, as the recent sites i have created
have been private communities and as such only require a single login page
(which makes things a lot less complicated!).

> Aaaah. We're using terms in different ways. By 'authenticate' I mean:
> 'compare the provided login data against a record of registered
> users, if there's a match the user is authenticated.' By 'authorize'
> I mean: 'an authenticated user may be authorized to use a page, a
> flag is typically checked to see if they are allowed to view the
> document.'

apologies if my terms haven't been consistent throughout, that's usually the
case with me. i just assume people can read my mind and understand what i
say, which is how it should be ;o)

> ... The former involves a lot of redundant
> work on each page, in my opinion, but is safe enough as long as the
> user/pass are session variables, or otherwise kept from GET/POST
> (even storing them in cookies would not be nice). The latter requires
> that $loginOK is not liable to be hidden by a GET/POST/COOKIE
> variable -- or there is no security.

the user/pass combination is only used once to create the session. then the
session id is passed in whatever way is necessary (depending on the website
and the client settings). $loginOK is only visible to each page. it isn't
passed. the username and password aren't passed. the session id is passed.

it works anyway. and it's secure (afaik!).

benji
inchima.com
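The two-step check described in the message above, written out as working PHP so the control flow and the trust boundary are visible. This is an added example, not code from the original post: the "database" is an in-memory array constructed for the example, the session lifetime, the login_password field name and the helper names (session_is_valid, create_session, check_login) are assumptions, and it uses PHP 7+ functions (password_hash, password_verify, random_bytes, hash_equals) rather than the 2002-era $HTTP_POST_VARS style. The security point it shows is the one the thread turns on: the login flag is initialised server-side on every request and is set only by the two checks, so no GET, POST or cookie value can supply it.

```php
<?php
// Added example (not from the original post). In-memory stand-ins for the
// user and session tables; a real site would query its database instead.
declare(strict_types=1);

const SESSION_LIFETIME = 1800; // assumed: seconds of inactivity before an id expires

// Constructed user record: the password is stored as a hash, never in clear text.
$users = [
    'benji' => ['pwhash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Constructed session table: session id => [userid, last-seen timestamp]
$sessions = [];

// Return the userid a stored session id belongs to, or null if unknown/expired.
function session_is_valid(array $sessions, string $seshid, int $now): ?string
{
    foreach ($sessions as $stored => $row) {
        // constant-time compare so timing does not leak how many bytes matched
        if (hash_equals($stored, $seshid) && ($now - $row['last_seen']) <= SESSION_LIFETIME) {
            return $row['userid'];
        }
    }
    return null;
}

// Create a fresh session id from the CSPRNG (never derived from the username or clock).
function create_session(array &$sessions, string $userid, int $now): string
{
    $seshid = bin2hex(random_bytes(16)); // 128 bits of entropy
    $sessions[$seshid] = ['userid' => $userid, 'last_seen' => $now];
    return $seshid;
}

// One request: $post is the form data, $seshid the id found in form/query/cookie (or null).
function check_login(array $users, array &$sessions, array $post, ?string $seshid, int $now): array
{
    // The flag starts as "no" on every request and is only ever set by the checks
    // below; it is never read from GET, POST or a cookie (with register_globals on,
    // a request could otherwise inject $loginok itself).
    $loginok = 'no';
    $userid = null;

    // 1. existing session id?
    if ($seshid !== null) {
        $userid = session_is_valid($sessions, $seshid, $now);
        if ($userid !== null) {
            $sessions[$seshid]['last_seen'] = $now; // refresh the inactivity timeout
            $loginok = 'yes';
        } else {
            $seshid = null; // unknown or expired: do not hand it back to the client
        }
    }

    // 2. no valid session: is this a login attempt? Credentials are checked once here,
    //    then only the session id travels with later requests.
    if ($loginok === 'no' && isset($post['login_userid'], $post['login_password'])) {
        $candidate = (string) $post['login_userid'];
        if (isset($users[$candidate])
            && password_verify((string) $post['login_password'], $users[$candidate]['pwhash'])) {
            $userid = $candidate;
            $seshid = create_session($sessions, $userid, $now);
            $loginok = 'yes';
        }
    }

    return ['loginok' => $loginok, 'userid' => $userid, 'seshid' => $seshid];
}

// Walk through the flow with constructed requests.
function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

$now = time();

// a) no session, no credentials: stays logged out
$r = check_login($users, $sessions, [], null, $now);
expect($r['loginok'] === 'no', 'anonymous request');

// b) login attempt with the right password: a fresh session id comes back
$r = check_login($users, $sessions,
    ['login_userid' => 'benji', 'login_password' => 'correct horse battery staple'], null, $now);
expect($r['loginok'] === 'yes' && $r['seshid'] !== null, 'successful login');
$seshid = $r['seshid'];

// c) on a later page the id alone is enough; no user/pass is resent
$r = check_login($users, $sessions, [], $seshid, $now + 60);
expect($r['loginok'] === 'yes' && $r['userid'] === 'benji', 'session reuse');

// d) a guessed id, or the real one after the timeout, is rejected
$r = check_login($users, $sessions, [], str_repeat('0', 32), $now + 60);
expect($r['loginok'] === 'no', 'unknown session id');
$r = check_login($users, $sessions, [], $seshid, $now + 60 + SESSION_LIFETIME + 1);
expect($r['loginok'] === 'no', 'expired session id');

echo "all checks passed\n";
```

Two design points worth noting: the wrong password and the unknown userid take the same branch and return the same "no", so the response does not tell the caller which half was wrong; and the id is compared with hash_equals and refreshed on every use, so an idle session eventually dies even if the client never logs out.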
