[thelist] PHP Login Security

Nickolay Kolev nmkolev at uni-bonn.de
Fri Oct 11 06:51:00 CDT 2002


Hi all,

I have a small homemade blog in PHP (it does, however, support almost all
you might want).

The login mechanism is so far the following. A form is submitted to the
login script which registers uname and password in a session and checks
the session uname and pass against the administrator database. If they
exist and match, the location header is sent and another site is loaded.
If not, the session is destroyed and an error page is shown.

On the main site I check for a session and a registered variable
"password" and if those are found the admin links and rights are in
play. If not, the default (visitor) page is shown (admin links do not
appear).

Maybe I should mention that pages that are strictly for the admins
(post message, edit message, delete message and so forth) have a header
that checks for the session and password and if not found they
automatically load an error page (with the location header).

Could this be improved in some way? What are possible problems with the
setup? Easy ways to get in?

Thanks a lot,
nmk
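The login flow the post describes, set beside a hardened version, as an added example that is not the poster's code. Names are assumptions: a PDO handle $db, an admins table with columns uname, pass (cleartext, as in the described setup) and pass_hash (produced by password_hash()), and the /admin.php and /error.php paths; session_start() is assumed to have run already.

```php
<?php
// Added example, not the poster's code. Contrasts the setup described in the post
// (password kept in the session, presence of that variable used as the admin check)
// with a hardened form. Assumes session_start() has run, a PDO connection $db, and
// an "admins" table with columns uname, pass and pass_hash (all assumptions).

// Approximation of the setup described in the post.
function loginAsDescribed(PDO $db, string $uname, string $password): bool
{
    $_SESSION['uname']    = $uname;
    $_SESSION['password'] = $password;   // cleartext credential now lives in session storage
    $stmt = $db->prepare('SELECT 1 FROM admins WHERE uname = ? AND pass = ?');
    $stmt->execute([$_SESSION['uname'], $_SESSION['password']]);
    if ($stmt->fetchColumn()) {
        header('Location: /admin.php');  // without exit, the rest of the script still runs
        return true;
    }
    session_destroy();
    return false;
}

// Hardened form: verify the credential first, store only the verified identity and an
// authenticated flag, and bind them to a freshly generated session id.
function loginHardened(PDO $db, string $uname, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM admins WHERE uname = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;                    // the submitted password never touches the session
    }
    session_regenerate_id(true);         // a session id issued before login is not carried over
    $_SESSION = ['admin_uname' => $uname, 'is_admin' => true, 'login_at' => time()];
    return true;
}

// Header for admin-only pages: test the authenticated flag in $_SESSION explicitly rather
// than a bare variable (with register_globals on, a bare $password could come from the request).
function requireAdmin(): void
{
    if (empty($_SESSION['is_admin']) || $_SESSION['is_admin'] !== true) {
        header('Location: /error.php');
        exit;                            // stop here so the protected page body is never sent
    }
}
```

The caller of loginHardened() sends its own Location header and calls exit immediately after it, for the same reason requireAdmin() does.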
