PHP authentication for rookies

Re: PHP authentication for rookies

In article <uj1Yd.16562$OU 1.3817@newssvr2 1.news.prodigy. com>,
"deko" <deko@hotmail.c om> wrote:
[color=blue]
> I have a PHP site and my hosting provider provides SSL encryption for
> certain pages. So I've created an SSL-enabled login page where users can
> enter a username and password. But I don't know where to go from here.
>
> What I want to do is have users enter their credentials on the login page,
> then get redirected to their own page that is also SSL encrypted - or to
> directory with a listing of files (does not have to be pretty - will be used
> mainly for downloading files). There are only three users at this point so
> I want to store credentials in a flat file rather than a database.
>
> How do I do this with PHP? Where can I get a basic authentication script?
>
> Thanks in advance.[/color]

Many php books discuss this at length. The main page captures the
username and password which you store however you will. Start a session
using the php session functions. Display the members main page. All
member pages check that there's valid session (usually this is done by a
cookie, but these functions still work if you turn off cookies, so I
don't know what they do with the browser). If not, bounce back to the
login page.

There are a bunch of php script sites that might be able to help you get
started:




--
DeeDee, don't press that button! DeeDee! NO! Dee...

Re: PHP authentication for rookies

> Many php books discuss this at length. The main page captures the[color=blue]
> username and password which you store however you will. Start a session
> using the php session functions. Display the members main page. All
> member pages check that there's valid session (usually this is done by a
> cookie, but these functions still work if you turn off cookies, so I
> don't know what they do with the browser). If not, bounce back to the
> login page.[/color]

Thanks for the tip. I think once I get pointed in the right direction I'll
figure it out.

Re: PHP authentication for rookies

> Many php books discuss this at length. The main page captures the[color=blue]
> username and password which you store however you will. Start a session
> using the php session functions. Display the members main page. All
> member pages check that there's valid session (usually this is done by a
> cookie, but these functions still work if you turn off cookies, so I
> don't know what they do with the browser). If not, bounce back to the
> login page.[/color]

Are there any advantages to using a database to store user credentials? I
only have a few users at this point, so I'm wondering if I really need a
database. From what I've read, I'll need to store 5 strings: Username,
Password, Cookie, Session, and IP Address. Does it make any difference if
these are stored in a flat file vs. a MySql database?

Re: PHP authentication for rookies

In article <QB3Yd.16142$Pz 7.8530@newssvr1 3.news.prodigy. com>,
"deko" <deko@hotmail.c om> wrote:
[color=blue][color=green]
> > Many php books discuss this at length. The main page captures the
> > username and password which you store however you will. Start a session
> > using the php session functions. Display the members main page. All
> > member pages check that there's valid session (usually this is done by a
> > cookie, but these functions still work if you turn off cookies, so I
> > don't know what they do with the browser). If not, bounce back to the
> > login page.[/color]
>
> Are there any advantages to using a database to store user credentials? I
> only have a few users at this point, so I'm wondering if I really need a
> database. From what I've read, I'll need to store 5 strings: Username,
> Password, Cookie, Session, and IP Address. Does it make any difference if
> these are stored in a flat file vs. a MySql database?[/color]

How many users are we talking about? How much traffic?

If you don't use a database now, you most likely will in the future.
Flat files don't scale or have the ability to do dynamic updates. If
you write your application so as to abstract the parts that do the
information retrieval and updating, you can drop a database in at some
point in the future.

But to me, flat files are harder to deal with than a database. You have
to read the file, parse it, store it in memory, and update the records
(e.g. passwords). All that has to be coordinated with other sessions.
A database does all this for you and gives you performance measurement
tools.

If the database stuff is scaring you, take a class or hire someone.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Re: PHP authentication for rookies

> If you don't use a database now, you most likely will in the future.[color=blue]
> Flat files don't scale or have the ability to do dynamic updates. If
> you write your application so as to abstract the parts that do the
> information retrieval and updating, you can drop a database in at some
> point in the future.[/color]

Perhaps I will need the database someday, but for now a flat file will do.
As you suggested, I could make the script with the database in mind so it is
easily modified to use a database.[color=blue]
>
> But to me, flat files are harder to deal with than a database. You have
> to read the file, parse it, store it in memory, and update the records
> (e.g. passwords). All that has to be coordinated with other sessions.
> A database does all this for you and gives you performance measurement
> tools.
>
> If the database stuff is scaring you, take a class or hire someone.
>[/color]

It's just another point of failure and more stuff to deal with. At this
point users only receive credentials if they request them from me in person.
Then I call them with the credentials that I've manually configured for them
on the site. That's about it. It would be nice to track who logged in and
when, though.

Re: PHP authentication for rookies

Following on from deko's message. . .[color=blue]
>Are there any advantages to using a database to store user credentials? I
>only have a few users at this point, so I'm wondering if I really need a
>database. From what I've read, I'll need to store 5 strings: Username,
>Password, Cookie, Session, and IP Address. Does it make any difference if
>these are stored in a flat file vs. a MySql database?[/color]


Making the effort to experiment with say a MySQL database is well
worthwhile. It may be a bit of a drag (and take possibly up to a couple
of hours!) but really it is easy-peasy and it offers a whole new
dimension to YOUR ABILITY to deliver solutions.


Here is a simple maxim:
If you're being paid to do the best you can then enjoy discovering how
to do that thing at somebody else's expense. If you're not being paid
then perhaps it's because you haven't got the necessary knowledge and so
getting it might be a cute thing to do.





--
PETER FOX Not the same since the borehole business dried up
peterfox@eminen t.demon.co.uk.n ot.this.bit.no. html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.dem on.co.uk>

Re: PHP authentication for rookies

> Making the effort to experiment with say a MySQL database is well[color=blue]
> worthwhile. It may be a bit of a drag (and take possibly up to a couple
> of hours!) but really it is easy-peasy and it offers a whole new
> dimension to YOUR ABILITY to deliver solutions.[/color]

I'm comfortable with MySql but really don't think it's necessary for 2 or 3
users. I'm thinking an XML file might be the way to go. Then I could write
the script so it's easily modified to use a MySql database. In pseudo code,
the script might look like this:

<?php
$username = $HTTP_POST_VARS['username'];
$password = $HTTP_POST_VARS['password'];
if ($username && password)
{
//Lookup username and password in XML file.
//If match is found, then create session and
//redirect user to his page specified in XML file
}
?>

The thing is, the page to which users will be redirected will be stored in
/public_html - but must be accessible only to the logged in user. I assume
this is done with some kind session state.

Also, users do not create or edit their own credentials. This is done
manually by the webmaster.

Re: PHP authentication for rookies

Peter Fox wrote:
[color=blue]
> Following on from deko's message. . .[color=green]
>>Are there any advantages to using a database to store user credentials? I
>>only have a few users at this point, so I'm wondering if I really need a
>>database. From what I've read, I'll need to store 5 strings: Username,
>>Password, Cookie, Session, and IP Address. Does it make any difference if
>>these are stored in a flat file vs. a MySql database?[/color]
>
>
> Making the effort to experiment with say a MySQL database is well
> worthwhile. It may be a bit of a drag (and take possibly up to a couple
> of hours!) but really it is easy-peasy and it offers a whole new
> dimension to YOUR ABILITY to deliver solutions.
>
>
> Here is a simple maxim:
> If you're being paid to do the best you can then enjoy discovering how
> to do that thing at somebody else's expense. If you're not being paid
> then perhaps it's because you haven't got the necessary knowledge and so
> getting it might be a cute thing to do.
>
>[/color]

That's some reasoning that's worth remembering.

There is a guy over on Comp.databases. theory name of Marshall Spight, and
over there they refer to "Spight's Law" which is basically: "You always
need a database." And if you don't have one, you end up implementing one
yourself, little by little.

It pays off far more do learn a database little by little than to implement
one little by little.

--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec )ure(Dat)a(.com )

Re: PHP authentication for rookies

> That's some reasoning that's worth remembering.[color=blue]
>
> There is a guy over on Comp.databases. theory name of Marshall Spight, and
> over there they refer to "Spight's Law" which is basically: "You always
> need a database." And if you don't have one, you end up implementing one
> yourself, little by little.
>
> It pays off far more do learn a database little by little than to[/color]
implement[color=blue]
> one little by little.[/color]

I know plenty about MySql and databases. But the requirement is to store
user credentials in an XML file.

Re: PHP authentication for rookies

Dude. In this day and age the correct term is noobs, or newbies. Rookies
is so last century.

:p

Re: PHP authentication for rookies

database schmattabase.

just hard code the userIDs and passwords in the php code on the login page,
switch on the userID to decide what url to redirect to, and create a
$_SESSION variable using the userID. All you need on the redirect page is:

session_start() ;
if ($_SESSION['userID']) = $uid
{
echo "You are logged in.";
}
else
{
echo "You are not logged in.";
}

get over it.

and, yes, it is secure because everything is SSL encrypted.