[FAQ] How to implement a login system?

  • R. Rajesh Jeba Anbiah

    [FAQ] How to implement a login system?

    Q: How to implement a login system?
    A: Use sessions. When the user logs in, store the session id in the
    database and then compare the current session id with the one stored in
    the database on every page. May also check IP; but it may break if the
    user is behind a proxy.

    Refer:




    +++++
    @todo Info about other authentications, better link to the login
    implementation (above links use obsolete style)

  • Nicholas Sherlock

    #2
    Re: [FAQ] How to implement a login system?

    R. Rajesh Jeba Anbiah wrote:
    > Q: How to implement a login system?
    > A: Use sessions. When the user logs in, store the session id in the
    > database and then compare the current session id with the one stored in
    > the database on every page. May also check IP; but it may break if the
    > user is behind a proxy.

    Hm.. I'm currently running things so that when the user logs in, I store
    the user's ID as a session variable, then check that ID in every page to
    see if the user is logged on, and who it is. Are there any problems with
    this scheme?

    Cheers,
    Nicholas Sherlock


    • Brent Palmer

      #3
      Re: [FAQ] How to implement a login system?

      That sounds right.
      Don't forget to refresh your page to acknowledge if the user is still logged
      in or not. That way if the user has not updated the session they must be
      logged off.

      Brent Palmer.



      "Nicholas Sherlock" <n_sherlock@hotmail.com> wrote in message
      news:d13fbu$2bc$1@lust.ihug.co.nz...
      > R. Rajesh Jeba Anbiah wrote:
      >> Q: How to implement a login system?
      >> A: Use sessions. When the user logs in, store the session id in the
      >> database and then compare the current session id with the one stored in
      >> the database on every page. May also check IP; but it may break if the
      >> user is behind a proxy.
      >
      > Hm.. I'm currently running things so that when the user logs in, I store
      > the user's ID as a session variable, then check that ID in every page to
      > see if the user is logged on, and who it is. Are there any problems with
      > this scheme?
      >
      > Cheers,
      > Nicholas Sherlock



      • R. Rajesh Jeba Anbiah

        #4
        Re: [FAQ] How to implement a login system?

        Nicholas Sherlock <n_sherlock@hotmail.com> wrote in message news:<d13fbu$2bc$1@lust.ihug.co.nz>...
        <snip>
        > Hm.. I'm currently running things so that when the user logs in, I store
        > the user's ID as a session variable, then check that ID in every page to
        > see if the user is logged on, and who it is. Are there any problems with
        > this scheme?

        Such a system allows multiple logins, though both systems allow
        session hijacking (if without IP/user agent checking).

        --
        <?php echo 'Just another PHP saint'; ?>
        Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/


        • Chung Leong

          #5
          Re: [FAQ] How to implement a login system?

          "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in message
          news:1110738982.719822.48900@g14g2000cwa.googlegroups.com...
          > Q: How to implement a login system?
          > A: Use sessions. When the user logs in, store the session id in the
          > database and then compare the current session id with the one stored in
          > the database on every page. May also check IP; but it may break if the
          > user is behind a proxy.

          A rather large topic to cover. A link to a tutorial might be more suitable
          here.

          The issue of multiple login under the same user should be dealt with
          separately, I think.



          • R. Rajesh Jeba Anbiah

            #6
            Re: [FAQ] How to implement a login system?

            Chung Leong wrote:
            > > Q: How to implement a login system?
            > > A: Use sessions. When the user logs in, store the session id in the
            > > database and then compare the current session id with the one stored in
            > > the database on every page. May also check IP; but it may break if the
            > > user is behind a proxy.
            >
            > A rather large topic to cover. A link to a tutorial might be more suitable
            > here.

            I'm not sure if the links I added aren't enough.

            > The issue of multiple login under the same user should be dealt with
            > separately, I think.

            So, please fix it and post revised contents.

            --
            <?php echo 'Just another PHP saint'; ?>
            Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/


            • R. Rajesh Jeba Anbiah

              #7
              Re: [FAQ] How to implement a login system?

              Q: How to implement a login system?
              A: A login/authentication system can be implemented in many ways:
              1. Basic login system:
              When the user logs in, set a cookie or session variable and expect
              that variable on every page.
              2. Sessions based login:
              a. When the user logs in, store the session id in the database and
              then compare the current session id with the one stored in the database
              on every page.
              b. Check logged in user's IP on every page.
              c. Check logged in user's browser on every page. May use the user
              agent string ($_SERVER['HTTP_USER_AGENT']) or hash of it.

              Caveats:
              (1) will definitely allow multiple logins and may allow session
              hijacking.
              (2a) alone may allow session hijacking.
              (2b) may break if the user is behind a proxy.
              (2b)&(2c) If session alone (without storing in database) is used as a
              storage, it may break.
              (1), (2a), (2c with database) may provide enough security.


              Refer:




              +++++
              @revision 2 Fixed answer for clarity. See Chung's comment
              @todo Info about other authentications, better link to the login
              implementation (above links use obsolete PHP style)
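
A sketch of options (2a) and (2c) from the revised FAQ answer above, added here as an illustration and not code from the thread or its participants. The `login_sessions` table, the function names, the SQLite file and `/login.php` are assumptions; `session_regenerate_id()` at login is an addition the thread does not mention.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) schema:
//   CREATE TABLE login_sessions (user_id INTEGER PRIMARY KEY, session_id TEXT, ua_hash TEXT);

function ua_hash(): string
{
    // (2c): hash of the browser's user agent string.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once, after the password check has succeeded.
function bind_login(PDO $db, int $userId): void
{
    session_regenerate_id(true);  // fresh id at login; the pre-login id is discarded
    $_SESSION['user_id'] = $userId;
    // One row per user, so a later login replaces the earlier one (no multiple logins).
    $stmt = $db->prepare(
        'REPLACE INTO login_sessions (user_id, session_id, ua_hash) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, session_id(), ua_hash()]);
}

// Call on every protected page; returns the user id, or null if not logged in.
function current_user_id(PDO $db): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT session_id, ua_hash FROM login_sessions WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // (2a) + (2c): both stored values must match the current request.
    if ($row === false
        || !hash_equals($row['session_id'], session_id())
        || !hash_equals($row['ua_hash'], ua_hash())) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

session_start();
$db = new PDO('sqlite:' . __DIR__ . '/app.db');  // hypothetical database file
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if (current_user_id($db) === null) {
    header('Location: /login.php');  // hypothetical login page
    exit;
}
```

The user agent string is supplied by the client, so the (2c) check only catches a session id replayed from a different browser; it does not stop someone who also copies the header.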
