User Authentication ideas?

Anon

I am developing a website that requires user login/logout.

After reading number of PHP books and online discussions I am stiil confused how to implement secure login and page authentication.

Here is what I wnat to do:

Present user with login form. Accept userid and password and somehow set a cookie or something that I can use to validate for the duration of the session that the user is authenticated. I would like to avoid sending password across the net as plain text. Some folks use encryption but I am not sure how to implement it. Is it JavaScript?

Should I use HTTPS while the logon in progress.? My hosting company does not have PHPLIB installed so most of the session authentication and management I need to do in my code.

I would like to write couple of functions that verify authentication/ and perms in some fashion after the user logged in.

Any ideas, tips, code would be appriciated.

Thanks in advance.

Roman

Anon

Well, I'm not the expert but I would suggest to use md5 on a password. I'm not sure there is a way to prevent sending the password from the form to your code without encryption, since the form needs to be submitted first for you to capture the password.

however, after that, store the password in your database as:

$pwd = md5($pwd);

When you set a cookie, never include the password, or perhaps the md5 password, but this would allow e.g. students on a university to abuse someones account if your cookie is set and it includes login + pwd.

See PHP Builders article on security it's a great one! (click on "columns")

I suggest you only set their login as cookie, and set some session var to tell your program he/she is validated (that's also in the same article on this site).

The only way to be really sure is to have https:// and a hosting company that will allow you to use that?

So, basically, apart from everything your read so far, read this websites columns on security and sessions!

Anon

Hi Roman,

Why don't have a look around the sites filled with tutorials and columns ?? They definitely have articles, code and complete systems for your problem... I remember an article from tim perdue on this site (Called "A complete Secure Loginsystem") And on DevShed they got definitely something similar and on php.resourceindex and so on ..
i think this is one of the most answered questions around. It should not be so hard to find an answer just by looking on a few pages...

cya Rob

Anon

Yes, if you want complete security the login page needs to be secure, so that the password will not be sent in plaintext over the wire. Not hard to do, unless your provider doesn't provide HTTPS!