Custom Login Menus?

Anon

Back again! =)

Better question this time, I'm not even sure if this one's possible, but I'm hoping all you nice people can find some way out of it.

My site is, and has been using, for a while, a login system, for members, where there is a <form> with 2 inputs (user, pass) that submit to a php script that checks the DB for a valid login/pass, and sends the user to the appropriate site. This is all well and good, but now I need to make a REAL site, and have to have proper security, or at least not have people's passwords pop up in the box at the top... =)

So, I went and learnt how to do HTTP verification in PHP, which is all nice, and safe and whatever... BUT it looks crap. I mean, really... The default IE box? Ugh.

Sooooooooo, I was just wondering if anybody would know of a nice way of keeping the little boxes in the menu, and getting them to work with a real HTTP auth thing?

Thanks for all the help, ppl!

Anon

Someone already suggested in this forum to use a URL with the following form :

http://user:pwd@www.yoursite.com/path

When the user pushes the form button, make the URL with a little javascript code and go to the location.

Anon

Why don't you use sessions?

Anon

How do you suggest?
Sorry, I haven't tried these much yet.
But, to send a variable from the form, wouldn't it have to come up in the URL? Or is there some way to process the input before it's submitted?

Anon

I remember now, PHP's built in encrypt() function, and trying to use it before, but does anybody know a way to make a button on a form run a PHP script without actually going to a seperate page?

Anon

Here is how I do it.

First of all, the login form should transmit data using POST, not GET. This keeps the username/password from showing up in the Location: field of the browser.

With data in hand, I look up the username and password from the database. If they match, I use this function:

function makehashid()
{
global $cryptphrase;
global $uid;
return md5("$cryptphrase $uid");
}

... to compute a magic encrypted key for the user. This key is stored as a session variable (server side) along with the userid itself. The reason for this will be explained shortly.

On every secured page, I do this:

// function to validate whether a current, valid uid exists
function isloggedin()
{
global $uid;
global $hashid;
return ($hashid == makehashid($uid));
}

... and if the function returns FALSE, I forcibly log the user out and kick him to the login page.

Here's why I do this: I don't want some net.moron to be able to pass false UID information to my server by adding a string to a URL. So I have created a secret checksum that makes the session invalid if the UID is changed.

The net.moron can't include fake hashid information in the URL, because the MD5 value is computed using a secret cryptphrase, which comes from my server configuration.

The important points here are:

PHP sessions are used to store the login tokens server-side, and they are not shipped back and forth over the wire.
The only thing that gets stored in a cookie (or sent in a URL, if cookies are disabled) is the PHP-generated unique session identifier, which is an unpredictable value.
Everything is reasonably secure.

Anon

You may be able to protect the .html/.php pages, but how do you procect images in the directories?

Say I make images for clients and put them in the client's password protected directory for them to see. Using apache htaccess they are protected but how do you protect the .jpg files?

Anon

You could easily write PHP code to serve the images to authorized users. For the specific case you mentioned it would be simpler to use HTTP basic authentication. MF's problem, though, is different.

Anon

This alll worked quite nicely, but the password still shows up in the address, same problem?
How do you do it? I had a form action=post, sends to a page, which then checks the DB and whatever, and redirects, like you suggested... But while the page is loading, it still shows up?

Thx for all the help, too, sorry to be such a pain! =)

Anon

Don't believe its possible. Since PHP is server-side, all scripts are processed prior to being sent to the client. The only thing you can hope to execute (if the client has it on) is JavaScript, using the onSubmit function in the form tag.

Jim

Anon

Can you show us a snippet of the code that is sending the password?

Anon

Sorry to drag this back up out of nowhere, but I've undergone a slight change of country, just started on it again. =)

I fixed up the form, doesn't show in the address any more, that was just my really lame way of processing the login before, so that's all fine. But, now, whenever I try to use the session functions, I think, I get all sorts of nasty errors, and PHP packs up and refuses to work at all without a reboot or a restart of IIS... I can't say exactly what the message was, not at my own computer now, but is this a common one? Any .ini settings I need or anything? I'll try and post some details later...

Thx again