User Authentication with mySQL question

Anon

I am new to php and I have managed to get a user database up in mySQL with encryption. Now I have read that some people use cookies or sessions to keep users who have logged in active so they do not have to re-login while they are there.

I am wondering which is easier or better to use?

I only want to store the users ID and password.

Also any sample coding would be greatly appreciated.

Thanks

Anon

This is what ive been struggling to do for the past week,

basically if your visitors will be using computers that can accept cookies, and you have php4, you are probably best off using the session management inside PHP.

I am using a template i found in a PHP book, code reproduced below, which creates a usr id, pops it into a mysql database and then you can check the session id against the database and determine whether or not they are logged in (with a time out function of course). I haven't quite got it working yet, but its almost fixed, and i haven't put the username / password check (it will store the user;s id in the sessions table of db only if they pass a username / pass test.

This way is because some of my site visitors are using non cookie computers, but if your visitors are all likely to be cookie enabled, then use cookies......

here comes the sample code......

<?
/
** Demonstration of using session identifiers hopefully with an $logged modification to them.
/

// generates a session id
function SessionID($length)
{
/
** Set a pool of possible characters to set the session to
/
$Pool = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
for($index = 0; $index < $length; $index++)
{
$sid .=substr($pool, (rand()%(strlen($Pool))), 1);
}
return($sid);
}

// Seed the generator with the time
srand(time());

<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<?
$mysql_link = mysql_connect("URL", "USER", "pass");
mysql_select_db("uniswap", $mysql_link);

// delete any sessions over 30 mins old from the db

$Query = "DELETE FROM session ";
$Query .= "WHERE LastAction < '";
$Query .= date("Y-m-d H:i:s", (time()-10800));
$Query .= "'";

mysql_query($Query);

// check if session exists
if(isset($session))
{
// we have a session so scope it against the DB
$Query = "SELECT * ";
$Query .= "FROM session ";
$Query .= "WHERE id='$uid' ";
echo $Query;
$mysql_result = mysql_query($Query, $mysql_link);

if(mysql_numrows($mysql_result))
{
	// session does exist, update last time thingamyjig
	$Query = "UPDATE session SET LastAction = now() WHERE id='$session' ";
		echo $Query;
	mysql_query($Query, $mysql_link);

	print("session updated, expires in 30mins<br>");
}
else
{
// session has expired, sorry buddy
print("Expired session, please login.<br>");
$session = "";
}

}

// if session is empty, create a new one.
if($session == "")
{
$uid = SessionID(8);

	// insert value into the dbase
	$Query = "INSERT INTO session (
	id,
	LastAction,
	usr_id,
	logged
	) VALUES (
	'$uid',
	now(),
	$usr_id,
	$logged
	)";

	echo $Query;
	echo $uid;
	mysql_query($Query, $mysql_link);

}
?>
<body bgcolor="#FFFFFF" text="#000000">
<a href="<? echo $PHP_SELF; ?>?uid=<? echo $uid; ?>">Test the session
baby</a>
<? echo $uid; ?>
<?
SessionID(8);
echo $sid; ?>
</body>

yelvington

Cookies store persistent variables on the client. There are some limits to the amount of data you can shove around that way, and the data is passed across the Internet in plain text form, creating some security issues. If you have lots of data, or if you are concerned about security, then sessions are better.

Sessions store persistent variables on the server, and give the client a key value that is used to retrieve the persistent variables on the next query. The key value can be passed as a cookie or with the URL. The constant SID is used for the latter; if the user has cookies disabled, PHP will notice and will populate SID with the proper name=value pair. Thus you can say

and SID will be filled in for a cookie-paranoiac, but empty for the rest of us.

Tim Perdue wrote an article outlining how he tackled authentication, which you should read:

http://www.phpbuilder.com/columns/tim20000505.php3

There also are some articles on session handling that you should look at as well.

You are welcome to download the source code for my message board system and see how I used those ideas:

http://stonemountain.yi.org/