Session and useing password and username question?

Chrysanthus

Hi all

I wounder what is the best solusion of my quest..

My quest! user login and enters a password and sow on...

I have a forum that is not finished but in time it will be.
the thing here is what shoulde i use for qeting the user that makes a post and a verification that he can edit his on post and sow on or delete his on post...

Session i know but how send the username is right but password all over ??? is that good or bad i have now ide..

i have a session defined whenne user login kan i use that to enter mor info on the session file??

// Thansk

thoand

Why not store the unique id (if exists) for the user in the session,
and make sure that this variable is only accessible from session (eg. $_SESSION['uid'] ), I quite sure that this is the safest way to go. You could do som encryption too (SSL) to get the it safe as posible.

this article could help you out:

http://www.phpfreaks.com/tutorials/40/0.php

regards Thomas

Chrysanthus

thanks man! okey ill look at it....

but still i wanna keep track a of the user! can i send that to in the $_SESSION['username'] and ['uid'] that's run a uniq counter that runs numbers and letters..

how do i keep track of the uniq uid in the sigt? make a veribale maybe?

sorry for the stupid questions but im new at php session..??

________

Sessions are a handy tool for storing variables, but the are a common morthod of hackin! So I would not trus the unique id! Store the username and password in the session, but crypt the password - both in your database and in the session. You should NEVER store an uncrypted password!

On every "member page" you run a query on the username and password to check that they are correckt.

Eg.:
-- create and store variables in a session --
session_start();
$SESSION['user'] = $user;
$SESSION['pass'] = crypt($password, "Key");

If you search this board, you will find that there is a lot of discussion whether to use md5() or crypt(). Both methods are good, so choose the one that you like the best!

Remember that crypt can only handle 8 character... In other words, crypt("12345678", "Key") returns the same value as crypt("123456789123456789","Key")

Chrysanthus

one more question? by enctypting password and decryting password back and fortward how do it effect preformans on the computer and on the sight???

You mean like this ?? ...
here is a exampel...

<?
$username=$POST["username"];

$password=$POST["password"];

include ("..///////////////*********.php");

$mysqlcon = "select * from reg_info where username = '$username' and password = '$password';";

$result = mysql_query($mysqlcon) or die("Query failed");

if (mysql_num_rows($result) == '1') {

print "<center><big><big>Welcome $username Please click <a href=\"isloggedin.php\">here to continue to flameline.com</big></big></center>";

$SESSION["IsLoggedIn"] = "1";
$SESSION['username'] = $username;
$SESSION['password'] = crypt or md5($password, "Key");
}

else

{

$SESSION["IsLoggedIn"] = "0";
print "<center><big><big>Sorry, incorrect Password $password. or Nickname $username.</big></big></center>";

print "<center><big>if not a member <a href=\"register.php\">click here to register</big></center>";
}

________

Hi there,
it's not possible to decrypt the password, that why you also must crypt the values in the database.

If you don't want to crypt the password, althoug you should, I would still store the username and password in the session - by trusting a session id your script is easyer to hack!

Är du svensk?😉

Chrysanthus

Sow how do php know whats right or wrong whenne a user register a one password??

do md5 know the password or do i just point on the decrypted value in the mysql??

<SWEDHIS TEXT>
Japp de är jag är ganska ny på php så jag sugger på session och allt annat .. har typ hålt på med php i 2månader okej 3månader tror jag! fast jag lär mig..

________

Just search for the crypted password in your database, eg.:

$user = $POST['user'];
$pass = crypt($POST['pass'], "Key");
// or use md5!
SELECT * FROM database WHERE user='$user' and pass='$pass'

That way, if some one manages to hack your sessions or the database, they will not get access to the passwords!

Important: take a look at the security chapter in the manual. Use the function mysql_escape_string to make the values going into the database safe!

Håper du forstår norsk!
over 200 posts på 3 måneder, det er ikke dårlig!
Det er alltid smart å cryptere passord, for da kan ingne hente ut passord av databasen for å senere logge seg inn. Problemet er hvis du har en "glemt passord" funksjon - det er ikke mulig å dekryptere passordet og sende det til brukeren. Så da må du skrive et script hvor de kan opprette et nytt passord.

Chrysanthus

uhhh jobbigt.... aja får se vad jag gör!!