Secure login?

james_cwy

I am working on a login page that only allows the administrator account to login.

I would like to ask:
What is the best way and most secure way to do this?

At the moment I am just using if $POST['user] == "xxx" and $POST['pwd] == "xxx".
Upon verification, the administrator can access many other pages about 20 pages of php and html.
I feel this is not that good.

I want to change this to a more secure way maybe perhaps using encryption if possible

Please advise. Hope you can provide an example.

Thanks a million

laserlight

It depends on how much security you want.

You could try SSL, or using say, the [man]mcrypt[/man] library to implement an encrypted login system.

You could also rely on a cookie-based or session-based (or both) system.

jackohara

If you're not using a database to store the login and pass, I'd suggest md5()

If you have

$varlog="QWEtr23twesfdv";
$varpas="ADWFeart35t2345";

((both the above are random text/number, do not use, instead make a page to determine what the

<?
$log="Admin";
echo md5($admin);
?>

is, same for password))

It would be more secure than simple plain text as MD5() is, as of now, irreversible

you would then have

if(md5($POST['user])==$varlog and md5($POST['pwd])==$varpas) { login(); }

also, only having a log in to stop people viewing these pages is not a good idea (unless you have a checker on every page to make sure you are logged in, and/or correct admin)

Programs such as IntelliTamper (www.intellitamper.com I believe) can view a file list of any webserver. If your pages aren't protected as said above, you're in trouble =P

Have fun.