Heyas,

I've never had any password protection so far, so I'm rather new to the coding... (I know the process though--)

Anyway, I've been looking for a good tutorial on Google and on the search option on these forums for a way to easily have a secure, yet simple register/login/session pages--Explaining tutorial...

If someone can give me a link to a good tutorial explaining this, it'd be greatly appreciated 😉

Also, I will edit the register form so that it carries more information, I'd prefer if the tutorial would just look for username then password in the database and ignore any other columns...

A link would be greatly appreciated--Thanks!! 🙂

    Will look into them,

    Thanks!!

      Well, I looked at them and a few others--
      Just another thing...None of them had any secure ways to continue the session...

      I could do it w/o a cookie but then if the user doesn't close the page, they'll stay logged in...

      If I get a cookie with a self delete time of something like 30 minutes since last access, then, it would be much better if the user forgets to log out?

      EDIT: Can someone give me a link where it explains the creation of the cookie and how to check if the cookie is valid as a header on the beginning of each secure page...

      And, if the username is stored in the cookie, then someone could easily edit their cookie to have the username of someone they think is also logged in? So I would have to...put the IP address of the login and it would check if the IP address in the cookie and the IP address accessing the secure site match?? Well, actually now that I think about it again the cookie will have a random session id in it so it would be highly unlikely for an account to be hijacked..

      Thanks 😉

        Sessions are more secure than cookies.

        Set up a session array with the session ID and the IP of the user. Check to make sure they stay the same throughout your site. That should be pretty secure, not SSL secure ... but a user would have to spoof a session ID and the matching IP before they could "hijack the session".

          That sounds pretty good, just, how to do it 🙂

          I plan on using the following script because it's easy to understand:

          http://codewalkers.com/tutorials/32/3.html

          A link to the 3rd page, where it creates the session id I believe...The following line in the 3rd code example on the page:

          $_SESSION["member_id"] = login($_POST);
          

          I think that's where the session is created and the member_id is used as the backbone of it? So..If I replace that member_id with the ip address variable (Have it somewhere on my comp) then it would be based on the ip address.?

          Then, I would have to add a code that would create a session id again by looking at the ip address and compare? (Not sure how to exactly do this part though, the continue session code is on:

          http://codewalkers.com/tutorials/82/5.html

          Thanks!!

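            // first page: record the session ID and the client IP in the session
            session_start();
            $_SESSION['sid'] = session_id();
            // getenv() takes the variable name as a string; a bare HTTP_X_FORWARDED_FOR
            // is an undefined constant. X-Forwarded-For is a request header set by the
            // client or a proxy, while REMOTE_ADDR is the address of the connecting peer.
            $_SESSION['ip'] = (getenv('HTTP_X_FORWARDED_FOR'))
                ?  getenv('HTTP_X_FORWARDED_FOR')
                :  getenv('REMOTE_ADDR');


            // second page: recompute both values and compare them with the stored ones
            session_start();
            $ip = (getenv('HTTP_X_FORWARDED_FOR'))
                ?  getenv('HTTP_X_FORWARDED_FOR')
                :  getenv('REMOTE_ADDR');
            if ($_SESSION['sid'] !== session_id() || $_SESSION['ip'] !== $ip)
                die('No one likes bad people.');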

            Is how I would do it ...
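
The session handling discussed in this thread (IP binding plus the 30-minute idle logout asked about earlier), as an added example that is not code from any poster or from the linked tutorials. The function names and the `/login.php` path are hypothetical, the site is assumed to be served over HTTPS on PHP 7.3 or later, and the IP is taken from `REMOTE_ADDR` only because `X-Forwarded-For` is a header the client can set.

```php
<?php
// Added example: hypothetical helpers, not code from the thread or the tutorials.
declare(strict_types=1);

const IDLE_LIMIT = 1800; // 30 minutes since last access, as asked in the thread

function secure_session_start(): void
{
    // Session cookie only: expires with the browser, HTTPS only, hidden from JavaScript.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
    session_start();
}

// Call once, right after the username/password check succeeds.
function login_session(int $memberId): void
{
    session_regenerate_id(true);            // fresh ID at login defeats session fixation
    $_SESSION['member_id'] = $memberId;
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR']; // TCP peer address, not a header
    $_SESSION['last_seen'] = time();
}

// Call at the top of every protected page, after secure_session_start().
// Returns the member id, or clears the session and redirects to the login page.
function require_login(): int
{
    $expired = time() - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT;
    $moved   = ($_SESSION['ip'] ?? null) !== $_SERVER['REMOTE_ADDR'];
    if (!isset($_SESSION['member_id']) || $expired || $moved) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');     // hypothetical login page path
        exit;
    }
    $_SESSION['last_seen'] = time();        // sliding 30-minute window
    return (int) $_SESSION['member_id'];
}
```

The cookie carries only the random session ID; the member id, IP and last-access time stay in server-side session data, so editing the cookie cannot change which account is loaded.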
