Best way to authenticate

Anon

In my database system I currently use PHP4 Session Management, storing the username and password as session variables and then authenticating them in my MySQL database at each page. Is this system acceptably secure? Should I be using HTTP authentication instead?

setic

Rather than running the userid and password past mysql at each page, you should do this once in the login page and if successful register a session var like user_in = 'true'. Then check for this var in your secure pages:

if (!$HTTP_SESSION_VARS['user_in']) {

header ('Location: nogoodnik.php');

}

More secure and efficient.

setic

Anon

If I did it this way any joy shmoe cracker could then just create a cookie with a user name and user_in='true' and modify my database though couldn't he? At least with my original method one HAD to know the password to get access to anything.

brandonschnell

basic http auth is a dog, use sessions.

setic has got it right but look at the below link for a way around the cookies hack:

http://www.phpbuilder.com/columns/tim20000505.php3

Anon

You could also request the proper type of variable. Remember, GET, POST, Enviroment and Cookie? There is usualy an order to those in your system. just request the variable that you need to get.

setic

No. Notice how I fully scoped the session var ($HTTP_SESSION_VARS['user_in'])? PHP will not look for this variable on the client's machine, but rather the system registry on the server. Thus it's pretty damn hard for a hacker to mimic these vars.

If you have multiple users with their own private accounts, obviously you'll have to include some more logic to keep the individual accounts secure.

setic

Anon

Thanks for the link man, by far the best suggestion yet! I made a version of those functions using PHP4 sessions and it's all good. Thanks!