
How to keep track of the password

What is the best way to keep track of the password after someone has logged in to the site? I mean, where should I put the password to take it and check if it's valid each time a page is loaded?

Except if you have a better idea.

PHP

22 Comments

@shimon, Apr 06, 2004 — that rather depends on how the password is entered - you could set up some HTTP authentication and then examine the contents of $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] though I do wonder why you would bother, since Apache handles all that for you quite nicely. Anyway here's the relevant manual page:

http://uk.php.net/manual/en/features.http-auth.php

On the other hand, if the username/password are entered through a form you created, you're going to have to look into cookies and/or proper session handling - how you do this is going to vary depending on your purpose, I guess.

@SamKook (author), Apr 06, 2004 — I'm not using Apache so... what is the most secure way to keep it?

@shimon, Apr 06, 2004 — not using Apache? ahhh

err

if you really need to, I would say store it server-side, in a database or something

you could theoretically stick it into a cookie, but that would probably have security issues

[Edit]

hmm on second thoughts, I would recommend doing it exactly like in the example on that manual page, it's simple and easy and it works

@SamKook (author), Apr 06, 2004 — How am I supposed to do this if it only works with Apache?

@shimon, Apr 06, 2004 — ah yeah sorry I'm not concentrating too well today :/

just out of interest, what server software are you using?

@SamKook (author), Apr 06, 2004 — Right now I'm using IIS, but another problem is that I don't know yet what the server will be on the final website.

@SamKook (author), Apr 07, 2004 — I'm still wondering if I should use cookies or a database to store the password. What do you think is the best?

@shimon, Apr 07, 2004 — I wouldn't recommend storing a password in a cookie. As I mentioned above, I would usually store a unique (and ideally obfuscated) identifier in a cookie, and keep everything else to do with the session in a database, at least that way it's only in your hands

@SamKook (author), Apr 07, 2004 — yeah, it would be better. But do you have an idea how I can recognize which password belongs to whom if 2 users connect at the same time?

@SamKook (author), Apr 07, 2004 — forget my last reply, I decided to make a logged table and deny multiple connections from the same user.

My only problem now is how can I know if the user is not logged in anymore, to delete his entry?

@shimon, Apr 07, 2004 — hmm I think you're maybe trying to make things more complicated than they need to be, you certainly don't need to deny entry to anyone just cos someone else is logged in. Think of it this way:

1. user enters username and password, you check they are correct
2. if they're incorrect you deny entry. if they're correct you allow them in, which involves:
3. create a row/record in a table (you could store the datetime of login, for example). Now take the auto_increment insert id of that row and encrypt it, for example using md5() and maybe a random value or something. update the row in the table to store this
4. set that value as a cookie value

then at every page request, you don't need to check the password, just check whether the cookie exists and that it refers to a relevant session record

if the user manually logs out, delete the database row, and delete the cookie (you probably also want to set a manual timeout too, for example after 15 minutes of inactivity)

@SamKook (author), Apr 07, 2004 — good idea. It would be a lot better than what I was thinking.

Another problem, I have no idea how I can set a timeout.

@shimon, Apr 07, 2004 — oh that's easy

in that there table where we're storing the sessions, add another field, a DATETIME column. call it, say, last_updated

now, every time the user requests a page (so basically at the same time as you're checking for the cookie id and all that stuff), if the request is successful, just update the user's session row each time so that the column is set to 'now()';

then for each request, you can check whether last_updated is within 15 minutes (or however long you want). If it's longer than that, just log the user out (delete the row, delete the cookie) and perhaps explain to the user what happened, just to be polite

@SamKook (author), Apr 07, 2004 — If he connects to the site, erases the cookie manually and reconnects to the site, I guess the value with his user and pass from the first connection won't be erased except if I check the dates of all the entries.

Or if he never reconnects, the entry will still be there also.

Is there a way to prevent this except to erase them manually or to check the date of all the entries each time?
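
The token-and-timeout scheme described above, including the cleanup of abandoned rows asked about in the last post, as an added example that is not code from the thread. It swaps the md5() of the insert id for a random_bytes() token stored as a SHA-256 hash and uses an in-memory SQLite database so it runs offline; the function names and column layout are assumptions, while the `logged` table and `Login` cookie names follow the thread.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
const IDLE_TIMEOUT = 15 * 60; // 15 minutes of inactivity, as in the thread

function openStore(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory database, runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logged (token_hash TEXT PRIMARY KEY,
        user_id INTEGER NOT NULL, last_updated INTEGER NOT NULL)');
    return $db;
}

// After the password check succeeds: store a row, return the cookie value.
function createSession(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // CSPRNG instead of md5(insert id)
    $db->prepare('INSERT INTO logged VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now]);
    return $token;
}

// On every page request: the user id, or null when not logged in.
function checkSession(PDO $db, string $token, int $now): ?int {
    // Purge all expired rows, including ones whose cookie was erased by hand.
    $db->prepare('DELETE FROM logged WHERE last_updated < ?')
       ->execute([$now - IDLE_TIMEOUT]);
    $hash = hash('sha256', $token);
    $q = $db->prepare('SELECT user_id FROM logged WHERE token_hash = ?');
    $q->execute([$hash]);
    $userId = $q->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $db->prepare('UPDATE logged SET last_updated = ? WHERE token_hash = ?')
       ->execute([$now, $hash]);
    return (int) $userId;
}

// Constructed walk-through with fixed timestamps instead of time().
$db = openStore();
$t0 = 1000000;
$token = createSession($db, 42, $t0);
// On a real page: setcookie('Login', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(checkSession($db, 'forged-value', $t0 + 60));  // unknown token
var_dump(checkSession($db, $token, $t0 + 600));         // inside the idle window
var_dump(checkSession($db, $token, $t0 + 600 + 901));   // idle for more than 15 minutes
var_dump($db->query('SELECT COUNT(*) FROM logged')->fetchColumn()); // rows left
```

Because the purge runs inside every check, rows left behind by users who never come back disappear the next time anyone requests a page. A manual logout is the same DELETE keyed on the token hash, plus expiring the cookie.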

@diamonds, Apr 07, 2004 — LIKE THIS:

the code is untested:

this could be your login page:
[code=php]<?php
// Process the login form when it has been submitted.
$loginfailed = false;
if(isset($_POST['action'])&&($_POST['action']=='login')){
    $password = md5($_POST['password']);
    $username = $_POST['username'];
    include('users.php'); // defines the $users array
    // Strict comparison, so two different hex strings never compare equal as numbers.
    if(isset($users[$username])&&($users[$username]['password']===$password)){
        // Keep the username and the md5 hash in cookies for one hour.
        setcookie('lib-login[user]',$username,time()+60*60);
        setcookie('lib-login[pass]',$password,time()+60*60);
        header('location: http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/index.php');
        die;
    }else{
        $loginfailed = true;
    }
}
    ?><html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <style type="text/css">
    <!--
    td {
    background-color: #EEEEEE;
    }
    input {
    border: 1px inset #404040;
    background-color: #EEEEEE;

    }
    -->
    </style>
    </head>

    <body onload="document.form1.username.focus();">
    <table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
    <tr>
    <td align="center" valign="middle" style="background-color:white;"><p>
    <?php if($loginfailed){echo 'Not a Valid Username/Password!';}else{echo 'Amasing what 100% pure CSS can do to a webpage...';} ?>
    </p>
    <form name="form1" method="post" action="login.php">
    <table border="0" cellpadding="3">
    <tr>
    <td colspan="2"><p>Welcome to the Lib</p>
    </td>
    </tr>
    <tr>
    <td><p>Username</p></td>
    <td> <input name="username" type="text" id="username2" onfocus="this.style.borderColor='#330099';this.style.backgroundColor='#FFFFFF';" onBlur="this.style.borderColor='#EEEEEE';this.style.backgroundColor='#EEEEEE';"> </td>
    </tr>
    <tr>
    <td>Password</td>
    <td> <input name="password" type="password" id="password" onfocus="this.style.borderColor='#330099';this.style.backgroundColor='#FFFFFF';" onBlur="this.style.borderColor='#EEEEEE';this.style.backgroundColor='#EEEEEE';"> </td>
    </tr>
    <tr align="center">
    <td colspan="2"> <input type="submit" name="Submit" value="Submit" style="border: 1px outset #404040;">
    <input name="action" type="hidden" id="action" value="login"> </td>
    </tr>
    </table>
    </form>
    </td>
    </tr>
    </table>
    </body>
    </html>
    [/code]

then login.php is this:
[code=php]
<?php
include('users.php'); // assumed to define $users, as on the login page
$writeable = false;
// The cookie must name a known user and carry that user's stored md5 hash.
if(isset($users[$_COOKIE['lib-login']['user']])&&($users[$_COOKIE['lib-login']['user']]['password']===$_COOKIE['lib-login']['pass'])){
    // Permission level 2 or higher on 'ALL' allows writing.
    if($users[$_COOKIE['lib-login']['user']]['perms']['ALL']>=2){
        $writeable = true;
    }else{
        $writeable = false;
    }
}else{
    // Not logged in: send the visitor to the login page.
    header('location: http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/login.php');
    die;
}
function logout(){
    // Expire all three cookies, then go back to the login page.
    setcookie('lib-login[user]','',1);
    setcookie('lib-login[pass]','',1);
    setcookie('lib-login','',1);
    header('location: http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/login.php');
}
?>
[/code]

include the php page on whatever you want to protect.

notice the passwords are md5() protected. this is more secure when you encrypt the passwords [B]one way[/B].

simply call the function logout when you want to log the user out.

it's not done, maybe enough to get you started. if you want to connect it to a mysql database, for example...

for more information about md5 (by the way, md5 is part of the PHP core)

go to the docs: [URL]http://php.net/md5[/URL]
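
An added example, not code from the post above: md5() is a fast, unsalted hash, so this sketch does the same `$users` lookup with PHP's password_hash() and password_verify(), and upgrades a legacy md5 entry on the next successful login. The `$users` layout mirrors the post; the sample accounts and the function names are constructed.

```php
<?php
// Added example. Constructed sample data in the shape the post's users.php
// appears to use: 'alice' still has a legacy md5() hash, 'bob' a modern one.
function sampleUsers(): array {
    return [
        'alice' => ['password' => md5('correct horse')],
        'bob'   => ['password' => password_hash('battery staple', PASSWORD_DEFAULT)],
    ];
}

// Hypothetical helper: true on a valid login; upgrades old hashes in place.
function verifyLogin(array &$users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username]['password'];
    // A bare 32-character hex string is a legacy md5() entry.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);   // salted, deliberately slow hash
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // The plaintext is only available now, so re-hash at login time.
        $users[$username]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

$users = sampleUsers();
var_dump(verifyLogin($users, 'alice', 'correct horse')); // legacy entry, right password
var_dump(preg_match('/^[0-9a-f]{32}$/', $users['alice']['password'])); // format after upgrade
var_dump(verifyLogin($users, 'alice', 'correct horse')); // now checked by password_verify
var_dump(verifyLogin($users, 'bob', 'wrong guess'));     // wrong password
```

The caller has to write the upgraded hash back to wherever `$users` is stored.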

@shimon, Apr 08, 2004 — Well, I guess my point was that you don't need to store the username and password, and you don't need to go to the effort of comparing them at every page request. But obviously there's always more than one way to do these things

@SamKook (author), Apr 08, 2004 — I guess, but since I think your way is better and that I have practically finished doing it your way, I think I will stick to your way.

P.S. I think I could have said your way one or two more times in the sentence, but I'm just too lazy to do it.

@SamKook (author), Apr 08, 2004 — I got another problem

I try to verify if a date is < than another but with those values: 2004-04-08 10:31:57 < 2004-04-08 9:31:57, it says that 9:31:57 is higher than 10:31:57.

is there a good way to verify if the hour is smaller than another?

@SamKook (author), Apr 08, 2004 — Forget it, I was using G and not H

sorry you lost 10 sec of your life reading that

@SamKook (author), Apr 08, 2004 — I got a problem ... again

I have to delete a cookie and recreate it after. Since I need to reload to resend the header, I used this function: header("Location:".$_SERVER['PHP_SELF']); , but it doesn't work, because the cookie is not deleted.

Or can I just overwrite the information in the cookie?

@SamKook (author), Apr 13, 2004 — I resolved the problem in the previous post (I didn't have to resend the header if I delete all the outputs)

Now here is the new problem: I want my function to see variables in the main program. It should be easy, but I'm new to web programming and I'm used to developing classic apps.

Here is the code:

[code=php]
<?php
// Variable declarations
$ID_Login = md5(microtime());

// Function declarations
function CreerCookie()
{
    // $ID_Login and $db are not visible inside this function (the problem described above)
    if (setcookie("Login", $ID_Login, time()+60*60*12)) // expires in 12 hours
    {
        $InsertCookie = "INSERT INTO Logged VALUES (
'".$ID_Login."','','','".date("Y-m-d H:i:s")."');";

        // Run a test and delete the cookie if it was not inserted into the db
        mysql_query($InsertCookie,$db);
    }
    else
    {
        echo "Une erreur est survenue, assurez-vous que votre navigateur accepte les cookies";

        // Debugging information ------------------ to be removed
        echo "<br />Bou :( P.S.on devrait pas voir la forme eventuellement";
    }
}
[/code]

@SamKook (author), Apr 13, 2004 — forget it, I think I'm getting stupider every day.

I just need to pass it to the function.

yé!! my 6th post in a row without any answer.