PHP: Best way to authenticate users?

Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

Hope this PHP shows up ok on the forum.

Anyway... I'm trying to embed a script to handle authentication into my pages... so far I've come up with this system below which does work, but I have no idea if it's secure or if there's a pre-wrapped system for this, or even a totally different way of doing it.

The idea is this code is embedded in every single page of the site (in the header.php file added to each) and will ensure that no matter what page a user is on, they are authenticated every time.

Note: several functions not shown here, such as error() and Encrypt(). Also database operations are handled by an object, Database().

Any thoughts?

#Login box
if ( !isset( $_SESSION['UserID'] ) ) //If not logged in yet
{
	//----------------------------------------------------------
	//Things to do in Denver when you're logged out
	//----------------------------------------------------------
	if ( !isset( $_GET['Login'] ) ) //If not trying to log in yet
	{
		print "
			<form action='?Login=True' method='POST'>
				Username: <input type='text' name='username' /><br>
				Password: <input type='password' name='password' /><br>
				<input type='submit' value='Log In' />
			</form>
		";
	} else { //If in the process of logging on
		$AttemptUsername = $_POST['username'];
		$AttemptPassword = $_POST['password'];
		$Database->Query( "SELECT * FROM Account WHERE Name = '$AttemptUsername'" ); //take a look for the username (the raw POST value is interpolated into the SQL here; escape or bind it)
		if ( $Database->NumRows() ) //if that username even exists
		{
			$DBRow = $Database->GetRow();
			$ActualPW = $DBRow['Password'];
			if ( crypt( md5( $AttemptPassword ) , md5( $AttemptPassword ) ) == $ActualPW ) //If password matches
			{
				$_SESSION['UserID'] = $DBRow['ID'];
				$_SESSION['Username'] = $DBRow['Name'];
				print "You have successfully logged in as " . $_SESSION['Username'];
			} else {
				Error( 3 , "Login -> Invalid Password");
			}
		} else {
			Error( 2 , "Login -> Invalid Username");
		}
	}
} else {
	//----------------------------------------------------------
	//Things to do in Denver when you're logged in
	//----------------------------------------------------------
	if ( !isset( $_GET['Logout'] ) ) //If not trying to log out
	{
		print "Currently logged in as " . $_SESSION['Username'] . "<br>\n";
		print "<a href='?Logout=True'>Log Out</a>";
	} else { //If trying to log out
		unset( $_SESSION['UserID'] );
		print "You have now logged out, " . $_SESSION['Username'];
		unset( $_SESSION['Username'] );
	}
}
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
ilum0s
Posts: 84
Joined: Wed Feb 16, 2005 11:31 am

Post by ilum0s »

Yeah, the theory is secure, but session IDs can be stolen, so you may want to check the user's IP or hostname as well.

It's a tricky problem, and it's taken me some time to come up with a system that just about works using cookies and sessions. I'll post it here later.
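Taking Foo's block and ilum0s's point about stolen session IDs together, here is an added example (not Foo's code, and not from any library the thread names) of the same login/logout logic with the weak spots hardened: a bound query parameter instead of string interpolation, password_hash()/password_verify() instead of crypt(md5()), a regenerated session ID on login, and cookie flags that make the ID harder to steal. It assumes a PDO connection in $pdo and the same Account table (ID, Name, Password), with Password now holding password_hash() output; session_set_cookie_params() with an array needs PHP 7.3 or later.

```php
<?php
// Added example, not Foo's code: a hardened version of the login/logout block
// above. Assumes a PDO connection $pdo and the same Account table (ID, Name,
// Password) with Password now storing password_hash() output.
// Cookie flags limit session-ID theft over plain HTTP or from page scripts.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

function attempt_login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT ID, Name, Password FROM Account WHERE Name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so response time does
    // not reveal whether the username exists.
    $hash = $row['Password'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // new ID on login defeats session fixation
    $_SESSION['UserID'] = $row['ID'];
    $_SESSION['Username'] = $row['Name'];
    return true;
}
function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600); // drop the client's cookie too
    session_destroy();
}
if (!isset($_SESSION['UserID'])) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
        if (attempt_login($pdo, $_POST['username'], $_POST['password'])) {
            echo 'Logged in as ' . htmlspecialchars($_SESSION['Username'], ENT_QUOTES, 'UTF-8');
        } else {
            echo 'Invalid username or password.'; // same message for both failures
        }
    } else {
        echo "<form method='POST'>Username: <input type='text' name='username'><br>"
           . "Password: <input type='password' name='password'><br>"
           . "<input type='submit' value='Log In'></form>";
    }
} elseif (isset($_GET['Logout'])) {
    logout();
    echo 'You have now logged out.';
} else {
    echo 'Currently logged in as ' . htmlspecialchars($_SESSION['Username'], ENT_QUOTES, 'UTF-8')
       . " <a href='?Logout=True'>Log Out</a>";
}
```

Binding the session to the client IP, as ilum0s suggests, is optional and breaks users behind rotating proxies or on mobile networks; regenerating the ID and setting the cookie flags covers the common fixation and theft cases without that cost.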