Posted by J.O. Aho on 07/28/06 04:01
Flaming Corncob wrote:
> Hello. Don't know if this would be the appropriate group to post this to
> but it does have to do with PHP.
>
> I'm trying to put together a page using PHP to handle and manage the
> logging in/out or accounts, keeping data such as an account ID. Now, I
> have no clue as to how to go about doing this properly as I've never
> tried this before and for all I know I've been going about it all wrong.
> What I need:
>
> 1) Ability for someone to log into the site using an account ID and
> password. I already use MySQL/PHP so this I believe I can handle without
> help.
>
> 2) The ability for the browser to retain this bit of info as a cookie
> (my thinking - assuming this is how it's done on most sites). This info
> would be retained until the user "quit" the browser or the cookie
> expires.
>
> Now I've already played around with cookies and sessions, but nothing
> I've done appears to work correctly. I'm assuming for it to work cookies
> and sessions are used together, not separate like someone suggested to
> me. Are there any samples of code out there that actually work that I
> could look at, or is there someone out there that knows how to go about
> it?

Sessions don't necessarily use a cookie; it can be sent over the URL too.

I do suggest, if you use cookies or sessions stored in cookies, that you use JavaScript to check if the cookie is enabled and let the user know that it needs to be enabled if it's not, as doing this in PHP requires you to create a cookie on one page and then load another where you test if the cookie is there or not, while JavaScript can do this in one page.

At the login script you check the login/pass against the database; if OK, then create a cookie and store that the user is logged in in a temp database table with the current IP number.

On all pages where you need to be logged in, you then check if the cookie is there and that the user's IP number is the same as in the database. This way it's less risky that someone hijacks the cookie and tries to use it, but you have a problem if the user uses a proxy system where the proxies may have different IP numbers, but the users who are behind such a system are few.

If the checkup fails on something, redirect the user to the login page; if the checkup is OK, then just show the page.

I do suggest you take a look at the online manual, it's full of useful user comments: http://www.php.net/manual-lookup.php?lang=en&function=setcookie&x=0&y=0

//Aho
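
The login step and per-page check described in the reply above, as an added example that is not part of the original thread. The table names (`users`, `logged_in`), function names (`login`, `check_login`), cookie name (`auth`) and `/login.php` path are hypothetical; in-memory SQLite stands in for MySQL, the account and IP addresses are constructed, and storing only a hash of the cookie token is a choice made here, not something the post specifies.

```php
<?php
// Added example: hypothetical names throughout, not code from the post.
// In-memory SQLite keeps it self-contained; the poster's setup would use MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pass_hash TEXT)');
$pdo->exec('CREATE TABLE logged_in (token_hash TEXT PRIMARY KEY, user_id INTEGER, ip TEXT, expires INTEGER)');
// Constructed sample account.
$pdo->prepare('INSERT INTO users (login, pass_hash) VALUES (?, ?)')
    ->execute(['corncob', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login step: verify the password, then record the token hash and IP server-side.
function login(PDO $pdo, string $login, string $pass, string $ip): ?string {
    $st = $pdo->prepare('SELECT id, pass_hash FROM users WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // unguessable cookie value
    $pdo->prepare('INSERT INTO logged_in VALUES (?, ?, ?, ?)')
        ->execute([hash('sha256', $token), $row['id'], $ip, time() + 3600]);
    return $token;
}

// Per-page check: the token must exist, be unexpired, and match the stored IP.
function check_login(PDO $pdo, ?string $token, string $ip): ?int {
    if ($token === null || $token === '') {
        return null;
    }
    $st = $pdo->prepare('SELECT user_id, ip FROM logged_in WHERE token_hash = ? AND expires > ?');
    $st->execute([hash('sha256', $token), time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return ($row && $row['ip'] === $ip) ? (int) $row['user_id'] : null;
}

// In a web request the token goes out without an expiry, so it lasts until the browser quits:
//   setcookie('auth', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// and each page calls check_login($pdo, $_COOKIE['auth'] ?? null, $_SERVER['REMOTE_ADDR']);
// when that returns null: header('Location: /login.php'); exit;

$token = login($pdo, 'corncob', 'correct horse', '192.0.2.10'); // constructed IPs
var_dump(check_login($pdo, $token, '192.0.2.10'));   // same browser, same IP
var_dump(check_login($pdo, $token, '198.51.100.7')); // cookie replayed from another IP
var_dump(check_login($pdo, 'forged', '192.0.2.10')); // token the server never issued
```

The second call shows the trade-off the reply mentions: a legitimate user whose proxy changes their address is rejected the same way as a replayed cookie and has to log in again.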