Can someone give me a small tutorial on how to write a Login/Logout system in PHP/MYSQL? My main problem is probably going to be letting that computer know that you're still logged on from page to page, and how to keep people from logging in as you by simply typing a URL with your variables in it...
Use cookies.
Just google "PHP with cookies"...there are quite a few excellent tuts.
Cookie bad
Sessions good
When a page is executed, check for the variable $sid. If it's set, then get related data from the DB. If not, create a new sid. On each link/form on the page, add the sid to the link.
Code:
if ( isset($sid) )
{
$sql = "SELECT * FROM data_table
WHERE sid = '$sid'";
$result = mysql_query( $sql );
// Blah blah, do stuff with results
}
else
{
$sid = md5( (double) microtime() . $REMOTE_ADDR . uniqid(rand(101010101, 999999999)) );
}
// ...
echo '<a href="' . append_sid( 'page.php' ) . '">page</a>';
function append_sid
{
// puts the sid on the end of the link (will put ? mark if needed, or &
}
Cookies bad? Why. I'm discussing this with PJ right now. Cookies are simpler, and they work.
Sorry, Zack. But I'm gonna have to go with Oracle on the actual routine to check if you're logged in or not.
Oracle, could you tell me what's supposed to go in that function?
be sure to encrypt your passwords to prevent hackers, and you should be fine. PHP should have a function for this, crypt (look it up at php.net).
as for general security, if the data is that desirable to hack, or it's that important, make your login system issue session ids that are located in tables containing the date and time, and force the user to log in again if the session isn't updated for 15 minutes. I think PHP also has some session functions, though I don't know it well enough to name them. And for even more security, set your cookies expiration to 0 so it'll expire when the browser closes.
Of course, I don't think anyone's going to be hacking your site if it has basic cookie security, though.
Yup, Toonski. I've got hte passwords in md5 encryption.
Oracle again: Actually, could you re-explain that to me, assuming I have NO knowledge on sessions? Which I don't?
Well, I figured it out, but one more thing...
I need to know where I can place my login.php and logout.php files. I need them to be excecuted before the page is actually displayed. Is there a way I can tell the login and logout files to run and THEN load the pages?
Yep.
Add that in the <head> part of login.php/logout.php.
Code:
<meta http-equiv="refresh" content="5;URL=http://www.thegeekery.org/">
The "5" indicates a 5 seconds delay before redirecting (can be changed at will), and the URL part is the url to redirect to.
Quote:Cookie bad
Sessions good
Huh?
Cookies good! Mmmmm cookies... ;-)
Sessions bad! Can't eat sessions.