Re: the "correct" way to login.

From: "Jon Tai" <jon(at)tgpsolutions(dot)com>
To: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Subject: Re: the "correct" way to login.
Date: 2001-03-17 09:58:15
Message-ID: 006e01c0aec8$c90ae300$6501a8c0@genesis
Lists: pgsql-php


HTTP auth is bad for several reasons.

1) The user/pass is submitted upon each request to the page.

2) There is no way to control how long a session lasts (auto-logout after a
certain time)

3) There is no way to end the session explicitly (logout button)

4) There is built-in session support in PHP4. Use it. =)

When I build applications that require a login, I have each file include a
"common.inc" file that contains shared (global) variables and functions. It
also forces a login...

<?php

//
// common.inc
//

// set global variables
...

// initialize session (8hr auto-expire on the session cookie)
session_set_cookie_params(28800);
session_start();

// $username and $password are passed via POST from a login form.
// (The original relied on register_globals and session_register(), both
// long gone; read $_POST and $_SESSION explicitly instead.)
if (isset($_POST['username']))
    $_SESSION['ses_user'] = $_POST['username'];
if (isset($_POST['password']))
    $_SESSION['ses_pass'] = $_POST['password'];

// allow for logout if $logout is set via GET or POST
if (isset($_REQUEST['logout'])) {
    $_SESSION = array();   // clear the session data first...
    session_destroy();     // ...then discard the server-side session file
}

// if unauthorized, allow for login
if (!empty($_SESSION['ses_user']) && !empty($_SESSION['ses_pass'])) {
    // check user/pass against database, .htaccess file, etc.
    ...
    // if user/pass is valid,
    define("USER_AUTHORIZED", 1);
}

if (!defined("USER_AUTHORIZED")) {
    // redirect or print login form via include();
    ...
}

?>

----- Original Message -----
From: "Dan Wilson" <phpPgAdmin(at)acucore(dot)com>
To: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
Sent: Thursday, March 15, 2001 10:31 AM
Subject: Re: [PHP] the "correct" way to login.

I've had problems with this solution. I had to switch phpPgAdmin from
HTTP-Auth to a standard HTML form because of problems running it on a
non-Apache server.

Just an FYI.

-Dan

: I use this solution too, in order to authenticate my users....
:
: My users/password table is in a PostgreSQL database.
:
: Cassio.
: ----- Original Message -----
: From: "Andrew Hammond" <drew(at)waugh(dot)econ(dot)queensu(dot)ca>
: To: "[PHP] PostgreSQL" <pgsql-php(at)postgresql(dot)org>
: Sent: Thursday, March 15, 2001 7:37 AM
: Subject: [PHP] the "correct" way to login.
:
:
: > On Wed, Mar 14, 2001 at 02:39:28AM +0100, Christian Marschalek wrote:
: > > > Horrible idea!! Even with an encrypted password. Use PHP
: > > > sessions, and save
: > > > any info on the session (this is saved on a temp file on the
: > > > server, and only
: > > > the session handle is passed to the browser).
: >
: > The HTTP protocol provides userid/password based authentication.
: > Using cookies or hidden variables in a form while a popular
: > approach is not the correct way to do this. Furthermore, a lot
: > of people out there surf through a junk filter which will
: > probably not let your cookie through. Mine certainly won't.
: >
: > The solution is to use the HTTP auth stuff. You can do this
: > either using apache's Require directive at the server layer or
: > directly in your scripts.
: >
: > To do it using apache, you need to edit your httpd.conf or
: > appropriate configuration file and put in something like the
: > following:
: >
: > <Directory /foo>
: >     AuthType Digest
: >     AuthName "realm foo"
: >     AuthUserFile /web/users
: >     AuthGroupFile /web/groups
: >     Require group admin
: > </Directory>
: >
: > Or you could just put the stuff contained in the Directory
: > stanza into a .htaccess file in the directory you want to
: > restrict access to, however that is inefficient since the
: > .htaccess file needs to be stat'd every time a page is accessed.
: > It also only allows directory level granularity and it's a pain
: > in the ass to make the 401 message meaningful. But it's
: > sufficient for many jobs and very fast. The apache approach also
: > supports the digest method giving some transportation security,
: > while the direct php approach does not.
: >
: > To do it in your script directly, you need to pay attention
: > to $PHP_AUTH_USER and $PHP_AUTH_PW. For example:
: >
: > // $PHP_AUTH_USER / $PHP_AUTH_PW were register_globals names; today they
: > // are only available as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']
: > if (!isset($_SERVER['PHP_AUTH_USER'])) {
: >     header("WWW-Authenticate: Basic realm=\"sis_access\"");
: >     header("HTTP/1.0 401 Unauthorized");
: >     include('denied.html'); // or you could redirect
: >     exit;
: > }
: >
: > Then test the password the same way. Passwords should (obviously)
: > be stored in an encrypted format (MD5 is suitable, or you can just
: > use good old DES crypt). This will provide you with localized
: > security. For transport level security you can either use the
: > digest method for authentication, or if you're really serious, an
: > SSL connection. Of course if you're _really_ serious you're going
: > to be using x509 certs and public key crypto, not some rinky dink
: > password based system.
: >
: > > > System Administration: It's a dirty job,
: >
: > Then you're doing it wrong.
: >
: > ---------------------------(end of broadcast)---------------------------
: > TIP 4: Don't 'kill -9' the postmaster
: >
:
:
: ---------------------------(end of broadcast)---------------------------
: TIP 5: Have you checked our extensive FAQ?
:
: http://www.postgresql.org/users-lounge/docs/faq.html

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://www.postgresql.org/search.mpl
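The session-based login that Jon's common.inc sketches, and the "store the password hashed" advice from Andrew's message, carried through as one added example. This is not code from the thread or from phpPgAdmin; it keeps the same per-request flow (login via POST, logout via `$logout`, `USER_AUTHORIZED` defined on success) but stores only a user id and a last-activity timestamp in the session, never the password, verifies the password once at login with `password_hash()`/`password_verify()` in place of MD5 or DES `crypt()`, and enforces the 8-hour limit on the server rather than trusting the cookie lifetime. It assumes PHP 7.3 or later with PDO's pgsql driver, a table `users(id serial primary key, username text unique, pwhash text)`, the placeholder DSN and credentials in `db()`, and hypothetical `login_form.php` / `/login.php` files.

```php
<?php
// auth.inc -- added example, not code from the thread or from phpPgAdmin.
// Assumed (not from the thread): PHP 7.3+, PDO pgsql, a users table
// (id, username, pwhash), placeholder DSN below, and hypothetical
// login_form.php and /login.php.

const IDLE_TIMEOUT = 8 * 3600;            // seconds of inactivity allowed

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('pgsql:host=localhost;dbname=app', 'app', 'secret',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
    return $pdo;
}

// Store a salted, deliberately slow hash rather than MD5 or DES crypt().
function createUser(string $username, string $password): void
{
    $st = db()->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :h)');
    $st->execute([':u' => $username,
                  ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Verify the password once, at login. Returns the user id or null.
function authenticate(string $username, string $password): ?int
{
    $st = db()->prepare('SELECT id, pwhash FROM users WHERE username = :u');
    $st->execute([':u' => $username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify() so an unknown username costs the same
    // time as a wrong password and cannot be told apart by timing.
    $hash = $row ? $row['pwhash'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    return ($row && password_verify($password, $hash)) ? (int) $row['id'] : null;
}

function login(int $userId): void
{
    session_regenerate_id(true);          // fresh id: blocks session fixation
    $_SESSION = ['uid' => $userId, 'last_seen' => time()];
}

// Explicit logout: drop the server-side data and expire the cookie.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Server-side idle timeout. The cookie lifetime alone is enforced by the
// browser, which anyone replaying a stolen cookie simply ignores.
function currentUser(): ?int
{
    if (!isset($_SESSION['uid'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['uid'];
}

// ---- per-request flow, mirroring common.inc ----
session_set_cookie_params(['lifetime' => 0, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

if (isset($_REQUEST['logout'])) {
    logout();
    header('Location: /login.php');       // hypothetical login page
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['username'], $_POST['password'])) {
    $uid = authenticate($_POST['username'], $_POST['password']);
    if ($uid !== null) {
        login($uid);
    }
}

if (currentUser() === null) {
    http_response_code(401);
    include 'login_form.php';             // hypothetical login form
    exit;
}
define('USER_AUTHORIZED', 1);
```

Two points worth noticing against the original common.inc: `session_set_cookie_params(28800)` only asks the browser to forget the cookie after eight hours, so the timeout in `currentUser()` is what actually ends a session that a client keeps presenting; and because the password is verified once and only `uid` is kept, a leaked session file or a dumped `$_SESSION` exposes no credential, which addresses the objection in Jon's point 1 more completely than re-checking a stored user/pass on every request.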
