You may want to check out PEAR::LiveUser http://pear.php.net/package-info.php?pacid=126 http://projects.21st-hq.de/liveuser/
A very complete / multilevel authentication package. Get the latest source from CVS as the source on the pear site is a bit outdated.

olinux

--- "Clarkson, Nick" <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I've searched the archives, but it's not helping me much purely because it's
> not specific PHP code I'm after, but rather help with a login system design.
> So far I've got a PHP_AUTH based login which checks against a MySQL
> database, and if the user's details are correct it updates the database with
> their IP and login time, then creates session variables for their username
> and security level (for admins, mods etc). However, the more I read, the
> more I worry about security, so I want to try and get this as good as I can
> possibly get it with security my main concern. What I hope to achieve is
> some reusable code. All the tutorials and sample code I look at say don't
> use this in a production environment because it's not secure. When I'm happy
> with what I've got I'll make the code available, hopefully this will be a
> joint effort and any credit will be given.
> So far the steps I have are:
>
> Set $auth to false
> Are PHP_AUTH_USER and PHP_AUTH_PW set ?
> Yes -> Connect to database
>        check user/pw exists in database
>        if they do then set $auth to true
>
> Is $auth false ?
> Yes -> Display login box with header();
>
> No -> update database with ip and time
>       create session variables
>       forward to next page
>
> I'm after two things; ideas for a better (more comprehensive) design and
> potential security holes. Are sessions a bad idea ? Should I store them in
> my database ? Is the initial HTTP authentication a bad idea (because of
> either security or browser compatibility) and can I make the HTTP
> authentication more secure ? Should I stick with a regular login form ? Is
> checking for a username session variable on each following page enough ?
>
> Hopefully this is relevant here.
>
> Thanks,
>
> Nick

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
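The login flow Nick sketches, carried through in PHP as an added example (not code from this thread or from LiveUser): the PHP_AUTH_USER/PHP_AUTH_PW pair is checked against a user table with a prepared statement and a stored password hash, the IP and login time are recorded, and the session gets a fresh id before the username and level are stored in it. The in-memory SQLite table, the 'nick' account and /next-page.php are constructed for the example.

```php
<?php
// Added example; the SQLite table and 'nick' account are constructed test data.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT, level TEXT, last_ip TEXT, last_login INTEGER)');
    // Constructed sample account: store a password hash, never the password.
    $db->prepare('INSERT INTO users (username, pwhash, level) VALUES (?, ?, ?)')
       ->execute(['nick', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    return $db;
}

// Returns ['username' => ..., 'level' => ...] on success, null on failure.
function authenticate(PDO $db, ?string $user, ?string $pw, string $ip): ?array {
    if ($user === null || $pw === null) {
        return null;                        // no credentials offered yet
    }
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT username, pwhash, level FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    // Always run password_verify so unknown and known users take similar time.
    $hash = $row['pwhash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($pw, $hash) || $row === null) {
        return null;
    }
    $db->prepare('UPDATE users SET last_ip = ?, last_login = ? WHERE username = ?')
       ->execute([$ip, time(), $user]);
    unset($row['pwhash']);                  // never carry the hash into the session
    return $row;
}
if (PHP_SAPI === 'cli') {                   // stand-alone check from the command line
    $db = setupDb();
    var_dump(authenticate($db, 'nick', 'wrong password', '127.0.0.1'));
    var_dump(authenticate($db, 'nick', 'correct horse', '127.0.0.1'));
} else {                                    // running under a web server
    $me = authenticate(setupDb(), $_SERVER['PHP_AUTH_USER'] ?? null,
                       $_SERVER['PHP_AUTH_PW'] ?? null, $_SERVER['REMOTE_ADDR']);
    if ($me === null) {
        header('WWW-Authenticate: Basic realm="Members"');
        http_response_code(401);
        exit('Login required');
    }
    session_start();
    session_regenerate_id(true);            // fresh session id once authenticated
    $_SESSION['username'] = $me['username']; $_SESSION['level'] = $me['level'];
    header('Location: /next-page.php');     // hypothetical next page
    exit;
}
```

Pages that follow should check $_SESSION['username'] and $_SESSION['level'] after session_start(), and the HTTP Basic exchange only protects the password in transit when the site is served over HTTPS.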