Simplest way that is also quite safe:

Create a "sessions" table (user_id, session_key, last_action_datetime). When
a user logs in, you create a session key (a 40 character random string will
do) and store a row in the database table. You also set a cookie with the
session key and make sure you use path=/, so it is returned to the server
on all requests.

When a user comes to the site, you always run a procedure (set up a
trace?) to check for the cookie and the validity of the key found and
update the session table with the current date and time. Unless of course
the date and time found was smaller than (current_date - session_timeout).
And you display a timeout screen, and delete the row and the cookie.
(path!)

After a successful authentication you set a global variable with the user
id or a value like -1 if it is not a valid user. Now your script can use
this variable to know who is logged in or not.

When a user logs out, simply delete the row and the cookie. You may also
want to set up a process that at intervals clears out the session table
for sessions that timed out.

If you want a persistent login ("remember me"), you can add another column
to your users table that holds another random string, also set in a cookie,
but this cookie is never deleted and set to never expire. You can check
for this one if there is no real session key, but be sure to note its use
in another global variable so scripts can tell if this really isn't secure
enough for the action they want to perform.

If security is not a security issue at all, you could just go for the key
in the users table and write that to a cookie when they log in with the
correct answer and forget about the sessions table.

Hope that helps,
Bas.

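The scheme Bas describes above (random session key in a database row, cookie checked on every request, inactivity timeout, periodic sweep, and a separate weaker "remember me" token), written out as an added example that is not part of the original mail. It is in Python with an in-memory SQLite table rather than AOLserver Tcl, so the cookie handling itself (setting path=/, clearing the cookie on timeout or logout) is left to the caller; the table layout follows his sessions(user_id, session_key, last_action_datetime) and the users.remember_hash column, the 30 minute timeout, and the choice to store only a hash of the remember-me token are assumptions for the example.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TIMEOUT = 30 * 60  # assumed: seconds of inactivity before a session is dropped


class SessionStore:
    """One row per login, keyed by a random string the browser sends back in a cookie."""

    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " user_id INTEGER NOT NULL,"
            " session_key TEXT PRIMARY KEY,"
            " last_action_datetime REAL NOT NULL)"  # seconds since the epoch
        )
        # Remember-me column on the users table. Only a hash of the token is
        # stored, so a copy of the database does not yield working cookies.
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS users ("
            " user_id INTEGER PRIMARY KEY, remember_hash TEXT)"
        )

    def login(self, user_id, now=None):
        """Create the 40-character key and store the row; the caller sets the cookie (path=/)."""
        key = secrets.token_hex(20)  # 20 random bytes -> 40 hex characters
        now = time.time() if now is None else now
        self.conn.execute("INSERT INTO sessions VALUES (?, ?, ?)", (user_id, key, now))
        return key

    def check(self, key, now=None):
        """Run on every request. Returns the user id, or -1 when there is no valid
        session (the value Bas suggests for the global variable). A valid session
        gets its last-action time refreshed; a timed-out one is deleted."""
        now = time.time() if now is None else now
        if not key:
            return -1
        row = self.conn.execute(
            "SELECT user_id, last_action_datetime FROM sessions WHERE session_key = ?",
            (key,),
        ).fetchone()
        if row is None:
            return -1
        user_id, last_action = row
        if last_action < now - SESSION_TIMEOUT:
            self.logout(key)  # timed out: drop the row; caller shows the timeout screen and clears the cookie
            return -1
        self.conn.execute(
            "UPDATE sessions SET last_action_datetime = ? WHERE session_key = ?",
            (now, key),
        )
        return user_id

    def logout(self, key):
        """Delete the row; the caller deletes the cookie (same path!)."""
        self.conn.execute("DELETE FROM sessions WHERE session_key = ?", (key,))

    def sweep(self, now=None):
        """Periodic cleanup of timed-out rows; returns how many were removed."""
        now = time.time() if now is None else now
        cur = self.conn.execute(
            "DELETE FROM sessions WHERE last_action_datetime < ?", (now - SESSION_TIMEOUT,)
        )
        return cur.rowcount

    def set_remember_me(self, user_id):
        """Issue the long-lived token for the never-expiring cookie; store only its hash."""
        token = secrets.token_hex(20)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?)", (user_id, digest))
        return token

    def current_user(self, session_key, remember_token=None, now=None):
        """Resolve who is logged in. Returns (user_id, how), where 'how' is
        'session' for a real session, 'remember_me' for the weaker persistent
        cookie (so scripts can refuse sensitive actions), or None for nobody."""
        user_id = self.check(session_key, now)
        if user_id != -1:
            return user_id, "session"
        if remember_token:
            digest = hashlib.sha256(remember_token.encode()).hexdigest()
            row = self.conn.execute(
                "SELECT user_id FROM users WHERE remember_hash = ?", (digest,)
            ).fetchone()
            if row is not None:
                return row[0], "remember_me"
        return -1, None
```

The request handler would call `current_user()` with the two cookie values and keep the returned pair in its per-request globals; anything that changes account state should insist on the "session" value, while the "remember_me" one is good enough for a personalised front page.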
Brian Fenton said:
> Jeremy,
> Why re-invent the wheel? OpenACS already does this and much more and
> it's all open source. Take a look at www.openacs.org for more code than
> you can shake a stick at!
>
> Brian
>
> -----Original Message-----
> From: Jeremy Cowgar [mailto:[EMAIL PROTECTED]
> Sent: 15 March 2003 16:01
> To: [EMAIL PROTECTED]
> Subject: [AOLSERVER] Best way for user authentication?
>
> Please forgive my ignorance,
>
> But can someone point me in a direction for user authentication with AOL
> server? I understand two methods, but not certain how to make it all
> glue together.
>
> The first method I know is http authentication which will pop up a
> dialog box and ask the user for their information. I would like to try
> to avoid this because it's not quite as user friendly as having a login
> form.
>
> The second method is using cookies. I can handle this, but ensuring that
> the cookie is read for all .adp requests, that it is available in all my
> tcl methods, in the included adp_ files, etc... that is confusing me a
> little.
>
> I am certain there are other ways as well.
>
> Can anyone give me a little info or point me to an information source on
> this subject?
>
> Thanks,
>
> Jeremy
>
>
>
> I. To remove yourself from this list:
>
> Send a message to "[EMAIL PROTECTED]"  with the following text
> in the BODY of your message:
>
> signoff aolserver
>
> II. For a complete list of listserv options please visit:
>
> http://listserv.aol.com/
>
> III. For more AOLserver information please visit:
>
> http://www.aolserver.com/
>
>
> --
> AOLserver - http://www.aolserver.com/
> To Remove yourself from this list:
> http://www.aolserver.com/listserv.html List information and options:
> http://listserv.aol.com/