: Some people's REMOTE_ADDR changes every time they make a web request...
:
: For example, an ISP I use uses an array of invisible proxies that change my
: IP on each request..

Thanks for the advice.  That would have been rather embarrassing if people
couldn't login!  Then is just the session id secure enough?  Does anybody
see any problems?

Below is the code I've got worked out and it's functioning fine.  Anybody
notice anything that I should know about?  I guess I'm a little paranoid
because I'd hate to not get it right and leave the site insecure.

My code is below.  BTW, the Unserialize class uses a built-in unserialize
function that turns all the serialized data into object values.

function show_login($err = "") {

 $Error["Login"] = $err;
 require("include/login.inc");

 exit;
}
 //phpinfo();
if (empty($sess_id) or !isset($sess_id) or !empty($username)) {
 if (empty($username) or !isset($username)) {
  ## First Login attempt
  show_login();
 } elseif (!empty($username) or isset($username)) {
  $db = new a_DB;
  ## Escape the user-supplied value before putting it in the query (as is already
  ## done for $data below); otherwise a quote in $username rewrites the SQL.
  $q = "SELECT * FROM RPW_Users WHERE Username = '" . addslashes($username) . "'";
  $db->query($q);
  if (!$db->next_record()) {
   show_login("Error: Invalid Username or Password. (Rows = 0)");
  } elseif ($db->f("Password") != $password) {
   ## Debug output only: these two lines echo the stored password to the browser.
   print "Password in table = " . $db->f("Password") . "<br>";
   print "Password entered = " . $password . "<br>";

   show_login("Error: Invalid Username or Password. (Password doesn't match table)");
  } else {
   $sess_id = md5(uniqid("antidisestablishmentarianism"));
   $data["Access"] = $db->f("Access");
   $data = addslashes(serialize($data));
   $db = new a_DB;
   $q = "INSERT INTO RPW_Sessions (sess_id, mdate, session_data) VALUES ('$sess_id', " . time() . ", '$data')";
   $db->query($q);
  }
 }
}
if (!empty($sess_id) or isset($sess_id)) {
 $db = new a_DB;
 ## $sess_id also arrives from GET/POST, so escape it the same way.
 $q = "SELECT * FROM RPW_Sessions WHERE sess_id = '" . addslashes($sess_id) . "'";
 $db->query($q);
 if ($db->num_rows() == 0) {
  show_login("Previous session has expired.  Please re-login.");
 } else {
  $Data = new Unserializable;
  $db->next_record();
  $Data->unserialize($db->f("session_data"));
  ## Refresh the timestamp; note that nothing above compares mdate against a timeout.
  $q = "UPDATE RPW_Sessions SET mdate = " . time() . " WHERE sess_id = '" . addslashes($sess_id) . "'";
  $db->query($q);
 }
}
: Andrew
: ----- Original Message -----
: From: "Joel Ricker" <[EMAIL PROTECTED]>
: To: <[EMAIL PROTECTED]>
: Sent: Tuesday, September 04, 2001 1:26 AM
: Subject: [PHP] Am I doing this right? (PHP3/Login system)
:
:
: > I'm trying to get a login system going using PHP3 and MySQL.  I'll have
: > two tables -- one containing the username and passwords of each user plus a
: > variable called Access which will hold what other parts of the scripts
: > they'll have access to and another containing the actual logged in
: > sessions.
: > I'm trying to do this without using cookies so I'll be passing $sess_id
: > around by get and post.
: >
: > These are my notes of what I'm thinking.  Does anybody see any major
: > problems with this?
: >
: > 1.  If $sess_id doesn't exist, check for a username/password combination.
: >         a. if username/password exist, check validity
: >             i. if not valid, display error message/login
: >         b. if username/password doesn't exist
: >             i. display login.
: >         c. if username/password exist and valid (MySQL table check)
: >             i. create session id
: >             ii. find REMOTE_ADDR
: >             iii. fetch user information (Access, etc).
: >             iv. serialize REMOTE_ADDR, user information for table
: >             v. store session id, serialized information, and timestamp in
: > sessions table.
: >             vi. continue
: > 2.  If $sess_id does exist, check table for session information.
: >         a. if session exists
: >             i. pull serialized data
: >             ii. find REMOTE_ADDR and compare to current.
: >                 !. if not correct, display login
: >             iii. update timestamp in session table
: >             iv. continue
: >         b. if session doesn't exist
: >             i. display login.
: >
: > Joel
: >
: >
: > --
: > PHP General Mailing List (http://www.php.net/)
: > To unsubscribe, e-mail: [EMAIL PROTECTED]
: > For additional commands, e-mail: [EMAIL PROTECTED]
: > To contact the list administrators, e-mail: [EMAIL PROTECTED]
: >
: >

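A hardened version of the two steps in Joel's outline, added here as an example (it is not code from the thread): prepared statements instead of interpolated strings, a CSPRNG session id instead of md5(uniqid()), hashed passwords, and an idle timeout on mdate, which the posted code never checks. It assumes PHP 7.1+ with pdo_sqlite, uses a constructed in-memory user table, and leaves REMOTE_ADDR out of the session record, per Andrew's point.

```php
<?php
// Added example, not the original poster's code. Assumes PHP >= 7.1 with pdo_sqlite.
const SESSION_TTL = 1800;  // seconds of inactivity after which a session expires

function setup(PDO $db): void {
    $db->exec("CREATE TABLE RPW_Users (Username TEXT PRIMARY KEY, Password TEXT, Access TEXT)");
    $db->exec("CREATE TABLE RPW_Sessions (sess_id TEXT PRIMARY KEY, mdate INTEGER, session_data TEXT)");
    // Constructed sample user: only a password hash is stored, never the clear text.
    $st = $db->prepare("INSERT INTO RPW_Users VALUES (?, ?, ?)");
    $st->execute(['joel', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
}

// Step 1 of the outline: check credentials, create a session row, return its id.
function login(PDO $db, string $username, string $password): ?string {
    $st = $db->prepare("SELECT Password, Access FROM RPW_Users WHERE Username = ?");
    $st->execute([$username]);   // bound parameter: a quote in $username is just data
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // One generic failure for both "no such user" and "wrong password".
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    $sess_id = bin2hex(random_bytes(16));  // 128 random bits, not md5(uniqid())
    $data = json_encode(['Access' => $row['Access']]);  // JSON: decoding creates no objects
    $st = $db->prepare("INSERT INTO RPW_Sessions (sess_id, mdate, session_data) VALUES (?, ?, ?)");
    $st->execute([$sess_id, time(), $data]);
    return $sess_id;
}

// Step 2: look the id up, reject stale rows, refresh mdate, return the session data.
function validate_session(PDO $db, string $sess_id): ?array {
    $st = $db->prepare("SELECT mdate, session_data FROM RPW_Sessions WHERE sess_id = ?");
    $st->execute([$sess_id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;  // unknown id: show the login form
    }
    if (time() - (int)$row['mdate'] > SESSION_TTL) {  // the posted code never checks this
        $db->prepare("DELETE FROM RPW_Sessions WHERE sess_id = ?")->execute([$sess_id]);
        return null;  // expired: show the login form
    }
    $db->prepare("UPDATE RPW_Sessions SET mdate = ? WHERE sess_id = ?")->execute([time(), $sess_id]);
    return json_decode($row['session_data'], true);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($db);
var_dump(login($db, "joel' OR '1'='1", 'x'));  // injection attempt is bound, so it is just an unknown username
var_dump(validate_session($db, login($db, 'joel', 'correct horse')));
```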