Oops, just remembered something else; are PHP_AUTH_USER and PHP_AUTH_PW
handled at the client side or sent in clear text back to the server for
processing ? Basically, what I'm doing once they are set is a select
from a database like so;

$result = mysql_query("SELECT * FROM users WHERE
    username='" . $_SERVER['PHP_AUTH_USER'] . "' AND
    password='" . md5($_SERVER['PHP_AUTH_PW']) . "'", $dbconn)
    or die('Unable to execute query.');

Would this pass both variables in clear text back to the server ? If so
would it be better to do this;

$result = mysql_query("SELECT * FROM users WHERE
    md5(username)='" . md5($_SERVER['PHP_AUTH_USER']) . "' AND
    password='" . md5($_SERVER['PHP_AUTH_PW']) . "'", $dbconn)
    or die('Unable to execute query.');

Would this then pass both variables after being hashed with md5 ? Am I
barking up the wrong tree ? Or just plain barking ;oD

Thanks,

Nick

> -----Original Message-----
> From: Clarkson, Nick 
> Sent: 18 February 2003 14:36
> To:   '[EMAIL PROTECTED]'
> Subject:      [PHP] Help with authentication 'design'
> 
> 
> Hi,
> 
> I've searched the archives, but it's not helping me much purely because
> it's not specific PHP code I'm after, but rather help with a login system
> design. So far I've got a PHP_AUTH based login which checks against a
> MySQL database, and if the user's details are correct it updates the
> database with their IP and login time, then creates session variables for
> their username and security level (for admins, mods etc). However, the
> more I read, the more I worry about security, so I want to try and get
> this as good as I can possibly get it with security my main concern. What
> I hope to achieve is some reusable code. All the tutorials and sample code
> I look at say don't use this in a production environment because it's not
> secure. When I'm happy with what I've got I'll make the code available,
> hopefully this will be a joint effort and any credit will be given.
> So far the steps I have are;
> 
> Set $auth to false
> Are PHP_AUTH_USER and PHP_AUTH_PW set ?
>       Yes     -> Connect to database
>                  check user/pw exists in database
>                  if they do then set $auth to true
>       
> Is $auth false ?
>       Yes     -> Display login box with header();     
> 
>       No      -> update database with ip and time
>                  create session variables
>                  forward to next page
> 
> I'm after two things; ideas for a better (more comprehensive) design and
> potential security holes. Are sessions a bad idea ? Should I store them in
> my database ? Is the initial HTTP authentication a bad idea (because of
> either security or browser compatibility) and can I make the HTTP
> authentication more secure ? Should I stick with a regular login form ? Is
> checking for a username session variable on each following page enough ?
> 
> Hopefully this is relevant here. 
> 
> Thanks,
> 
> Nick
> 
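As an added example (not from this thread) on the question above: PHP fills PHP_AUTH_USER and PHP_AUTH_PW from the browser's Authorization: Basic header, which is only base64-encoded, so both values cross the network in the clear on every request no matter what the query does with them afterwards; an md5() inside the SQL changes nothing on the wire, only TLS does. The snippet decodes such a header as the server sees it, then does the lookup with a bound parameter and password_verify instead of string concatenation and a bare md5 in the WHERE clause; it assumes PHP 7.1+ with the pdo_sqlite extension and uses constructed sample credentials.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ and pdo_sqlite.

// 1. What the browser actually sends. PHP derives PHP_AUTH_USER/PHP_AUTH_PW
//    by decoding this header; any hashing in the SQL happens later, on the
//    server, so it cannot protect what already crossed the network.
$header = 'Basic bmljazpzM2NyM3Q=';              // constructed: "nick:s3cr3t"
[$user, $pass] = explode(':', base64_decode(substr($header, 6)), 2);
// $user is 'nick' and $pass is 's3cr3t': readable by anyone who can see the
// request unless it travelled over TLS.

// 2. Server-side check. Two changes over the posted query:
//    - the username is bound as a parameter, never concatenated into SQL;
//    - the table holds a salted password_hash() value, compared in PHP with
//      password_verify(), so the password itself is never sent to the DB.
function authenticate(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still run a verify against a throwaway hash so the
    // response time does not reveal which usernames exist.
    $stored = ($row !== false)
        ? $row['password_hash']
        : password_hash('dummy', PASSWORD_DEFAULT);
    return $row !== false && password_verify($pass, $stored);
}

// Self-contained demo on an in-memory SQLite table with one constructed user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['nick', password_hash('s3cr3t', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, $user, $pass));    // credentials from the header
var_dump(authenticate($db, 'nick', 'wrong'));  // wrong password
var_dump(authenticate($db, 'nobody', 's3cr3t')); // unknown user, same code path
```

Storing password_hash() output also replaces the unsalted md5(password) column in the posted query, which would let anyone with a copy of the table look the hashes up in a precomputed list.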




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
