Oops, just remembered something else; are PHP_AUTH_USER and PHP_AUTH_PW handled at the client side or sent in clear text back to the server for processing ? Basically what I'm doing is once they are set is doing a select from a database like so;
$result=mysql_query("SELECT * FROM users WHERE username='".$_SERVER['PHP_AUTH_USER']."' AND password='".md5($_SERVER['PHP_AUTH_PW'])."'", $dbconn) or die ('Unable to execute query.'); Would this pass both variables in clear text back to the server ? If so would it be better to do this; $result=mysql_query("SELECT * FROM users WHERE md5(username=)'".md5($_SERVER['PHP_AUTH_USER'])."' AND password='".md5($_SERVER['PHP_AUTH_PW'])."'", $dbconn) or die ('Unable to execute query.'); Would this then pass both variables after being hashed with md5 ? Am I barking up the wrong tree ? Or just plain barking ;oD Thanks, Nick > -----Original Message----- > From: Clarkson, Nick > Sent: 18 February 2003 14:36 > To: '[EMAIL PROTECTED]' > Subject: [PHP] Help with authentication 'design' > > > Hi, > > I've searched the archives, bit it's not helping me much purely because > it's not specific PHP code I'm after, but rather help with a login system > design. So far I've got a PHP_AUTH based login which checks against a > MySQL database, and if the user's details are correct it updates the > database with their IP and login time, then creates sessions variables for > their username and security level (for admins, mods etc). However, the > more I read, the more I worry about security, so I want to try and get > this as good as I can possibly get it with security my main concern. What > I hope to achieve is some reusable code. All the tutorials and sample code > I look at say don't use this in a production environment because it's not > secure. When I'm happy with what I've got I'll make the code available, > hopefully this will be a joint effort and any credit will be given. > So far the steps I have are; > > Set $auth to false > Are PHP_AUTH_USER and PHP_AUTH_PW set ? > Yes -> Connect to database > check user/pw exists in database > if they do then set $auth to true > > Is $auth false ? > Yes -> Display login box with header(); > > No -> update database with ip and time > create sessions variables > forward to next page > > I'm after two things; ideas for a better (more comprehensive) design and > potential security holes. Are sessions a bad idea ? Should I store them in > my database ? Is the initial HTTP authentication a bad idea (because of > either security or browser compatability) and can I make the HTTP > authentication more secure ? Should I stick with a regular login form ? Is > checking for a username session variable on each following page enough ? > > Hopefully this is relevant here. > > Thanks, > > Nick > > > > > This private and confidential e-mail has been sent to you by Egg. The Egg group of companies includes Egg Banking plc (registered no. 2999842), Egg Financial Products Ltd (registered no. 3319027) and Egg Investments Ltd (registered no. 3403963) which carries out investment business on behalf of Egg and is regulated by the Financial Services Authority. Registered in England and Wales. Registered offices: 1 Waterhouse Square, 138-142 Holborn, London EC1N 2NA. If you are not the intended recipient of this e-mail and have received it in error, please notify the sender by replying with 'received in error' as the subject and then delete it from your mailbox. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php