Authentication. (Forums : Coding & Scripting)
May 21 2003

At the moment the user logs in and the information is stored in the cookie. However, after bug-testing edit and deletion of comments I found a few flaws (&status=admin), so I put a check at the top of the deletion and edit pages to check the cookie by an SQL statement.

However! I was wondering if it's better to put this statement in the header so it runs on every page, whether or not there's a need to check that the users are who they say they are, OR to just have the check on a certain few pages where it's really needed.

What I'm really wondering is two things. Will this one statement add a lot of pressure to the DB (sure, I won't get that much visitor-wise, but I still want the site to be fast and optimized), or should I make some kind of $special_you_dont_know_cookie[status] cookie thing?

$query = mysql_query("SELECT uid, username, password, status FROM unz_users WHERE username = '$username' and password = '$password'");
while($login = mysql_fetch_object($query))

if($login > 0) {good} else {bad}

Here is the cookie code, which with your help I could improve by adding something onto the $username bit so it's not so easy to abuse.

setcookie ("uid", "$login->uid");
setcookie ("username", "$login->username");
setcookie ("password", "$login->password");
setcookie ("status", "$login->status");

Although it's not $login->status to call status, it's $status unfortunately :s

--

Why wont it save me?

jacksonj04
May 21 2003

Certain few. Include it in the header in an if statement:

if ($reqauth == 1) {
$query = mysql_query("SELECT uid, username, password, status FROM unz_users WHERE username = '$username' and password = '$password'");
while($login = mysql_fetch_object($query))

if($login > 0) {good} else {bad}
}

then all you do is, on the pages where it's needed, call header like:

require ("header.php?reqauth=1");

--

jacksonj04 the generally helpful one
Lost, confused or just need a virtual cuddle? PM me.
Need urgent help from staff? PM us all.

INtense!
May 21 2003

Never do that, NEVER EVER!!!!!! :P

Why? Well, let me log into your site and I'll show you why :D

Basically anything stored client-side should not be trusted; what is there to stop me opening up the status cookie and making myself uber head admin? :P

What you should do is simple:

if(isset($_COOKIE['username']))
{
// then check that the username and password are valid,

select username, uid, status from unz_users where username = ... and password = ...

if(user/pass == valid)
{
$user_properties['status'] = what there status is i.e. $result['status']
}
else
{
// show invalid username / password box
}
}
else
{
// user is not logged in so show login box
}

--

Scott Reismanis
DBolical | @scottreismanis

May 21 2003
$query = mysql_query("SELECT `uid`, `username`, `password`, `status` FROM `unz_users` WHERE `username` = '$username' and `password` = '$password'");
while($auth = mysql_fetch_object($query))

if($auth == 0)
{setcookie ("username", "guest");
setcookie ("status", "guest");}

Doesn't work perfectly; the status is defined but the username isn't.

--

Why wont it save me?

INtense!
May 21 2003

That's cos you should only store username and password in a user's cookies, NOTHING more...

It is a hard concept to get your head around the first time you do it, but yeah, you are kinda doing it all wrong...

basically:

when a user logs in, set cookies

then EVERY TIME they visit a page, at the top check if they have cookies set; if they do and they are valid, get their permission and put it into some variable

if they are not valid then delete their cookies

Get me? There is no need to set cookies as guest.

Remember you must validate a user on every page, there are no ifs and buts about it; don't do that and I can guarantee I can hack your code

--


Tei
May 22 2003

INtense! wrote: Thats cos you should only store username and password in a users cookies NOTHING more...


Sometimes users connect from public computers where the cookie can be stolen. Passwords in cookies should be "encoded" in some way, to stop (at least) trivial hackers.

IMHO.

May 22 2003
if(isset($_COOKIE['username']))
{$query = mysql_query("SELECT `uid`, `username`, `password`, `status` FROM `unz_users` WHERE `username` = '$username' and `password` = '$password'");
while($auth = mysql_fetch_object($query))

if($_COOKIE['username'] == $auth->username && $_COOKIE['password'] == $auth->password)

{$user_properties['status'] = $auth->status;} 

Is right then, according to INtense :P

--

Why wont it save me?

May 22 2003

$_COOKIE['username'] is wrong; I've tried using it and it doesn't exist, so the script doesn't get run. Hence I can't continue till I can get it working, I hate it when this happens.

BTW, the cookie exists.

--

Why wont it save me?

jacksonj04
May 22 2003

@Tei - use the md5() function for a cheap and dirty encryption-ish thing; not actually an encryption (it's just a hash) but still efficient. I think INtense! encrypts the password then hashes the encryption to store it...

--


Tei
May 22 2003

> @Tei - use the md5() function for a cheap and dirty encryption-ish thing; not actually an encryption (it's just a hash) but still efficient. I think INtense! encrypts the password then hashes the encryption to store it...

Hmm... yes, anyway I don't need that, actually.
Thanks.

I know very little about PHP. I use Perl for Apache and JavaScript for IIS.

- Edited By Tei On Thu 22nd, May 2003 @ 9:02:53pm

May 22 2003
if(isset($_COOKIE['username']) && isset($_COOKIE['password']))
{$sql = "SELECT uid,username,password,status FROM unz_users WHERE username = '" . $_COOKIE['username'] . "' AND password = '" . $_COOKIE['password'] . "'";
$query = mysql_query($sql);
$auth = mysql_fetch_object($query);

$user_properties['status'] = $auth->status;}

Perfect, finished code; took an hour and a half in #php, jebus it was stressful!

--

Why wont it save me?
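The following is an added example for this thread, not code posted by azz0r, INtense! or anyone else in it. It puts the thread's "finished code" beside a hardened version of the same login/check flow: it reproduces the final snippet as a function and shows that a forged cookie value rewrites its SQL, then implements the per-page check INtense! asks for (validate on every page, read nothing trusted from the client) with a prepared statement, a password hash instead of the plaintext or an md5 of it, and a random session token as the only thing the cookie carries. It assumes PHP 7+ with the PDO SQLite driver and uses an in-memory database so it runs stand-alone; the table and column names unz_users, uid, username, password and status are the thread's, while the sessions table, the two accounts, their passwords and the function names are made up for the example.

```php
<?php
// Added example for this thread, not code from any of the posts above.
// Assumes PHP 7+ with the PDO SQLite driver. Table/column names unz_users,
// uid, username, password, status come from the thread; the sessions table,
// the two accounts and their passwords are made up for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE unz_users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                   password TEXT, status TEXT)");
$db->exec("CREATE TABLE sessions (token TEXT PRIMARY KEY, uid INTEGER, expires INTEGER)");

// Registration stores a salted hash, so neither a dumped table nor a stolen
// cookie ever yields the plaintext password.
$ins = $db->prepare("INSERT INTO unz_users (username, password, status) VALUES (?, ?, ?)");
$ins->execute(['azz0r',  password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['guest1', password_hash('hunter2', PASSWORD_DEFAULT), 'user']);

// 1. The thread's "finished code" as a function: the cookie values are pasted
//    straight into the SQL string, so whoever sets the cookie writes the query.
function vulnerableAuth(PDO $db, string $cookieUser, string $cookiePass): ?array
{
    $sql = "SELECT uid, username, password, status FROM unz_users WHERE username = '"
         . $cookieUser . "' AND password = '" . $cookiePass . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// A forged cookie username of  azz0r' --  turns the rest of the WHERE clause
// into a SQL comment, so no password (or password hash) is ever compared.
$forged = vulnerableAuth($db, "azz0r' -- ", 'anything');
echo "vulnerable: " . ($forged ? "logged in as {$forged['username']}, status {$forged['status']}"
                               : "rejected") . "\n";

// 2. Hardened login: a prepared statement (no string building), password_verify
//    against the stored hash, and a random session token is what goes in the
//    cookie, not the username/password pair (nor an md5 of it, which would still
//    be a replayable credential if the cookie is lifted from a public machine).
function login(PDO $db, string $username, string $password): ?string
{
    $st = $db->prepare("SELECT uid, password FROM unz_users WHERE username = ?");
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return null;                       // unknown user or wrong password
    }
    $token = bin2hex(random_bytes(32));    // 256-bit unguessable session id
    $st = $db->prepare("INSERT INTO sessions (token, uid, expires) VALUES (?, ?, ?)");
    $st->execute([$token, $row['uid'], time() + 3600]);
    // On a real page (PHP 7.3+ array form):
    // setcookie('session', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return $token;
}

// 3. The per-page check INtense! asks for, run at the top of every page. The
//    client only presents the token; uid and status are looked up server-side
//    each time, so a cookie claiming status=admin is simply never read.
function currentUser(PDO $db, ?string $token): ?array
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                       // missing or malformed token
    }
    $st = $db->prepare("SELECT u.uid, u.username, u.status
                          FROM sessions s JOIN unz_users u ON u.uid = s.uid
                         WHERE s.token = ? AND s.expires > ?");
    $st->execute([$token, time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$token = login($db, 'azz0r', 'correct horse');
$user  = currentUser($db, $token);
echo "hardened: " . ($user ? "{$user['username']} has status {$user['status']}" : "not logged in") . "\n";

// Wrong password, the injection payload as a token, and a well-formed token
// that was never issued all come back null instead of a row.
var_dump(login($db, 'guest1', 'wrong') === null);
var_dump(currentUser($db, "azz0r' -- ") === null);
var_dump(currentUser($db, str_repeat('0', 64)) === null);
```

Run it with `php auth_example.php`. The vulnerable function logs the forged cookie in as azz0r with status admin without ever matching a password, which is the same class of flaw the thread's &status=admin cookie had, just one layer down. In the hardened flow the only client-held secret is the session token, which can be revoked by deleting its row, expires on its own, and can be checked on every page with one indexed lookup, which answers the original question about the cost of validating on each request.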

jacksonj04
May 22 2003

Not surprised, #php is a bugger. So many people...

--


May 22 2003

Sorted.

- Edited By azz0r On Thu 22nd, May 2003 @ 11:38:37pm

--

Why wont it save me?
