tags:

views:

54

answers:

2
Q: 

PHP Password Protection

Hey guys,

I'm making a site and it needs to have user authentication. Currently, I'm using HTTP/Basic Auth for proof of concept/development, but this is not good in production for obvious reasons(ugly, insecure, can't read from mysql db, sucky). So, I know how to do some basic auth stuff, like getting in the username and password, salting it, and matching it against the database, but what I don't know is how to do sessions and making the scripts actually protected(right now index.php is the login page and sends you to startpage.php if you pass, but you could just go straight to startpage.php and you would be "breaking in").

Thanks,
deftonix

A: 

Have a look at this article.

ChristopheD  2009-12-20 18:53:51
With this article's solution, is there not a security hole in registration where the password is sent via POST from register_form.inc.php to register.php? How would this be mitigated if it is indeed, a hole?
deftonix  2009-12-20 19:25:53
Could you explain where the security hole would be. Only a man-in-the-middle attack could be done (theoretically) I think, but the only way to avoid that is simply to switch to https instead of http. If you liked this answer i would appreciate the upvote (it's the up arrow just above the '0' next to this question).
ChristopheD  2009-12-20 22:58:29
A: 

This is a really big question. So I'll just post this screen-cast that goes trough all of that : http://net.tutsplus.com/videos/screencasts/how-to-build-a-login-system-for-a-simple-website/

Jan Hančič  2009-12-20 18:53:56

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases