Bytes | Software Development & Data Engineering Community

Designing a Login Process for a site

nathj
938 Expert 512MB
Hi,

I have a quick favour to ask - would someone please check over this concept for me?

Basically I need to generate a login script and while time is on my side I want to invest in writing my own so that I fully understand and can fully control what is going on.

When a visitor applies for membership they assign themselves a password that is hashed and stored in the database. I do not have, nor do I want a remember-me (stay logged in) function, in the days of modern browsers this seems a bit pointless. That aside, I have planned the process for the login and was hoping someone might be able to point out any flaws with it.

At the top of each page is the login form - two text boxes and a button.

1) The user completes the details and clicks 'Login'.

2) The login script stores what page they are currently on.

3) The form is written with the current page as the action and post as the method.

4) I have a file that hashes the password and then checks the database. This file is included at the very top of every page.

5) If the details are correct then they see the page they were on at the start of this process and the login controls are replaced with a link to the members area and certain items on the navigation bar become available. I then store true to $_SESSION['isLoggedIn'].

6) If the details are wrong they go to a page with the controls on a link to request a new password.

I should say that the navigation is controlled by a database and the user details are also stored in a database.

I know that this is a high level of abstraction, even for pseudo code, but does this process flow sound ok?

I would really appreciate some feedback or pointers - pitfalls to avoid, that sort of thing.

Cheers
nathj
Jul 31 '07 #1
pbmods
5,821 Expert 4TB
Changed thread title to better describe the problem (did you know that threads whose titles contain three words or less actually get FEWER responses?).
Jul 31 '07 #2
gregerly
192 Expert 100+
Your process seems like it should be fine. The process that I use is:

1. User supplies credentials through a form.
2. Processing script searches the users database for that username and password combination.
3. If the code selects a record then the user exists and is redirected to wherever you want them to go.

if you are submitting to the same page as the form just do a check like:

[PHP]if($_POST['submit']){//the name of the submit button
//login code here
}[/PHP]

Be careful with the use of $_SERVER['PHP_SELF']; someone on this board, I think veloelectric (sorry if I misspelled your name), had a good tutorial about why it's not a great idea to use PHP_SELF as a form action. Look into that.

Otherwise I think you're on the right track.

greg
Aug 1 '07 #3
kovik
1,044 Expert 1GB
I have a quick favour to ask - would someone please check over this concept for me?
Concept and code are very different. You could likely have a huge security hole, but think that since the 'concepts' were correct, the code is as well.

1) The user completes the details and clicks 'Login'.

2) The login script stores what page they are currently on.
The login page...?

3) The form is written with the current page as the action and post as the method.

4) I have a file that hashes the password and then checks the database. This file is included at the very top of every page.
A *file* that hashes the password? That sounds wrong.

5) If the details are correct then they see the page they were on at the start of this process and the login controls are replaced with a link to the members area and certain items on the navigation bar become available. I then store true to $_SESSION['isLoggedIn'].
For security purposes, we prefer to check the user against the database with every page request.

6) If the details are wrong they go to a page with the controls on a link to request a new password.
The "forgot your password" link should be on the original login form in the first place. If they forgot, they likely know before they try to guess.
Aug 1 '07 #4
kovik
1,044 Expert 1GB
[PHP]if($_POST['submit']){//the name of the submit button
//login code here
}[/PHP]
You shouldn't check for the submit button because the button itself is not always submitted. Try doing it in IE6 and pressing "Enter" instead of the button. (I believe it's fixed in IE7, but a lot of people still use IE6).
Aug 1 '07 #5
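As an added example (my code, not nathj's and not anything posted in this thread), here is the six-step flow from the first post with kovik's two corrections folded in: the request method is tested instead of the submit button's name, and the account is re-checked on every page request instead of trusting a boolean in the session. It assumes PHP 7.4+ with the PDO and pdo_sqlite extensions, a users table with id, username, password_hash and is_active columns, and the function and field names (authenticate, handleLogin, currentUser, safeReturnPath, return_to) are my own. The in-memory database and the two requests at the bottom are constructed so the file runs from the command line; on a real page the $session array is $_SESSION after session_start(), and $method and $post are $_SERVER['REQUEST_METHOD'] and $_POST.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes PHP 7.4+, PDO with pdo_sqlite,
// and a users(id, username, password_hash, is_active) table. $session stands in
// for $_SESSION after session_start().

function db(): PDO
{
    // Constructed in-memory database with one seeded account so the demo runs offline.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                password_hash TEXT NOT NULL, is_active INTEGER NOT NULL DEFAULT 1)');
    $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
        ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Step 4: hashing/verification lives in a function; only the stored hash ever
// leaves the database. Returns the user's id, or null on failure.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $stmt = $pdo->prepare('SELECT id, password_hash, is_active FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so that response time does
    // not reveal which usernames exist.
    $hash = $row === false ? $dummyHash : $row['password_hash'];
    if (!password_verify($password, $hash) || $row === false || (int) $row['is_active'] !== 1) {
        return null;
    }
    return (int) $row['id'];
}

// Step 2: the "page they were on" comes back in the form, so it is untrusted.
// Only a same-site absolute path is accepted; "//evil.example", "https://..."
// and anything containing whitespace fall back to "/" (closes an open redirect).
function safeReturnPath(string $path): string
{
    return preg_match('#^/(?![/\\\\])\S*\z#', $path) === 1 ? $path : '/';
}

// Steps 1, 3, 5 and 6: process the POST from the form at the top of the page.
// Test the request method, not the submit button's name: the button is not
// always sent (Enter in IE6, scripted submits).
function handleLogin(PDO $pdo, string $method, array $post, array &$session): array
{
    if ($method !== 'POST') {
        return ['status' => 'ignored'];
    }
    // Login CSRF: without a per-session token in a hidden field, another site
    // could log the visitor into an attacker-controlled account.
    if (!isset($session['csrf'], $post['csrf'])
        || !hash_equals($session['csrf'], (string) $post['csrf'])) {
        return ['status' => 'bad_csrf'];
    }
    $userId = authenticate($pdo, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($userId === null) {
        return ['status' => 'failed'];   // step 6: re-show the form with the reset link
    }
    // Store the user id rather than a bare isLoggedIn flag so later requests can
    // re-check the account. On a real page also call session_regenerate_id(true)
    // here, so a session id fixed before login does not survive into the login.
    $session = ['user_id' => $userId, 'csrf' => bin2hex(random_bytes(16))];
    return ['status' => 'ok', 'redirect' => safeReturnPath((string) ($post['return_to'] ?? '/'))];
}

// Run at the top of every page: the session only records who logged in; whether
// that account still exists and is active is re-read from the database, so a
// disabled or deleted user is logged out on their next request. The password is
// not re-run; keeping it in the session to do so would be worse.
function currentUser(PDO $pdo, array &$session): ?array
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ? AND is_active = 1');
    $stmt->execute([(int) $session['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        unset($session['user_id']);   // stale session: treat as logged out
        return null;
    }
    return $user;
}

if (PHP_SAPI === 'cli') {
    $pdo = db();
    $session = ['csrf' => bin2hex(random_bytes(16))];   // token rendered into the form's hidden field
    // Constructed requests: a wrong password, then the right one with a hostile return_to.
    print_r(handleLogin($pdo, 'POST', ['csrf' => $session['csrf'], 'username' => 'alice', 'password' => 'wrong'], $session));
    print_r(handleLogin($pdo, 'POST', ['csrf' => $session['csrf'], 'username' => 'alice',
        'password' => 'correct horse battery staple', 'return_to' => '//evil.example/'], $session));
    print_r(currentUser($pdo, $session));
    $pdo->exec('UPDATE users SET is_active = 0');   // an admin disables the account
    var_dump(currentUser($pdo, $session));          // the stale session is dropped
}
```

Run it with `php login.php`. The points worth carrying into your own version: password_hash/password_verify handle the salt and a slow hash for you, so no hand-rolled "file that hashes the password" is needed; a wrong password and an unknown username take the same path and the same time; the session holds a user id that is looked up again on every request rather than a true/false flag; and the "return to the page you were on" value is validated as a local path before it is used in a redirect. The "forgot your password" link, as kovik says, belongs on the form itself rather than only on the failure page.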
nathj
938 Expert 512MB
Wow, there's lots to respond to here. This is great.

(Note: I typed my reply in TextPad, hence I don't have any quotes in it.)

First of all sorry about the title - I can't even remember what it was called now. Thanks for improving it for me.

I wouldn't use $_SERVER['PHP_SELF'] as the form action; I would use something else to determine what the current page is so that the form could then utilise that.

Volectricity, thanks for pointing out some concerns.

I'm aware that code and concept are different and when I have the code developed I may ask a similar favour here on TSDN to complement my testing procedures.

The login form appears on every page at the very top. Take a look at the site - but remember the login goes no-where and the membership form is currently incomplete as I need to purchase a credit pack for the address search. You should see what I mean by the login items appearing on every page.

As for a file that hashes the password: this is a poor explanation on my part. There is a class with a function that will hash the password. Does that sound better?

When you say you would check the user against the database on every page, this makes sense as it means the $_SESSION can't be manipulated. Would you run the full username and password check again?

I will take on board the 'Forgot your password' suggestion though; that's going to improve accessibility.

Okay, I think I've managed to respond to everything listed. Once again I really appreciate the help.

Cheers
nathj
Aug 1 '07 #6
gregerly
192 Expert 100+
You shouldn't check for the submit button because the button itself is not always submitted. Try doing it in IE6 and pressing "Enter" instead of the button. (I believe it's fixed in IE7, but a lot of people still use IE6).
Good call volectricity. You learn something new everyday. I didn't realize that in IE 6 a button had to be clicked to be included. Again, nice call.

Greg
Aug 1 '07 #7
gregerly
192 Expert 100+
Take a look at the site - but remember the login goes no
I think my favorite part about your site is the images you lifted from iStockPhoto.com without removing the watermark! You might want to purchase the images before a live release of your site.
Aug 1 '07 #8
nathj
938 Expert 512MB
I think my favorite part about your site is the images you lifted from iStockPhoto.com without removing the watermark! You might want to purchase the images before a live release of your site.
Thanks for taking a look.

Those images are placeholders only. I am currently in talks with a number of design companies and part of the remit is the production/acquisition of images for the site.

I should still pay for them, I know; it's on the list but hasn't been done yet.

Cheers
nathj

PS I'm not a copyright thief; I give credit for the work of others and I won't be using nicked images for the live site.
Aug 1 '07 #9
Originally Posted by gregerly
I think my favorite part about your site is the images you lifted from iStockPhoto.com without removing the watermark! You might want to purchase the images before a live release of your site.

Now that is funny. =o)

Oh, just kidding, your site IS actually live though. I don't see much harm in it anyway; I have done comps in the past to show off the work, and your situation is similar to my case.

Cheers
Aug 1 '07 #10
pbmods
5,821 Expert 4TB
Sorry, ktdabull. Had to remove politically-sensitive content from your post. It goes against the Posting Guidelines to post that sort of thing.
Aug 1 '07 #11