A Conversation for Website Developer's Forum

Implementing User cookies

Post 1

Frankie Roberto

Hi,

I'm implementing 'users' on a site, including a login and logout process. Couldn't find existing scripts though, so I'm writing from scratch. Can I have some help with the concept, though?

Currently, it works like this. The 'users' table in the database has fields for 'id', 'password' and 'sessionid'. The login process creates a random sessionid, and stores this and the id in a local cookie, which is read by each page. The logout process simply deletes the cookie and the session id in the database.

However, if you login on one browser, and then login on another browser, the cookie from the first browser becomes invalid...

A fix for this, or am I going about it all the wrong way?


Implementing User cookies

Post 2

Pastey

I've not really found a need to store the session id in a table. Usually I just have the userID, the userName and the userPassword.
The user logs in, the script checks it's them and then sets a session variable or cookie with their ID/preferences/whatever in it.

What languages/technologies are you using by the way? I've found the method changes with different languages.

smiley - rose


Implementing User cookies

Post 3

Frankie Roberto

If you don't have a sessionid, how can you check it's them on subsequent pages?

Using PHP/MySQL


Implementing User cookies

Post 4

Pastey

You use session variables; they work like global variables, sort of thing. You call them up using something like:

$userID = $_SESSION['userID'];

Setting them is a little more tricky as it has to be done before any headers are parsed out.

smiley - rose


Implementing User cookies

Post 5

Pastey

Here are some scripts that work for me...


the login page.....
This takes in the login name and password, $userNick and $userPass, from another form. It then runs a check against the database to see if there is a match; if there is, it grabs the details from the database, assigns them to hidden form inputs and then posts them to the login script. If there isn't a match, it says so.

<?php

// register_globals era: $userNick and $userPass arrive straight from the
// fields of the previous form.
$userNick = trim($userNick);
$userPass = trim($userPass);

include ("./common_db.inc");

$link_id = db_connect();

// Both values go into the query unescaped, and the password is stored and
// compared as plain text.
$result = mysql_query("SELECT * FROM userdesc WHERE userNick = '$userNick' AND pass = '$userPass'", $link_id);

while($query_data = mysql_fetch_row($result)) {
    $userNum = $query_data[0];
    $userName = $query_data[1];
    $userNick = $query_data[2];
    $userAddy = $query_data[3];
    $userTele = $query_data[4];
    $userEmail = $query_data[5];
    $userSkin = $query_data[6];
    $userPass = $query_data[7];
    // Hidden form carrying the details to setSession.php, submitted by the
    // script below. (Markup reconstructed; the tags were lost from the post.)
    echo "<form name=\"login\" action=\"setSession.php\" method=\"post\">";
    echo "<input type=\"hidden\" name=\"userNum\" value=\"$userNum\">";
    echo "<input type=\"hidden\" name=\"userName\" value=\"$userName\">";
    echo "<input type=\"hidden\" name=\"userNick\" value=\"$userNick\">";
    echo "<input type=\"hidden\" name=\"userAddy\" value=\"$userAddy\">";
    echo "<input type=\"hidden\" name=\"userTele\" value=\"$userTele\">";
    echo "<input type=\"hidden\" name=\"userEmail\" value=\"$userEmail\">";
    echo "<input type=\"hidden\" name=\"userSkin\" value=\"$userSkin\">";
    echo "<input type=\"hidden\" name=\"userPass\" value=\"$userPass\">";
    echo "</form>";
    echo "<script language=\"javascript\">";
    echo "document.login.submit();";
    echo "</script>";
}

// Printed after the loop, so on a successful login it shows only until the
// form above has been submitted.
echo "<p>";
echo "It would appear that your login was unsuccessful, please try again.";
echo "</p>";

?>



the setSession.php page....
This uses the session_start() thingy to make sure this is done in the headers section; it then registers the user's details as session variables before redirecting the browser to the front page of the site.

<?php

// Must run before any output so the session cookie goes out in the headers.
session_start();
// register_globals era: the POSTed hidden fields arrive as globals, and
// session_register() stores each one in the session under the same name.
session_register("userNum");
session_register("userName");
session_register("userNick");
session_register("userAddy");
session_register("userTele");
session_register("userEmail");
session_register("userSkin");
session_register("userPass");

// Page skeleton reconstructed; the tags were lost from the post.
echo "<html>";
echo "<head>";
echo "</head>";

echo "<body>";

echo "<script language=\"javascript\">";
echo "document.location='front.php';";
echo "</script>";

echo "</body>";
echo "</html>";

?>


and this bit from the top of the front page shows the variables being accessed....
First off you have to say that you're going to be using the variables, and it's always a good idea to keep it in separate <?php ?> tags; then you can just use the information stored in them as you would any other variable.

<?php

// Declare the session variables this page uses; again before any output.
session_start();
session_register("userNick");
session_register("userSkin");

?>

<?php

// The registered variables are now ordinary globals. (The markup inside
// these echo statements was lost from the post; the two lines below are an
// assumed reconstruction showing the skin and nick being used.)
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"$userSkin.css\">\n";
echo "<title>Welcome, $userNick</title>\n";

?>




hope that helps smiley - smiley

smiley - rose


Implementing User cookies

Post 6

Frankie Roberto

Interesting.

I have something like this for login.php:

<form action="<?=$PHP_SELF?>" method="get">
<!-- input fields reconstructed from the variable names the script below expects -->
User ID: <input type="text" name="userid">
Password: <input type="password" name="password">
<input type="submit" name="login" value="SUBMIT">
</form>

<?php
if ($login=="SUBMIT") {
    $result = @mysql_query("SELECT password FROM users WHERE (id='$userid');");

    if ( $row = mysql_fetch_array($result) ) {
        $actualpass = $row["password"];
    }

    if ($password == $actualpass) {

        // the current time doubles as the session id
        $curdate = time();
        $sessionid = $curdate;
        if (@mysql_query("UPDATE users SET sessionid='$sessionid' WHERE id='$userid';")) {
        }
?>
<script language="javascript">
<?php
echo ("the_cookie = \"login=user:" . $userid . ",id:" . $curdate . "\";");
?>
document.cookie = the_cookie;
</script>
<?php
    }
    else {
        echo("login failed");
    }
}
?>


Thoughts?


Implementing User cookies

Post 7

DoctorMO (Keeper of the Computer, Guru, Community Artist)

Just to add my two cents, I developed a Perl/MySQL login users system.

When you register, all the usernames and passwords are MD5ed; the MD5 version of the username is used as an id. When they log in, it's Babled (encrypted) again, this time two-way, and set as the cookie; then each page checks the cookie and sets up a hash array from the users database, based on the id. Simple.

-- DoctorMO --


Implementing User cookies

Post 8

dElaphant (and Zeppo his dog (and Gummo, Zeppos dog)) - Left my apostrophes at the BBC

The session ID should only be valid for the session. Switch browsers, and you have a different session by definition. That's the way it works at large, and I doubt your users will expect to still be logged in when they switch browsers. Personally I would find that disconcerting and confusing - I often use separate browsers to log in with different user ids or not log in at all in one, and I think you'll find lots of people do that even here on h2g2.
smiley - dog


Implementing User cookies

Post 9

Ion the Naysayer

Ack!

Some of the things that have been posted in this thread are really REALLY bad security practice and vulnerable to spoofing or man-in-the-middle attacks. If you want to do it right, visit Merlyn's tutorial on cookies and session IDs. Merlyn is Randal L. Schwartz, who co-authored "Programming Perl", so rest assured he knows what he's talking about.

The examples are in Perl but could easily be converted to PHP.


Implementing User cookies

Post 10

Pastey

We never said they were perfect, we said they worked! Excuse us for not being omnipotent like some people seem to think they are!

smiley - rose


Implementing User cookies

Post 11

DoctorMO (Keeper of the Computer, Guru, Community Artist)

smiley - laugh

Bad security only if you know someone is going to be hacking it.

-- DoctorMO --


Implementing User cookies

Post 12

Frankie Roberto

Is it best for the login script to call the same php page as itself (ie like mine does), or call a separate page (front page maybe)? I notice that many sites (like h2g2 and many a BB system) send you to a blankish page where you have to wait to be redirected...

Also, should you set the cookie using javascript (has the advantage of being able to do so anywhere on page) or using the php-header system (where it has to be sent with the http headers)?


Implementing User cookies

Post 13

Frankie Roberto

The basic premise of what I want to do should be quite simple.

I have a database of userids, passwords and names.

I want every page of the site to be able to recognise the userid of the person currently visiting the site. The page will then be able to look up the userid in the database and do things like display their name/check permissions/and so on.

However, obviously it would be a bit silly to simply store the userid in a cookie, as you could just fake it to make yourself appear to be anybody. So, we want the user to be able to login with their password, and then either store the cookie permanently (until they logout) or temporarily (ie the 'remember me?' checkbox).

What's the best practise for achieving this?

(apologies if I've repeated myself).


Implementing User cookies

Post 14

Pastey

Session variables are good, it's how you choose to set them that is up to you.

Using any page that is called by a link such as /login.php?username=bob&password=mable is bad, as it allows people to see the login stuff. Same as having an obvious include like main.php?page=this.php, as people can then substitute it for their own scripts. The thing to worry about in the real world, outside of college text books, is: is someone really going to bother to hack your site? If you think they are, then worry about security; if you think they aren't, then don't worry so much.
I know the guy who designed the security systems for BT, and now makes his living designing internet security, and in his words "Why on earth would someone want to bother?" You've got to think about why someone would want into your site to wonder about the level of security you need. And to be fair, if they *really* wanted in, they'd get in, regardless of what measures you put in place. Just ignore the script kiddies who take a chunk of code out of a lecture and use it for malicious purposes; they've no interest in the majority of sites. Consider how many sites there are on the 'net, and what sort of kudos they would get for hacking yours. If it's none, then don't bother too much.

The reason some pages seem to pass you onto a holding page which then redirects you off is that they use that page to send through the log in information in the page headers, which if you remember have to be sent out before the rest of the page. So, they take the information in the form, then the next page logs it in in the headers, and then redirects you to a page with output after the headers.

smiley - rose
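As an added example (not code from any poster in this thread) of the approach Pastey describes, applied to the premise Frankie set out in Post 13: the browser holds only a random session id, the userid and password never go into the cookie, 'remember me' only changes the cookie lifetime, and the redirect is an HTTP header sent before any output, so no holding page or JavaScript is needed. It assumes PHP 7.3 or later, a users table with id and password_hash columns, and a form that POSTs userid, password and an optional remember checkbox; the in-memory SQLite database and its one user are constructed so it runs offline in place of MySQL.

```php
<?php
// login.php (added example). Assumes a users(id, password_hash) table and a
// form that POSTs userid, password and an optional 'remember' checkbox.
// An in-memory SQLite database with one constructed user stands in for MySQL.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (id, password_hash) VALUES (?, ?)')
    ->execute(['frankie', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $userid, string $password, bool $remember): bool
{
    // Placeholder keeps the submitted id out of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();
    // Unknown user or wrong password give the same result; no plaintext is stored.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // The cookie carries only the random session id; 'remember me' just makes it
    // persistent (30 days) instead of expiring when the browser closes.
    session_set_cookie_params([
        'lifetime' => $remember ? 30 * 24 * 60 * 60 : 0,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax', // secure needs HTTPS
    ]);
    session_start();
    session_regenerate_id(true);   // fresh id once authenticated
    $_SESSION['userid'] = $userid; // the id lives server-side, never in the cookie
    $_SESSION['login_time'] = time();
    return true;
}

// For the top of every other page: the userid comes back from the session, so
// editing the cookie cannot make you appear to be somebody else.
function currentUser(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['userid'] ?? null;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $ok = login($pdo, $_POST['userid'] ?? '', $_POST['password'] ?? '', isset($_POST['remember']));
    // Header redirect sent before any output: no holding page, no JavaScript.
    header('Location: ' . ($ok ? 'front.php' : 'login.php?failed=1'), true, 303);
    exit;
}
```

Because the session lives on the server per browser, logging in from a second browser simply creates a second session; logging out of one does not disturb the other unless the site chooses to track and revoke sessions per user.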


Implementing User cookies

Post 15

DoctorMO (Keeper of the Computer, Guru, Community Artist)

food for thought anyway...

-- DoctorMO --


Implementing User cookies

Post 16

Ion the Naysayer

smiley - sadface

I don't think I'm omnipotent.


Implementing User cookies

Post 17

Frankie Roberto

I have an idea anyway. If you log in, and there is already a session variable present (ie you haven't logged out), then it stores a cookie with the same variable. That way, you can log in from more than one place. If anybody logs out though, all the cookies are invalid and you have to log in again with all browsers.


Implementing User cookies

Post 18

Ion the Naysayer

I apologise. I should have just put forth a friendly suggestion. I guess I reacted the way I did because it doesn't say anywhere in the thread that you know that some of the methods that were posted are not all that secure.

Again, I'm sorry.


Implementing User cookies

Post 19

Pastey

Hey, I was having a sh*tty day so was probably more abrupt than normal smiley - smiley

smiley - rose


Implementing User cookies

Post 20

dElaphant (and Zeppo his dog (and Gummo, Zeppos dog)) - Left my apostrophes at the BBC

Your idea might work, although personally I would still find it disorienting, confusing, and ultimately frustrating to be logged in on a browser I hadn't been using before. But one question - how do you find out that the second browser is being used by the same person without asking for the username again (essentially logging in again)?

You would also have to attempt to prevent abuse by tracking things like ip numbers, so you would know if someone tried to use a different browser from a different computer they might not be the same person. Even numerically close ip numbers could be miles apart in RL.
smiley - dog

