Preserved Topic: user authentication $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12868" title="Pages that link to Preserved Topic: user authentication" rel="nofollow" >Preserved Topic: user authentication\$

Author	Thread
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 08-26-2003 00:09 I need a little direction. I am at a stage where I need to require a login for a certain section of a website. I have done a bit of reading, and have managed to confuse myself pretty well. =) What I would like to know is what method(s) you guys would recommend for this. Should I use .htaccess? Should I use a PHP script? If so, which way? I've read about ways with sending headers and using a system generated dialogue, or using html forms, and sessions, etc. I'm not looking to have it done for me, just some suggestions on what direction I should go and why... Thanks =)
mr.maX Maniac (V) Mad Scientist From: Belgrade, Serbia Insane since: Sep 2000	posted 08-26-2003 00:18 For simplicity sake, I recommend .htaccess ...
Slime Lunatic (VI) Mad Scientist From: Massachusetts, USA Insane since: Mar 2000	posted 08-26-2003 00:29 .htaccess is simple and reliable. Plus, it presents the user with a log-in dialog that they might have seen before, so there's no confusion on their part. As for security, I assume that's not acheivable without a secure HTTP connection, but I don't know the details about all that.
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 08-26-2003 00:41 I'm not overly concerned with security - we're not dealing with credit card information, or anything sensitive like that. I would like to be somewhat confident that people can't just walk in and screw with the database though... I have a simple .htaccess login setup now. Is there a way with this method to be able to output on the page the username that was used, and for a logout and all that? I don't need that, I am just curious...
mr.maX Maniac (V) Mad Scientist From: Belgrade, Serbia Insane since: Sep 2000	posted 08-26-2003 01:01 Username of currently logged user is stored in "REMOTE_USER" server environmental variable. For example, in PHP you can do the following: <?=$_SERVER["REMOTE_USER"]?> Optionally, PHP provides two special variables for dealing with user authentication ($_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]), but more about them can be found in the manual. The most common way (which doesn't involve any server-side scripting) of logging out is by closing web browser window where password was entered. If you want to provide a "LOGOUT" link (or similar), you'll need to write appropriate server-side script (in PHP, for example).
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 08-26-2003 01:05 Thanks Max =)
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 08-26-2003 13:24 on a side note, you shouldn't store the passwords on the server. .htaccess doesn't (it does store crypted() version of them, and compares a crypt() of what the user enters with the stored value). That way, even if someone grabs the database, she still doesn't have an easy go on the passwords (though even a md5 can be broken... in time. there are 4 billion possible md5s. you need an input that produces one. Enjoy waiting?)
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 08-26-2003 17:42 The passwords are currently store in a .htpasswd file. Someone suggested that would be the way to do it

Preserved Topic: user authentication\$

Author

Thread

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 00:09

I need a little direction.

I am at a stage where I need to require a login for a certain section of a website. I have done a bit of reading, and have managed to confuse myself pretty well. =)

What I would like to know is what method(s) you guys would recommend for this.
Should I use .htaccess?
Should I use a PHP script? If so, which way? I've read about ways with sending headers and using a system generated dialogue, or using html forms, and sessions, etc.

I'm not looking to have it done for me, just some suggestions on what direction I should go and why...

Thanks =)

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-26-2003 00:18

For simplicity sake, I recommend .htaccess ...

Slime
Lunatic (VI) Mad Scientist

From: Massachusetts, USA
Insane since: Mar 2000

posted 08-26-2003 00:29

.htaccess is simple and reliable. Plus, it presents the user with a log-in dialog that they might have seen before, so there's no confusion on their part.

As for security, I assume that's not acheivable without a secure HTTP connection, but I don't know the details about all that.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 00:41

I'm not overly concerned with security - we're not dealing with credit card information, or anything sensitive like that.

I would like to be somewhat confident that people can't just walk in and screw with the database though...

I have a simple .htaccess login setup now.
Is there a way with this method to be able to output on the page the username that was used, and for a logout and all that? I don't need that, I am just curious...

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-26-2003 01:01

Username of currently logged user is stored in "REMOTE_USER" server environmental variable. For example, in PHP you can do the following:

<?=$_SERVER["REMOTE_USER"]?>

Optionally, PHP provides two special variables for dealing with user authentication ($_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]), but more about them can be found in the manual.

The most common way (which doesn't involve any server-side scripting) of logging out is by closing web browser window where password was entered. If you want to provide a "LOGOUT" link (or similar), you'll need to write appropriate server-side script (in PHP, for example).

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 01:05

Thanks Max =)

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-26-2003 13:24

on a side note, you shouldn't store the passwords on the server.
.htaccess doesn't (it does store crypted() version of them, and compares a crypt() of what the user enters with the stored value).

That way, even if someone grabs the database, she still doesn't have an easy go on the passwords (though even a md5 can be broken... in time. there are 4 billion possible md5s. you need an input that produces one. Enjoy waiting?)

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 08-26-2003 17:42

The passwords are currently store in a .htpasswd file. Someone suggested that would be the way to do it