help me in making a small user login/password system where users are authenticated by a system. Lets provide session support as well so that the sessions are stored and when the comes to the site he is logged in automatically
Fairly easy, many ways to do it but there are a lot of security implications in any method you take, but for simplicity do this.
Make a users table in MySQL and a session table to store PHPSESSIONID and user ID.
Check the username and password against records in the user table, if they pass, let them log in and add a logged in $_SESSION.
Once logged in, get PHPSESSIONID, write that to a $_COOKIE and set the cookie to expire when you want the user to log out (idle time, remember to update it on page refresh though, or don't add one at all to keep them logged in). Write the session ID to the table along with the user id.
When they visit the site next, if the cookie exists check the session table for their ID and set a $_SESSION for logged in again. Make sure you don't overwrite the PHPSESSIONID because otherwise it will log you out when you refresh.
A very basic system with loads of room for improvement but hopefully you will get what I mean.
Don't store passwords in cookies, and you need to watch out for cookie hijacking that can steal your session ID. You might also want to include IP address and User Agent in the sessions table for additional checks. If a cookie is hijacked, the IP address and user agents might be different, and the user won't log in.
This forces them to log in again, and if they can't, they're probably not the account owner.
aman, I'm not going to write anything because you won't learn anything if I did, you need to understand what it is you're coding and what everything does.
When you visit a site, a cookie is created called PHPSESSID, just write that to a session table along with user ID and IP address and to another cookie so it isn't overwritten. If the new cookie doesn't exist, they're logged out. If it does exist and their session is in the session table, and their IP address is the same, log them in, otherwise, log them out.
It's very, very simple.
Phill, that link wouldn't work..
"Precondition Failed
We're sorry, but we could not fulfill your request for /article/PHP_Login_System_with_Admin_Features/17/60384/"
Reply With Quote
Bookmarks