I have a small family-only website. My index.php has a login form with a remember me feature. If a member has a valid cookie set, I would like my index.php to show one form (essentially a "click here to enter our site"). If there is no valid cookie, to show another form (my login form).
It seems to me that this should be possible... sadly I have not the skills to implement it.
If this is easy (or possible?)... can someone please show me how?
That would be quite insecure. Cookies are quite trivial to edit, and someone could easily edit their cookie to say 'you have been hacked!' and your authentication system would let them pass.
What you want to do is create a session system that gives the user a session id; then you can just check if a session variable is properly set from page to page to see if they've been authenticated. For this you can take a look at PHP's built-in session system. If you don't want or need a full session system, you can easily implement a basic authentication system that works the same. The user authenticates; if valid, a cookie is sent to the user with a session id, and the session id is then saved in a database table. The index.php will then read the cookie, sanitize the session id and check it against a list from the database to see if it's valid. Be sure to trim the session id table from time to time (aka timing out a user) so that the table isn't filled with outdated ids. The session id is preferably something unique, long, random, and collision resistant, so an md5 hashed string composed of the user's agent, current time and a random string or something similar.
Last edited by Jarrod1937; 01-15-2011 at 09:29 PM.
I "think" my site is reasonably secure. The index login form does a <form action="../pages/home.php" method="post">. Home.php (and all pages) require login.php (a flat database of users).
Recently the "remember me" was added. Previously there was only a session (?) that kept the user logged in until the browser was closed.
My problem now... is that if a user checked the "remember me" he can enter the site without logging in... this is what I want, but the index.php still brings up the login form. One solution would be to advise the users to bookmark a page of their choice, but I would like to have my index.php differentiate between not remembered (or logged out) and those that have elected to be remembered.
Simply place that within your else block and it will redirect the user to that page. Keep in mind though that HTTP headers have to be sent before any screen output, so that redirect has to occur before you echo anything out to the screen.
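The flow described in the two replies above (a random session id in a cookie, checked against a server-side table, then a redirect sent before any output), as an added example that is not part of the original thread. The cookie name, table name and database path are assumptions, HTTPS and PHP 7.3+ are assumed, and the id comes from random_bytes() rather than an md5 of user agent and time.

```php
<?php
// index.php (added example). Cookie, table and file names are assumptions.
// Nothing (not even a blank line) may precede the opening tag, or header() fails.
const COOKIE_NAME = 'remember_sid';           // hypothetical cookie name
const LIFETIME    = 60 * 60 * 24 * 30;        // 30 days, in seconds

// Hypothetical path outside the web root; the directory must already exist.
$db = new PDO('sqlite:' . dirname(__DIR__) . '/private/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS remember_sessions (
    sid_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)');

// Called by the login handler after the password check succeeds.
function issue_session(PDO $db, string $username): void {
    $sid = bin2hex(random_bytes(32));         // 64 hex chars from the CSPRNG
    // Store only a hash, so a leaked table does not yield usable cookies.
    $db->prepare('INSERT INTO remember_sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $sid), $username, time() + LIFETIME]);
    setcookie(COOKIE_NAME, $sid, ['expires' => time() + LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Returns the username for a valid, unexpired session id, or null.
function current_user(PDO $db): ?string {
    $sid = $_COOKIE[COOKIE_NAME] ?? '';
    if (!is_string($sid) || !preg_match('/\A[0-9a-f]{64}\z/', $sid)) {
        return null;                          // missing, malformed or edited cookie
    }
    $db->prepare('DELETE FROM remember_sessions WHERE expires < ?')
       ->execute([time()]);                   // trim timed-out ids
    $q = $db->prepare('SELECT username FROM remember_sessions WHERE sid_hash = ?');
    $q->execute([hash('sha256', $sid)]);
    $user = $q->fetchColumn();
    return $user === false ? null : $user;
}

if (current_user($db) !== null) {
    header('Location: ../pages/home.php');    // sent before any echo or HTML
    exit;
}
?>
<!-- Reached only when no valid session id was presented -->
<form action="../pages/home.php" method="post">
  <input name="username"> <input name="password" type="password">
  <label><input name="remember" type="checkbox"> Remember me</label>
  <button>Log in</button>
</form>
```

The cookie carries only the random id, so editing it produces a value that matches no row and the login form is shown.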
Thanks Jarrod1937... but I cannot seem to make this work for me... so for the moment I am giving up. I think the part about being sent before any screen output is messing me up, but I cannot seem to resolve it.