I don't get the logic behind user authentication in PHP, or other server-side languages
Isn't it that after the authentication, the script simply redirects the browser to another page/site? Why not type the site in the address box... right?
Sorry if this is a foolish question, but I am just wondering...
What I normally do is use session variables to initiate a state-ful connection with specific users. This requires that I place session_start() at the top of each PHP file. With this, I can require that the user have a cookie on their machine to access every page except for the login page. This prevents them from typing in the URL to get to any other pages.
If that is the case, then it won't be totally secure after all. If the cookie remains on the client's hard disk, then he still has full access to any page without undergoing the login process.
In the first case that I described, the cookie would be valid for as long as the browser was not shut down. If you shut down the browser, you would then have to login again.
Another option is to manually set a cookie, which would allow you to have it expire after 15 minutes (an arbitrary time), so that you could force users to log in if their session was idle for more than 15 minutes. This would require that you refresh the cookie at each page though. The following URL is a good resource.
Also, isn't there a way to configure the session so that it doesn't use a cookie? Instead, it automatically appends a session ID to the list of query string variables. It's been awhile since I've played with my PHP configuration, but I seem to remember something about that.
I think that's what the 'session_start()' does when included at the beginning of each page. It does have to set a cookie though, but it's done automatically, all taken care of with no further interaction. I don't know how to force a session to expire on its own using that method though. In the past, when using that method, I have set a session variable to some pre-defined value to indicate logged in, and when the user logs out, the variable is set to a value not like the previous one. I would not be the expert, just some of my experience.
I'm new to PHP programming and have never used cookies before. What do cookies actually do? Are they only used for user authentication, or do they have other functions?
Do we really need to use cookies? Can I use cookies for passing values?
Originally posted by w0000422:
I'm new to PHP programming and have never used cookies before. What do cookies actually do? Are they only used for user authentication, or do they have other functions?
Do we really need to use cookies? Can I use cookies for passing values?
ck
Cookies are a great way to *hide* pieces of information so you don't have to manually keep track of them.
Usually it's authentication info, but you could also use it for, say, keeping track of user settings/preferences. It's especially nice since you can make it so they stay for long terms. So when a user returns after a few days to your site, the site will remember him/her, etc.
Of course you could also use them for more evil purposes.
Isn't it that after the authentication, the script simply redirects the browser to another page/site? Why not type the site in the address box... right?
Most of my secured pages (PHP) will look for the cookie on the user's machine first; if the cookie is not found, it does a redirect to a login page. Therefore it never loads the page if a user types the address in, or has it bookmarked, UNLESS they have the cookie that I sent them on their machine.
For instance:
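// $authenticated_cookie is assumed to have been read from the request earlier
if (!$authenticated_cookie) {
    // Redirect to the login page with an explicit 302 status
    header("Location: login.php", true, 302);
    // Stop here so the rest of the protected page is not sent
    exit;
}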
It's not just about redirecting the pages.
The server-side script either sets some values in cookies or appends something to the URL.
This lets you access the redirected page/website.
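
The session check and 15-minute idle timeout discussed in the replies above, written out as an added example (not code from any poster in this thread). The function names and the session keys user_id and last_seen are assumptions; login.php is the page named in the thread. The login state lives in the server-side session rather than in the mere presence of a cookie, and execution stops after the redirect.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 15 * 60; // the 15-minute idle limit suggested in the thread

// True only if the server-side session records a login that is not idle-expired.
// 'user_id' and 'last_seen' are key names assumed for this example.
function session_is_live(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (empty($session['user_id']) || !isset($session['last_seen'])) {
        return false; // never logged in, or already logged out
    }
    return ($now - (int) $session['last_seen']) <= $idleLimit;
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    session_start([
        'cookie_httponly'  => true, // session cookie not readable from page scripts
        'use_strict_mode'  => true, // reject session IDs the server did not issue
        'use_only_cookies' => true, // never accept the ID from the query string
    ]);
    if (!session_is_live($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php', true, 302); // login.php as in the thread
        exit; // stop here so the protected page body is never sent
    }
    $_SESSION['last_seen'] = time(); // refresh the idle timer on each page view
}

// Call once, after the login form's credentials have been verified.
function mark_logged_in(string $userId): void
{
    session_regenerate_id(true); // fresh ID at login, old session data deleted
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_seen'] = time();
}

// Constructed sample sessions, checked from the command line without a browser.
if (PHP_SAPI === 'cli') {
    $now = 1700000000; // constructed timestamp
    var_dump(session_is_live(['user_id' => 'alice', 'last_seen' => $now - 60], $now));
    var_dump(session_is_live(['user_id' => 'alice', 'last_seen' => $now - 901], $now));
    var_dump(session_is_live(['last_seen' => $now], $now)); // session exists, no login
}
```

A protected page would call require_login() as its first statement, and the login script would call mark_logged_in() only after checking the submitted credentials.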