Old 01-02-2004, 08:48 AM   #1
spyghost
Member
 
Registered: Jun 2003
Distribution: Redhat
Posts: 245

Rep: Reputation: 30
php user authentication


hi,

i don't get the logic behind user authentication in php, or other server side languages

isn't it that after the authentication, the script simply redirects the browser to another page/site? why not type the site on the address box... right?

sorry if this is a foolish question, but i am just wondering...

opinions are highly appreciated...

thanks
 
Old 01-02-2004, 08:52 AM   #2
ter_roshak
Member
 
Registered: May 2001
Location: Everett, WA
Distribution: Gentoo, RedHat
Posts: 102

Rep: Reputation: 15
What I normally do is use session variables to initiate a state-ful connection with specific users. This requires that I place session_start() at the top of each PHP file. With this, I can require that the user have a cookie on their machine to access every page except for the login page. This prevents them from typing in the URL to get to any other pages.

Josh
 
Old 01-02-2004, 09:42 AM   #3
spyghost
Member
 
Registered: Jun 2003
Distribution: Redhat
Posts: 245

Original Poster
Rep: Reputation: 30
if that is the case then, it won't be totally secure after all. if the cookie remains on the client's hard disk, then he still has full access to any page without undergoing the login process.

is there a way of eliminating this scenario?
 
Old 01-02-2004, 01:05 PM   #4
ter_roshak
Member
 
Registered: May 2001
Location: Everett, WA
Distribution: Gentoo, RedHat
Posts: 102

Rep: Reputation: 15
In the first case that I described, the cookie would be valid for as long as the browser was not shut down. If you shut down the browser, you would then have to login again.

Another option is to manually set a cookie, which would allow you to have it expire after 15 minutes, (arbitrary time), so that you could force users to login if their session was idle for more than 15 minutes. This would require that you refresh the cookie at each page though. The following URL is a good resource.

http://www.php.net/manual/en/function.setcookie.php

Josh
 
Old 01-02-2004, 01:17 PM   #5
deiussum
Member
 
Registered: Aug 2003
Location: Santa Clara, CA
Distribution: Slackware
Posts: 895

Rep: Reputation: 32
Also, isn't there a way to configure the session so that it doesn't use a cookie? Instead, it automatically appends a session ID to the list of query string variables. It's been a while since I've played with my PHP configuration, but I seem to remember something about that.
 
Old 01-02-2004, 01:30 PM   #6
ter_roshak
Member
 
Registered: May 2001
Location: Everett, WA
Distribution: Gentoo, RedHat
Posts: 102

Rep: Reputation: 15
I think that's what the 'session_start()' does when included at the beginning of each page. It does have to set a cookie though, but it's done automatically, all taken care of with no further interaction. I don't know how to force a session to expire on its own using that method though. In the past, when using that method, I have set a session variable to some pre-defined value to indicate logged in, and when the user logs out, the variable is set to a value not like the previous one. I would not be the expert, just some of my experience.

Josh
 
Old 01-04-2004, 07:11 PM   #7
w0000422
Member
 
Registered: Dec 2003
Distribution: redhat linux 9.0
Posts: 60

Rep: Reputation: 15
i'm new to php programming and have never used cookies before. what do cookies actually do? are they only used for user authentication, or do they have other functions?

do we really need to use cookies? can i use cookies for passing values?

ck
 
Old 01-04-2004, 07:22 PM   #8
coolman0stress
Member
 
Registered: Jun 2003
Location: Toronto, Ontario, Canada
Posts: 288

Rep: Reputation: 30
Quote:
Originally posted by w0000422
i'm new to php programming and have never used cookies before. what do cookies actually do? are they only used for user authentication, or do they have other functions?

do we really need to use cookies? can i use cookies for passing values?

ck
Cookies are a great way to *hide* pieces of information so you don't have to manually keep track of them.

Usually it's authentication info, but you could also use it for, say, keeping track of user settings/preferences. It's especially nice since you can make it so they stay for long terms. So when a user returns after a few days to your site, the site will remember him/her, etc.

Of course you could also use them for more evil purposes.

Hope this helps...
 
Old 01-04-2004, 09:15 PM   #9
w0000422
Member
 
Registered: Dec 2003
Distribution: redhat linux 9.0
Posts: 60

Rep: Reputation: 15
ic, what a wonderful method to protect my confidential information...thks man!
i will try to learn more abt cookies...

ck
 
Old 01-07-2004, 04:59 PM   #10
Electric_Blue
Member
 
Registered: Aug 2003
Distribution: RedHat
Posts: 35

Rep: Reputation: 15
Quote:
isn't it that after the authentication, the script simply redirects the browser to another page/site? why not type the site on the address box... right?
Most of my secured pages (php) will look for the cookie on the user's machine first; if the cookie is not found it does a redirect to a login page. Therefore it never loads the page if a user types the address in, or has it bookmarked, UNLESS they have the cookie that I sent them on their machine.

For instance:
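// Cookie absent: send the visitor to the login page instead.
if (empty($_COOKIE['authenticated_cookie'])) {
    header("Location: login.php", true, 302);
    exit; // stop here so the rest of the protected page is never sent
}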

This is just one way of securing a page.
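
The session approach from posts #2, #4 and #6, with the 15-minute idle limit kept on the server rather than in the cookie, is sketched below as an added example; it is not code from any poster in this thread. The file name auth_guard.php, the functions start_secure_session(), mark_logged_in() and require_login(), and the 'uid' and 'last_seen' session keys are assumed names, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// auth_guard.php: added example; include at the top of every protected page.
// Assumed names: IDLE_LIMIT, the three functions, the 'uid'/'last_seen' keys.
const IDLE_LIMIT = 900; // 15 minutes, the arbitrary figure used in the thread

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started on this request
    }
    // The cookie carries only a random session ID; the login state itself
    // lives on the server in $_SESSION, so the client cannot forge it.
    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only (site must use HTTPS)
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once from login.php after the password check has succeeded.
function mark_logged_in(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true); // fresh ID, so a pre-login ID is useless
    $_SESSION['uid'] = $userId;
    $_SESSION['last_seen'] = time();
}

// Call on every protected page before any output is sent.
function require_login(): int
{
    start_secure_session();
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (!isset($_SESSION['uid']) || $idle > IDLE_LIMIT) {
        // Unknown or idle session: wipe server-side state, then redirect.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php', true, 302);
        exit; // without this the protected page would still be rendered
    }
    $_SESSION['last_seen'] = time(); // refresh the idle timer
    return $_SESSION['uid'];
}
```

A protected page then begins with `require 'auth_guard.php'; $uid = require_login();` so a typed or bookmarked URL reaches the redirect before any page content.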
 
Old 01-07-2004, 10:13 PM   #11
sendit
LQ Newbie
 
Registered: Jan 2004
Location: Pune
Distribution: RedHat, Mandrake
Posts: 1

Rep: Reputation: 0
Re: php user authentication

Hello!

It's not just about redirecting the pages.
The server side script either sets some values in
cookies or appends something to the URL.
This lets you access the redirected page/Web Site.

Is that OK?
 
  

