
best way to log in users, and keep them logged in?


nassau
Member
 
Join Date: Jul 2004
 
2006-01-11, 22:54

my tools are php and mysql.
i want users to be able to log in to a preregistered account. they should be able to autologin after the first time.

how do i make an optimal login function, how do i keep it secure and prevent users from logging into others accounts?

also, how do i keep the users logged in between reloads?

how is it usually done? do websites save username and password in a $_COOKIE locally on users machine? is this cookie matched between each reload or is it better to use $_SESSION? and if sessions should be used, is it better to use "cookie" sessions or "url" sessions?

all tips on security and ease of use are welcome. my users will have an ID, username and password. IDs and usernames are unique (no two users can have the same one).


thank you
Gargoyle
http://ga.rgoyle.com
 
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
 
2006-01-12, 07:33

First of all, create your site using $_SESSION (Cookie based is more secure than URL based). Once your site is working, you can then go back and change your login page to store a permanent cookie for automatic logins in the future.

I do not recommend you store unencrypted passwords in cookies. Instead, I would put the username and a hashed password in the cookie, md5 for example.

Ultimately, the security of storing any information on a client's PC comes down to how well they "guard" the PC. Worst case scenario, the entire cookie store could be copied to a USB drive and taken away!

Plenty of examples and info at www.php.net to get you started and we're always here when you have some specific ideas / questions.

Tip: Create a session_init.php file to handle the startup of your session and include it in all your pages. That will make changes easier in the future.

OK, I have given up keeping this sig up to date. Let's just say I'm the guy that installs every latest version as soon as it's available!
nassau
Member
 
Join Date: Jul 2004
 
2006-01-12, 07:48

Quote:
Originally Posted by Gargoyle
Tip: Create a session_init.php file to handle the startup of your session and include it in all your pages. That will make changes easier in the future.
thanks. would you like to explain this last one a little further?
drewprops
Space Pirate
 
Join Date: May 2004
Location: Atlanta
 
2006-01-13, 00:32

Since cookies have to be sent before ANYTHING is outputted to the screen I'm guessing that he means the file containing your session initialization routine would be the first external PHP file referenced by your page(s), likely one of the first lines in your code.
Code:
require ('session_init.php');

Steve Jobs ate my cat's watermelon.
nassau
Member
 
Join Date: Jul 2004
 
2006-01-13, 13:23

is there a reason to put the session initializer in a separate file?
pmazer
Member
 
Join Date: May 2005
Location: Atlanta, GA
2006-01-13, 15:32

It helps you keep up the DRY (don't repeat yourself) principle. You should always be abstracting components as much as possible.
nassau
Member
 
Join Date: Jul 2004
 
2006-01-13, 15:40

i'm well aware of the principle of not repeating things, but i'm assuming it's not necessary to put it in a separate file. you could just as well keep it as a function in eg. globals.php, right?
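
The session_init.php include discussed in this thread, as an added example that is not from any of the posters: it starts a cookie-only session and handles automatic login with a random, single-use token whose hash is stored server-side, so nothing derived from the password is placed in the cookie. The `auth_tokens` table, the `remember` cookie name, the function names and the PDO handle are assumptions of this example, which needs PHP 7.3+ and HTTPS.

```php
<?php
// session_init.php (added example): include first on every page, before any output.
// Assumed: PHP 7.3+, HTTPS, a PDO handle, and a hypothetical table
// auth_tokens(selector, validator_hash, user_id, expires); cookie name "remember".
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login_user(int $userId): void
{
    session_regenerate_id(true); // fresh id at login defeats session fixation
    $_SESSION['user_id'] = $userId;
}

function issue_remember_cookie(PDO $pdo, int $userId, int $days = 30): void
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = time() + 86400 * $days;
    $pdo->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('remember', "$selector:$validator", ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function try_autologin(PDO $pdo): void
{
    $cookie = $_COOKIE['remember'] ?? null;
    if (isset($_SESSION['user_id']) || !is_string($cookie)) {
        return;
    }
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return;
    }
    $stmt = $pdo->prepare('SELECT validator_hash, user_id FROM auth_tokens
                           WHERE selector = ? AND expires > ?');
    $stmt->execute([$parts[0], time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Tokens are single use: drop the row whether or not the validator matches.
    $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$parts[0]]);
    if ($row && hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        login_user((int) $row['user_id']);
        issue_remember_cookie($pdo, (int) $row['user_id']); // rotate for next visit
    }
}
```

A page would call `try_autologin($pdo)` right after the `require`, and the login form handler would call `login_user()` and, if the user ticked "remember me", `issue_remember_cookie()`.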