HTML/PHP Login Session?

Chroma(Posted 2011) [#1]
I've been working on my new website and I'd like to have a way for people to log in. Anyone know how this is done and how to put a time limit on it so it will log you out automatically?


degac(Posted 2011) [#2]
The best solution is to store in a database the SessionID() & time-of-login of each user: every x-time a script on the server (or a new action from each user) checks the registered active users and deletes the ones that have an 'inactivity' time higher than X (i.e. 5 minutes).
So you need PHP+MySQL to do the job: with Google you can find some examples.

Cheers
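
The server-side session table with an idle timeout described in the post above, as an added example that is not part of the original thread. The table name `sessions` and all function names are hypothetical, an in-memory SQLite database (PHP's `pdo_sqlite` extension) stands in for MySQL so the script runs from the command line, and the clock is passed in as a parameter so the timeout can be exercised without waiting.

```php
<?php
// Added example: hypothetical names throughout; SQLite in memory stands in for MySQL.
const IDLE_LIMIT = 300; // seconds of inactivity allowed (the "5 minutes" in the post)

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        login_at INTEGER NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

// Called after the password check succeeds: issue a fresh random token.
function startSession(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));   // value handed to the browser as a cookie
    $stmt = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now, $now]); // store only the hash
    return $token;
}

// Called on every request: returns the user id, or null if unknown or idle too long.
function checkSession(PDO $db, string $token, int $now): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, last_seen FROM sessions WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }  // no such session
    if ($now - (int)$row['last_seen'] > IDLE_LIMIT) {
        $db->prepare('DELETE FROM sessions WHERE token_hash = ?')->execute([$hash]);
        return null;                      // expired: the user has to log in again
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE token_hash = ?')
       ->execute([$now, $hash]);          // activity resets the idle clock
    return (int)$row['user_id'];
}

// Periodic cleanup (cron job or piggy-backed on requests): drop every idle session.
function purgeIdle(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM sessions WHERE last_seen < ?');
    $stmt->execute([$now - IDLE_LIMIT]);
    return $stmt->rowCount();
}

// Constructed walk-through with a fake clock.
$db = openStore();
$token = startSession($db, 42, 1000000);
var_dump(checkSession($db, $token, 1000200)); // request 200 s after login
var_dump(checkSession($db, $token, 1000600)); // next request 400 s after the previous one
```

On a real site the token would be sent with `setcookie()` using the `Secure` and `HttpOnly` flags, and `time()` would be passed as `$now`.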


ima747(Posted 2011) [#3]
Alternatively, or in addition, you can use cookies to store a sessionID, or login credentials (remember to encode them in some way...) etc. Cookies have an expiration attached to them, so the client should auto handle that. You can also easily reference them from any language (i.e. JavaScript in the page itself or PHP/Perl on the server, etc.) so it's handy for moving things between levels of your site's code. If security is critical though, the session should be managed on the server and not exposed; if it's a simple forum and you just don't care about locking everything down then you might be able to skirt by with just cookies... Sanity check your decisions if security is of any concern at all though (e.g. once someone's issued a session ID, does that act as a temporary login/password or are there extra layers, such as IP limiting, that go along with that...)

Logins lead to passwords and passwords are the front door of the security headache machine :0)


Leon Brown(Posted 2011) [#4]
When using login sessions, you should make sure your website is secured against session hijacking - this is a trick that people can use to sign into someone else's account without the need to use the login details. Read about it here:

http://en.wikipedia.org/wiki/Session_hijacking

You can easily protect against it by generating a unique key based on the login time and user ID stored as part of the login check - the login time is variable and so someone using session hijacking wouldn't be able to replicate it.


Yahfree(Posted 2011) [#5]
Like everyone else said. Just make sure to hash your session information.

Additionally, if you're having a hard time hand-coding it, you can save time with an open source user management system. I like UserCake because it's open source and it's very minimal, so I can hand code it for my own purposes:

http://usercake.com/index.php