PHP Access Script (free guide)
From: the reporter (reporter_at_home)
Date: 10/08/04
Date: Fri, 8 Oct 2004 12:45:07 +0800
Hi, I hope this code works for you. Before you begin, it would be great if
you have a basic understanding of SQL and PHP.
### LOGIN SCRIPT
Create the table with the following:
1. row ID (primary with auto increment)
2. username
3. password (md5-ied)
4. session_ID
5. session_IP
6. session_agent
7. session_time
8. user_email
For example, when John Davis logs in, he keys in his username and password:
[index.php]
username: johndavis
password: ceojohn
These variables are passed on to [verification.php], which uses an SQL statement to
find whether such a user exists and, if so, whether the password is correct.
[verification.php]
// username and password come from the form in index.php
$username=mysql_real_escape_string($_POST['username']); // escape before putting it into SQL
$password_encrypt=md5($_POST['password']);
$query="SELECT * FROM user_list WHERE username='$username' AND password='$password_encrypt'";
$result=mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result)){
// whatever it needs to do if it's correct
}
else{
// kick the user to the first screen
header('Location: http://www.whatsoever.com/index.php');
exit;
}
In this case, if John Davis logs in correctly, the [verification.php] script
should also record the md5 (or sha1/crc, whatever) of the client's IP
address and browser agent in session_IP and session_agent respectively. A
session_ID will be randomly generated from sources like timing, IP address
or whatsoever. A unix timestamp will be recorded too in session_time.
Once John logs in, all the pages would be secured by the [sentry.php] script,
which checks the session_ID. If session_ID is not present, it will kick out
the user. If the session_IP and session_agent are not the same, it will also
kick out the user. And if the time is 600 seconds (10 mins) later, it will
also kick out the user. If everything is correct, it will continue to load
the page and write the new unix timestamp into the record. This
[sentry.php] must be placed at the top of the actual PHP page with either
include/require/include_once/require_once.
[sentry.php]
// the client's IP address (gethostbyaddr() would give the reverse-DNS hostname, not the IP)
$check_session_IP=$_SERVER['REMOTE_ADDR'];
$check_session_agent=$_SERVER['HTTP_USER_AGENT'];
// the $session_IP and $session_agent are extracted from the database
if((md5($check_session_IP)!=$session_IP)||(md5($check_session_agent)!=$session_agent)){
// before kicking the user out, reinitialize a new session_ID to erase
// the current session_ID, doing so will prevent any log in using the same
// session_ID
header('Location: blah blah blah'); // redirect back to the first screen
exit;
}
else{
// reinitialize the timing. to automatically kick out user based on
// inactivity.
}
### SESSION ID
There's one trick which I just thought of: using the md5-ied IP address &
browser agent to act as an invisible session ID. In any case, session_ID is
either added to the URL address (e.g.
http://www.whatsoever.com/hello.php?sid=session_ID) or passed through <input
type="hidden" name="sid" value="session_ID">.
Let's just say there is a secure page where you don't wish to place the SID
in the URL and it's not a form; the only way is to jump over "through" the
page by allowing the checks to be done via session_IP and session_browser. In a
simple application, the session_ID could even be scrapped. However, I have yet
to know if anyone would "fake" the browser and "IP address", but hacking
these would seem to be easy.
However, you could mail out a notification alert to the person's email (SMS,
if available) if someone logs in with the person's user name.
### DYNAMIC USER IP ADDRESS
For those users whose IP address is assigned dynamically by their ISP, [sentry.php]
would force them to log in again and again. To minimize the inconvenience,
[sentry.php] could verify the user via the first two nodes of the IP address
(e.g. 210.123.111.8 = 210.123). But this is dangerous because it would
not prevent insiders from logging in and kissing your security goodbye. However, this
is provided that the bogus insider has the same type of browser with the same
configuration.
### POLYMORPHIC INITIALIZATION AND SECURITY
To ensure more secure access, I suggest that the session_ID be
regenerated every time a page is loaded. And if someone logs in with the same
user name, it will either 1) prevent the user from logging in, 2) kick out
the existing user, or 3) lock out both users, and an email alert will be
sent to the original email address.
### FORGOT PASSWORD
This is easy. Just ask for the username and send a newly generated password
to the user_email. And remember to log the IP and whatever to prevent
unauthorized "forgot password" users. Of course, there are much more complex
ways - dual verification via script or full-scale security via an
administrator, which is much better.
I hope all this code helps. If you have any other issues, feel free
to ask.
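A hardened version of the [sentry.php] check described above, as an added example that is not part of the original post. It keeps the post's columns (session_ID, session_IP, session_agent, session_time) and the 600-second inactivity limit, but uses a PDO prepared statement, a keyed hash (hash_hmac with a server secret) instead of plain md5, random_bytes for the session id, and rotates the id on every page load as the POLYMORPHIC section suggests. The $db handle, $key secret and the function names are assumptions.

```php
<?php
// Added example (not the original post's code). Assumes a PDO handle $db and a
// server-side secret string $key; table and column names follow the post.
declare(strict_types=1);

const SESSION_TTL = 600; // seconds of inactivity allowed, as in the post

// Keyed hash of the client fingerprint, so a leaked table row does not expose
// the raw IP/agent and md5 values cannot be precomputed offline.
function fingerprint(string $ip, string $agent, string $key): array
{
    return [hash_hmac('sha256', $ip, $key), hash_hmac('sha256', $agent, $key)];
}

// Unpredictable session id from the CSPRNG (timing/IP, as the post suggests, is guessable).
function newSessionId(): string
{
    return bin2hex(random_bytes(32));
}

// Validates the submitted session id against the stored record. On success the id is
// rotated and the timestamp refreshed; the new id is returned so the page can emit it.
// On any failure the stored id is wiped (so it cannot be replayed) and null is returned.
function sentryCheck(PDO $db, string $sid, string $ip, string $agent, string $key, int $now): ?string
{
    $stmt = $db->prepare('SELECT id, session_IP, session_agent, session_time FROM user_list WHERE session_ID = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown or already-invalidated session
    }
    [$ipHash, $agentHash] = fingerprint($ip, $agent, $key);
    $fresh = ($now - (int) $row['session_time']) <= SESSION_TTL;
    $match = hash_equals((string) $row['session_IP'], $ipHash)
          && hash_equals((string) $row['session_agent'], $agentHash);
    if (!$fresh || !$match) {
        $db->prepare('UPDATE user_list SET session_ID = NULL, session_time = 0 WHERE id = ?')
           ->execute([$row['id']]);
        return null;
    }
    $newSid = newSessionId();
    $db->prepare('UPDATE user_list SET session_ID = ?, session_time = ? WHERE id = ?')
       ->execute([$newSid, $now, $row['id']]);
    return $newSid;
}

// Usage at the top of a protected page (sid taken from the URL or hidden field, as in the post):
$newSid = sentryCheck($db, (string) ($_REQUEST['sid'] ?? ''), $_SERVER['REMOTE_ADDR'],
                      $_SERVER['HTTP_USER_AGENT'] ?? '', $key, time());
if ($newSid === null) {
    header('Location: /index.php');
    exit;
}
```

Because the id changes on every request, the page must put $newSid into every link and form it renders; a stale id submitted later simply fails the lookup and is treated as a logout.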