Re: Please check my auth login script



On Fri, 06 Jun 2008 00:40:15 +0200, J. Frank Parnell <pos@xxxxxxxxxxxx> wrote:
The goal here is to use basic authentication for a user to log in, but keep a
cookie so that they don't have to log in every browser session.

<?
// Hard-coded credentials for this test script.
$user = "user";
$pass = "pass";

// No valid cookie pair? Fall back to HTTP Basic auth and keep answering 401
// until the browser sends matching credentials.
if (!isset($_COOKIE['user'], $_COOKIE['pass'])
    OR ($_COOKIE['user'] != $user) OR ($_COOKIE['pass'] != $pass)) {
    if (
        (!isset($_SERVER['PHP_AUTH_USER'])) OR
        (!isset($_SERVER['PHP_AUTH_PW'])) OR
        ($_SERVER['PHP_AUTH_USER'] != $user) OR
        ($_SERVER['PHP_AUTH_PW'] != $pass)
    ) {
        header('WWW-Authenticate: Basic realm="test"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    }
}

// Basic auth succeeded: remember the user by storing the credentials
// themselves in two plain-text cookies (valid for about 28 hours).
if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    AND ($_SERVER['PHP_AUTH_USER'] == $user)
    AND ($_SERVER['PHP_AUTH_PW'] == $pass)) {
    setcookie("user", $user, time()+99999, "/");
    setcookie("pass", $pass, time()+99999, "/");
}

// Debug output: what the server received from cookies and from Basic auth.
echo '<pre>cookie:';
print_r($_COOKIE);
echo "<BR>";
echo 'auth-user: '.(isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '');
echo '<BR>auth-pass: '.(isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '');
?>

Anything wrong, or do you just want input?

If the latter:
0) Don't use short tags (use <?php ?> instead of <? ?>).
1) I'd hate to store plain passwords in cookies on the user's computer, which are not only usually stored in the clear on the HD there, but are also sent on _every_ request. I usually create a hash unrelated to user/pass details, and store that as valid for that user(-id); if that's too much you could encrypt a pass + a secret using some of the available encryption techniques used in PHP.

2) I have long ago decided against HTTP authentication 'cause, save for closing the browser or deleting ALL remembered passwords, there is no easy way to log out for the user in most common UAs. Sessions & a simple login form are IMO the way to go.

.... then again, I'm so used to applying only this technique I might not be able to make an unbiased comment, it's what I know best :)
--
Rik Wasmus
....spamrun finished
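The two suggestions above (a random server-side token instead of the password in the cookie, and a session plus login form so the user can actually log out) put together as an added example. This is not code from the thread or from either poster; it assumes PHP 7.3 or newer for the array form of setcookie(), an HTTPS site, and stands in a JSON file and an in-script $USERS array for the database tables a real application would use. The cookie name, file name and function names are choices made for this example.

```php
<?php
// Added example, not code from the original thread: session-based login with a
// "remember me" cookie that carries a random token, never the password.
// Assumes PHP >= 7.3 and HTTPS; user store and token file are stand-ins for a DB.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;               // 30 days
const TOKEN_FILE      = __DIR__ . '/remember_tokens.json';

// Constructed user store: username => password hash. The hash is computed at
// runtime here only so the demo is self-contained (password is "pass").
$USERS = ['user' => password_hash('pass', PASSWORD_DEFAULT)];

function load_tokens(): array {
    return is_file(TOKEN_FILE) ? (json_decode((string)file_get_contents(TOKEN_FILE), true) ?: []) : [];
}
function save_tokens(array $tokens): void {
    file_put_contents(TOKEN_FILE, json_encode($tokens), LOCK_EX);
}

// Issue a remember-me token. The cookie holds "selector:validator"; the server
// keeps only sha256(validator), so a leaked token file cannot be replayed.
function issue_remember_cookie(string $user): void {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $tokens = load_tokens();
    $tokens[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    save_tokens($tokens);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Map the cookie back to a username, or null if it is missing, malformed,
// unknown, expired or tampered with. hash_equals() avoids a timing side channel.
function user_from_remember_cookie(?string $cookie): ?string {
    if ($cookie === null || substr_count($cookie, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = load_tokens()[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) return null;
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user'] : null;
}

// Revoke the token server-side and clear the cookie.
function forget_remember_cookie(?string $cookie): void {
    if ($cookie !== null && substr_count($cookie, ':') === 1) {
        $tokens = load_tokens();
        unset($tokens[explode(':', $cookie, 2)[0]]);
        save_tokens($tokens);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
}

session_start();

// Logout: the part HTTP Basic auth cannot offer the user.
if (isset($_GET['logout'])) {
    forget_remember_cookie($_COOKIE[REMEMBER_COOKIE] ?? null);
    $_SESSION = [];
    session_destroy();
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}

// Login form submission: verify against the stored hash, never a plain string.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (isset($USERS[$u]) && password_verify($p, $USERS[$u])) {
        session_regenerate_id(true);                   // defeat session fixation
        $_SESSION['user'] = $u;
        if (!empty($_POST['remember'])) issue_remember_cookie($u);
    }
}

// Silent login from the remember-me cookie when there is no session yet.
if (!isset($_SESSION['user'])
    && ($u = user_from_remember_cookie($_COOKIE[REMEMBER_COOKIE] ?? null)) !== null) {
    session_regenerate_id(true);
    $_SESSION['user'] = $u;
}

if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user']) . ' <a href="?logout=1">log out</a>';
} else {
    echo '<form method="post">User: <input name="username"> Pass: <input type="password" name="password"> '
       . '<label><input type="checkbox" name="remember" value="1"> remember me</label> <button>Log in</button></form>';
}
```

The selector/validator split is what lets the lookup be a plain key match while the comparison that matters stays constant-time; storing only the hash of the validator means the token file is useless to anyone who copies it, which is the property the plain user/pass cookies in the original script lack. Dropping the cookie file into __DIR__ is for the demo only; put it outside the web root or in a database in anything real.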