User Authentication with PHP?

What's considered a prudent approach for handling DB-based user authentication with PHP?

Say I've got login.php, which has a username and password field and a submit button. When I click submit, it uses POST to submit those fields to some sort of authentication page. How can I open the initial connection to the DB to allow the authentication without storing a username/password in the file?

I considered having it redirect if the referrer isn't the localhost, but that doesn't prevent spoofing or wget does it?
 
You mean without storing a username and password to the database? Well, as long as we are talking PHP, then trying to get that file directly (via wget or a browser, whatever) will not result in access to that information since it is stored in a variable server-side, and not sent to the client.

That said, common practice is to keep that stuff out of the web root or in PHP's include directory to be include()'d in any script that may need it. This prevents accidents where a misconfigured web server can serve script pages like PHP or others as plaintext.
 
Agreed. Store sensitive scripts/configs outside the web root.

When you post data, it is server-side. Nothing is being stored when it is being sent from login.php to authenticate.php. Once you have validated, THEN you can create a session and store the data that you want.

P.S. Store sessions in your database if you are on shared hosting.
 
Make sure to encrypt the password in the database as well.
Are you using any PHP frameworks?
 
Make sure to encrypt the password in the database as well.
Are you using any PHP frameworks?

It would make more sense to hash and salt it than to encrypt it. Also please avoid making it easy to do session hijacking.
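Putting the advice from the thread together (credentials included from outside the web root, nothing stored until the credentials are validated, salted hashing rather than encryption, and a session that is not trivially hijackable), here is an added example of an authenticate.php written for this thread; it is not code from any poster. It assumes PHP 7.3 or later with PDO and MySQL, a hypothetical layout where /var/www/html is the web root and /var/www/config/db.php returns the DSN and credentials, and a hypothetical users table with id, username and password_hash columns; the dummy-hash trick for missing users and the rehash-on-login are design choices of this example, not anything the thread prescribes.

```php
<?php
declare(strict_types=1);

// Credentials live in a file the web server never serves; only this include
// references it. Assumed contents of /var/www/config/db.php (hypothetical):
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//                 'user' => 'app_login',   // DB account limited to the users table
//                 'pass' => 'change-me'];
$cfg = require __DIR__ . '/../config/db.php';

// Cookie flags before session_start(): no JS access, HTTPS only, not sent cross-site.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function dbConnect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Registration side: store a salted, slow hash (bcrypt via PASSWORD_DEFAULT),
// never the password itself and never a reversible ciphertext.
function createUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login side: returns the user id on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    // Always run password_verify(), even for an unknown username, so response
    // time does not reveal which accounts exist. Check $ok after computing it;
    // short-circuiting on $row first would skip the hash and reintroduce the leak.
    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }

    // Transparent upgrade if the default cost or algorithm has since been raised.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Request handling: the form data only ever exists in $_POST on the server;
// nothing is persisted until the credentials have been validated.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$pdo    = dbConnect($cfg);
$userId = authenticate($pdo, $username, $password);

if ($userId === null) {
    http_response_code(401);
    echo 'Invalid username or password.';   // same message for both failure cases
    exit;
}

// Rotate the session id on privilege change so an id that was fixated or
// sniffed before login is not promoted to an authenticated session.
session_regenerate_id(true);
$_SESSION['user_id']  = $userId;
$_SESSION['login_at'] = time();
header('Location: /home.php');
exit;
```

Two points worth checking in a deployment of this pattern: confirm that requesting /../config/db.php style paths through the web server really does fail (the include path is only as private as the document-root configuration makes it), and set session.use_strict_mode = 1 in php.ini so PHP refuses session ids it did not issue, which closes the fixation case that session_regenerate_id() alone does not.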
 