NYPHP.org

[nycphp-talk] secure login/logon

David Krings ramons at gmx.net
Mon Aug 6 08:06:19 EDT 2007


PaulCheung wrote:
> I just need pointing in the right direction. Does anybody know where I 
> should be looking for in information on secure login/logon (using PHP 5 
> and DOES NOT USE COOKIES) with coding examples?
> 
When you say "secure login", do you mean changing over to https? Do you 
want to use a database?
Typically, you would keep track of user's logins in a session, but that 
means using a cookie. One way that I thought of without using a database 
and cookies is checking on page access against the password file of 
Apache, which on top forces a user name / password entry on the first 
access. There may be a way to get the valid user state from Apache 
through $_SERVER, but I don't know. In any case, you would need to reset 
the logged in state for a user as soon as they leave the page (means as 
soon as your php/html is finished), same as entering the secure mall 
area and leaving it.
That is far away from ideal as I can think instantly of a whole bunch of 
scenarios where this falls apart, but it would be as safe or unsafe as 
electronic access control in a mall building. In that case, as soon as 
you leave the secured area and want to enter again, you have to use the 
credentials again. A finished page is to be considered leaving the 
secured area. Otherwise it will be like propping the door open. In 
regards to the web app, if you do not mandate reauthentication on each 
page load one can login once and then leave the web browser open for 
everyone else to use. Using a timer comes to mind that after finishing 
redirects to an unsecure page or at least requires reauthentication (this 
is like the security guard who asks for your credentials and in case 
you don't have them kicks you out), but I have no idea how timers behave 
in connection to any links or forms on the page.

Hmmm, no real answer, but maybe I just put enough crazy ideas on the 
table that allow you to steer into the right direction. Is this for some 
demo? Would be kewl if you get one of these cheap keyboard wedges that 
translate magcard swipes into typed characters. Then you can mimic a 
real access control system with card swipe plus PIN.

If you need any further details on the "real" access control part let me 
know, I worked in the industry for almost seven years.

David
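The cookie-free approach sketched above (checking each request against Apache's password file and treating every finished page as "leaving the secured area") can be expressed as HTTP Basic authentication enforced on every page load. The following is an added example, not code from the original thread: it assumes PHP 7 or later running as an Apache module so that `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` are populated, an htpasswd file written with bcrypt (`htpasswd -B`) at a hypothetical path, and HTTPS in front of it, since Basic auth only base64-encodes the credentials.

```php
<?php
// Added example, not from the original post: stateless login with no
// cookies and no PHP session. Every request re-sends credentials, which
// the server re-checks against an htpasswd-style file.
declare(strict_types=1);

// Hypothetical path; keep the file outside the document root.
const HTPASSWD_FILE = '/var/www/private/.htpasswd';

/**
 * Parse an htpasswd file ("user:hash" per line, '#' comments) into
 * [username => hash].
 */
function load_htpasswd(string $path): array
{
    $users = [];
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $users;
    }
    foreach ($lines as $line) {
        if ($line[0] === '#') {
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] !== '' && $parts[1] !== '') {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

/**
 * Verify a username/password pair. Only bcrypt ($2y$) entries are accepted,
 * so legacy crypt()/MD5-apr1 hashes in the same file never grant access.
 * For unknown users a bcrypt hash is still computed so a failed attempt
 * takes roughly as long as a real check (no cheap username enumeration).
 */
function check_credentials(array $users, string $user, string $pass): bool
{
    if (isset($users[$user]) && strncmp($users[$user], '$2y$', 4) === 0) {
        return password_verify($pass, $users[$user]);
    }
    password_hash($pass, PASSWORD_BCRYPT); // burn comparable work, then fail
    return false;
}

/**
 * Demand valid Basic-auth credentials on this request; on failure send a
 * 401 challenge so the browser prompts for user name / password, and stop.
 * Returns the authenticated user name on success.
 */
function require_basic_auth(): string
{
    $users = load_htpasswd(HTPASSWD_FILE);
    $user  = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass  = $_SERVER['PHP_AUTH_PW'] ?? '';

    if ($user === '' || !check_credentials($users, $user, $pass)) {
        header('WWW-Authenticate: Basic realm="Members", charset="UTF-8"');
        header('Cache-Control: no-store');
        http_response_code(401);
        echo 'Authentication required.';
        exit;
    }
    return $user;
}

$who = require_basic_auth();
header('Cache-Control: no-store'); // protected pages must not be cached
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

One caveat that bears directly on the "propping the door open" concern in the message: browsers remember Basic-auth credentials and resend them automatically on every request to the realm for as long as the browser is open, and there is no server-side way to make them forget. The server really does re-check on each page load, but a user who walks away from an open browser leaves the door open exactly as described, so this scheme only matches the mall analogy if the browser is closed (or a per-realm logout trick such as a deliberately failing request is used). Sessions carried in the URL instead of a cookie (`session.use_trans_sid`) are the other cookie-free option PHP offers, but they expose the session ID in Referer headers, logs and bookmarks, which is why they are normally avoided.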
