
Password Protect - Theory



Ok, we've covered the password issue. Before we write the script we have to think about all the ways pages can be accessed (not just displayed) and about the flow. Flow charts vary according to the spec, so below is an example based on the script you can get here.

user flow

To start with we need a login page, a validation script, a success page and a logout script. The flow should be like this:

  • A user fills in the form and submits it
  • The data is sent to a validation script
  • If the user is authorised, he is redirected to the success page
    • all calls to other pages are passed to the validation script to verify status
  • If the user is not authorised, he is returned to the login page (perhaps with a message)
authorised user

If a user is validated he is sent a cookie. This is a session cookie, which is not stored on the hard drive; session cookies expire once the browser is closed. The user can also log out manually via a link, which deletes the cookie and returns the user to the login page.

A logged-in user could come back to the login page, so the login page has a routine that checks whether the user is already logged in and, if so, removes the form and provides a link to continue their session.

Someone who is a bit nosey might look at the login page's source code and notice that the form data is sent to validate.php. If they enter validate.php directly into the browser's address bar, the script again checks their status and provides a message and a link.

All protected pages call validate.php to verify the user's status before presenting the requested page.

non authorised user

Someone looking to see whether they can reach any pages without being logged in can try several things. They can:

  • try to guess the username and password
  • look at the login page code and try to access validate.php directly
  • try to guess the URLs of protected pages

There are other things they can do and tools they can use, and at the end of the day your username and password are sent over the net unencrypted. Even if they were scrambled, they could still be intercepted and recovered; only a secure connection protects them in transit.

This is not meant to put you off protecting non-sensitive data, or to scare you. The risks are there whenever you put content on the web; all I am doing is letting you know some of them. Be aware of the risks but don't worry needlessly about them. :)

As a developer you have to eliminate lots of problems that could occur either through user error or through someone looking for holes. Never assume that visitors will use the site the same way you would.

Just do everything you can to protect the area, and remember that some things are outwith your control, such as server security.

As a final precaution we validate anything entered into the form so it can't do any harm: usernames and passwords may only contain letters and numbers (no spaces).
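As an added example (not the WebDevTips script itself), here is how the flow above could be implemented in PHP 7.3 or later: the letters-and-digits check on form input, a validate.php-style credential check, a cookie that lasts only for the browser session, the logged-in check used by the login page and by a direct visit to validate.php, the check every protected page makes first, and the logout. The function names, page URLs and the constructed user store are assumptions, and password_hash()/password_verify() stands in for whatever password storage you use.

```php
<?php
// Added example, not the WebDevTips script (PHP 7.3+). Names and store are assumptions.
declare(strict_types=1);
// Usernames and passwords may only contain letters and digits (no spaces).
function isValidCredential(string $value): bool {
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $value) === 1;
}
// Reject malformed input before looking anything up, and fail the same way for
// an unknown user and a wrong password so the message reveals nothing.
function checkLogin(string $user, string $pass): bool {
    if (!isValidCredential($user) || !isValidCredential($pass)) return false;
    // Constructed store for the demo: username => password_hash() output.
    // A real script reads stored hashes and never keeps plain-text passwords.
    $store = ['alice' => password_hash('Sunshine123', PASSWORD_DEFAULT)];
    return isset($store[$user]) && password_verify($pass, $store[$user]);
}
// Session cookie only: lifetime 0 dies with the browser; hidden from script; HTTPS-only when available.
function startSession(): void {
    if (session_status() !== PHP_SESSION_NONE) return;
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true,
        'secure' => !empty($_SERVER['HTTPS']), 'samesite' => 'Lax']);
    session_start();
}
// validate.php calls this after checkLogin() succeeds; a fresh id stops a pre-login id being reused.
function loginUser(string $user): void {
    startSession();
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}
// Used by the login page (to hide the form) and by validate.php when opened directly.
function isLoggedIn(): bool {
    startSession();
    return !empty($_SESSION['user']);
}
// Every protected page calls this before printing anything.
function requireLogin(string $loginPage = 'login.php'): void {
    if (isLoggedIn()) return;
    header('Location: ' . $loginPage);
    exit;
}
// logout.php: drop the session data and the cookie, then back to the login page.
function logout(string $loginPage = 'login.php'): void {
    startSession();
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
    header('Location: ' . $loginPage);
    exit;
}
```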

Now on to the scripts. First we'll look at the login page.


[Copyright © WebDevTips]