Web Design Forum: security - Web Design Forum


#1 designer09

Posted 15 March 2010 - 12:44 AM

Security

I don't want accounts registering and all that; it's too complicated for my users. However, I do want the pictures and movies being protected as other documents, but yet again not on every page re-enter the password (or rar-files).

- One lifetime entering password for all pages.
- No registration or whatsoever

I'm new, but my idea is to have the intro page (big logo) and right under it the enter password.
If they have not entered the password before and are visiting an online page, they will be redirected to the big logo page and have to enter it once.

Is this done using cookie and PHP password only?

Thanks in advance :friends:
0

#2 Geeks

Posted 15 March 2010 - 06:49 AM

Sessions or cookies would be the easiest.

I normally use something like this (this is not working code, just the theory/pseudocode).
Put this above each secured page.

perform a check to see if cookie or session is set

if it is not

    check for posted values; if they are not set, redirect to login.php

    entered_user_name = md5($_POST['username']) - get username from previous page's form using post
    entered_password = md5($_POST['password']) - get password from previous page's form using post

    username = xxxxxx (fetch encrypted username from code or database)
    - if using a DB then get the row where username = entered_user_name
    - (if using a DB remember to use mysql_real_escape_string)
    password = xxxxxx (fetch encrypted password from code or database)
    - if using a DB then get the row where username = entered_user_name
    - (if using a DB remember to use mysql_real_escape_string)

    if entered_user_name == username && entered_password == password
        set the cookie or session
        I normally create
        - a cookie named "approved" and set its value to entered_user_name . "|" . entered_password
        - a cookie named "username" and set its value to entered_user_name (the encrypted variable)
        set the expiry date to 10 mins from now
    if no match
        set cookie "attempts" to increment
        redirect to login.php


if cookie or session is set

    secure_ID = cookie or session value of "approved"
    current_user_name = cookie or session value of "username"

    username = xxxxxx (fetch encrypted username from code or database)
    - if using a DB then get the row where username = current_user_name
    - (if using a DB remember to use mysql_real_escape_string)
    password = xxxxxx (fetch encrypted password from code or database)
    - if using a DB then get the row where username = current_user_name
    - (if using a DB remember to use mysql_real_escape_string)

    if secure_ID == username . "|" . password
        set the cookie or session
        I normally create
        - a cookie named "approved" and set its value to entered_user_name . "|" . entered_password
          *the "|" is just in case I need them separately
        - a cookie named "username" and set its value to entered_user_name (the encrypted variable)
        set the expiry date to 10 mins from now
    if no match
        set cookie "attempts" to increment
        unset cookie "approved"
        unset cookie "username"
        redirect to login.php

In short:

1) check for existing login
2) if no existing login, check credentials
3) if logged in, check that login is legitimate
4) in login.php check number of attempts
0

#3 rallport

Posted 15 March 2010 - 09:11 AM

While you're hashing your passwords you may as well salt them; small extra effort, hugely improved security.
0
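
The flow from posts #2 and #3, as an added example (not code from any poster in this thread): it keeps the "approved" flag in a server-side PHP session instead of putting md5 values in cookies, and checks the password with password_hash()/password_verify(), which salt automatically. The file name gate.php, the /login.php path, the constants and the single shared site password are assumptions.

```php
<?php
// gate.php: added example; require_once it at the top of every protected page.
// Assumes PHP 7.3+, HTTPS, and a form on /login.php that posts "password".

// Placeholder: paste the output of password_hash("site password",
// PASSWORD_DEFAULT) here; it generates and embeds a random salt for you.
const SITE_PASSWORD_HASH = 'REPLACE_WITH_password_hash_OUTPUT';
const MAX_ATTEMPTS = 5;   // hypothetical limit per session
const IDLE_TIMEOUT = 600; // 10 minutes, the expiry used in post #2

session_set_cookie_params([
    'lifetime' => 0, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

function send_to_login(): void {
    header('Location: /login.php');
    exit;
}

$now = time();
// Existing login: the flag lives server-side, so the visitor cannot forge it.
if (!empty($_SESSION['approved'])) {
    if ($now - ($_SESSION['last_seen'] ?? 0) > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        send_to_login();
    }
    $_SESSION['last_seen'] = $now;
    return; // hand control back to the protected page
}

// No login yet: accept only a posted password and cap the guesses.
// The counter is per session only; add server-side rate limiting as well.
$attempts  = $_SESSION['attempts'] ?? 0;
$submitted = $_POST['password'] ?? null;
if (!is_string($submitted) || $attempts >= MAX_ATTEMPTS) {
    send_to_login();
}
if (!password_verify($submitted, SITE_PASSWORD_HASH)) {
    $_SESSION['attempts'] = $attempts + 1;
    send_to_login();
}
session_regenerate_id(true); // fresh session ID once authenticated
$_SESSION['approved']  = true;
$_SESSION['last_seen'] = $now;
unset($_SESSION['attempts']);
```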

#4 Geeks

Posted 15 March 2010 - 10:16 AM

Thank you rallport, duly noted.
0
