PHP Login/Auth System

Drakkon

Is there a great script out there that creates a login/auth system for PHP...maybe MySQL driven...something with encrypted passwords, cookies, etc. that allows for the include at the top of other PHP pages that creates a "secure" page or something along those lines?
I've looked at a few out there but wondered if any have found one that really stands out.
 

nace186

My PHP knowledge is limited, but as far as I know, after the user submits their login information, you could use PHP to check their credentials against what's in the database. For security purposes, you could encrypt the password on the client side using JavaScript, and check the encrypted password against the encrypted password in the database. But either way, it could be subject to the middle man attack.

Anyway, after the user is verified, you could set a session variable to be true, and then for other PHP pages, you could check if that variable is true or not. If true, that means the user is verified and allowed to view. If not, deny or direct them to the login screen.

Although this way is not that secure either, I think; sessions are capable of being hijacked. You could add other security measures like storing their IP address in the database and checking their IP when they log in, but that also could be spoofed.

I think there's a better way to do the login/auth system by using the HTTPS protocol, but I don't know much about that.

 

Drakkon

I'm not looking for anything super secure...just something to handle user registration/login/cookies so I don't have to set it all up myself :p
I'm looking into something like sitelok - I just wish I could find a freeware version people are familiar/comfortable with that I could modify/change to my needs :)
 

troytime

Originally posted by: Aikouka
As for password verification, MD5 hash ftw.


Don't use JUST the password for the MD5 hash.
It's best to use a combination of the password, another user-specific data field (that will never change) and a private unique key (string).

I like to use the insert datetime and password (plus a unique string).
 

Aikouka

Originally posted by: troytime
Don't use JUST the password for the MD5 hash.
It's best to use a combination of the password, another user-specific data field (that will never change) and a private unique key (string).

I like to use the insert datetime and password (plus a unique string).

I can see why you'd do that... kind of. The point of a hash is to be irreversible... that's why you use them over an encryption or something of that sort. The only reason I could see is to avoid someone getting your database's list of MD5 hashes (i.e. passwords) and brute-forcing them. Although as the old adage goes... if someone wants something bad enough, they'll get it.
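
The per-user salting and session-flag ideas discussed in the posts above, as an added example that is not part of the thread: it uses PHP's built-in password_hash() and password_verify(), which generate and store a random per-user salt, in place of a hand-built MD5 combination. The $users array (a constructed stand-in for a MySQL table), the function names and /login.php are assumptions.

```php
<?php
// Added example. $users is a constructed stand-in for a MySQL users table;
// function names and /login.php are hypothetical.

function register_user(array &$users, string $name, string $password): void {
    // password_hash() picks a random per-user salt and a slow algorithm,
    // and stores the salt and cost inside the returned string.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function verify_login(array $users, string $name, string $password): bool {
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

function login(array $users, string $name, string $password): bool {
    if (!verify_login($users, $name, $password)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after authentication
    $_SESSION['user'] = $name;     // server-side flag checked by require_login()
    return true;
}

// Call at the top of every protected page, after session_start().
function require_login(): void {
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
}

// Command-line demonstration with constructed accounts (hashing part only).
if (PHP_SAPI === 'cli') {
    $users = [];
    register_user($users, 'alice', 'correct horse');
    register_user($users, 'bob', 'correct horse');

    // Unsalted MD5: same password, same hash, so one guess covers both rows.
    var_dump(md5('correct horse') === md5('correct horse'));
    // Salted hashes differ even though the two passwords are equal.
    var_dump($users['alice'] === $users['bob']);
    var_dump(verify_login($users, 'alice', 'correct horse'));
    var_dump(verify_login($users, 'alice', 'wrong guess'));
}
```

On a web page, login() and require_login() need session_start() to have been called first, and the login form should be served over HTTPS so the password is not sent in the clear.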