You should never save passwords as plain text in the database, because anybody who gains access to the database (through a security hole, a leaked backup, etc.) would get every user's password at once, and many users reuse the same password on other sites.
The correct approach is to store a one-way hash of the password instead of the password itself. This is often loosely called "encrypting" the password, but encryption can be reversed by whoever holds the key; a password hash cannot be reversed at all, which is the point.
The process works as follows:
1. The user signs up to your site, providing a login and a password.
2. You save the login as is, and hash the password before saving it to the database. Use a slow, salted password hash: in PHP that is password_hash(), which uses bcrypt by default. Older code commonly used md5 for this; do not. md5 is fast and unsalted, so an attacker who has the table can crack most md5 password hashes in minutes with a precomputed wordlist or a GPU.
Make sure the password field in the database can fit the hash: md5 always produces a 32-character string, bcrypt via password_hash() produces 60 characters, and the PHP manual recommends a 255-character column so future algorithms fit too.
Example: $hashed_password = password_hash($password, PASSWORD_DEFAULT);
3. The user logs in to your site next time, providing login and password.
4. You validate like this:
- look up the stored hash by the login provided in the form
- check the password from the login form against that hash with password_verify(), which extracts the salt from the stored hash and compares in constant time. Do not hash the input yourself and compare the two strings with ==: PHP's loose comparison treats hash strings that look like numbers (for example ones starting with "0e" followed by digits) as equal, and string comparison leaks timing.
5. Now the user has forgotten his password and wants you to send it by email. You cannot retrieve the password, since you only have its hash.
So instead of sending the old password you should:
- send a link to a "new password" form, where the user chooses a new password. The link should carry a random, single-use token that expires after a short time, and the database should store only a hash of that token, so a database leak does not hand out live reset links.
OR
- auto-generate a new password for the user, send the plain password by email, and save only its hash to the database. The link approach is preferable, since an emailed password sits readable in the user's mailbox.
You may have noticed that many sites never send you your old password when you use the password reminder. These sites follow the approach above, where nobody knows the user's password (not even the site admins).
Now nobody can simply read the passwords, even after unauthorized access to the user table: they only see the hashes, and with a salted, slow hash each one has to be guessed separately. Weak passwords can still be guessed, which is why the hash must be slow and why password rules matter.
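The following is an added example, not code from the original tutorial, showing why md5 is not acceptable for this and what password_hash() changes. The wordlist and the "stolen" user table are constructed for the demo; the md5 digests and bcrypt hashes are computed at run time.

```php
<?php
// Added example (not part of the original tutorial): unsalted, fast md5
// versus a salted, slow password hash. All data below is constructed.

// An attacker who steals an md5-only user table does not reverse anything:
// they hash a wordlist once and look every stolen hash up in it.
$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'iloveyou'];
$lookup = [];
foreach ($wordlist as $word) {
    $lookup[md5($word)] = $word;   // precomputed once, reused for every victim
}

// constructed "stolen" table; two users happen to share a password
$stolen = [
    'alice' => md5('letmein'),
    'bob'   => md5('letmein'),
    'carol' => md5('correct horse battery staple'),
];
foreach ($stolen as $user => $hash) {
    $cracked = $lookup[$hash] ?? '(not in wordlist)';
    printf("%-6s %s -> %s\n", $user, $hash, $cracked);
}
// alice and bob have identical hashes: cracking one cracks both, and the
// attacker can see who shares a password before cracking anything.

// password_hash() salts each hash, so equal passwords give different hashes,
// and bcrypt is deliberately slow (cost factor 10, i.e. 2^10 iterations, by
// default), so a wordlist must be re-hashed per user instead of once for all.
$h1 = password_hash('letmein', PASSWORD_DEFAULT);
$h2 = password_hash('letmein', PASSWORD_DEFAULT);
var_dump($h1 === $h2);                       // bool(false): different salts
var_dump(password_verify('letmein', $h1));   // bool(true)
var_dump(password_verify('letmein', $h2));   // bool(true)

$start = microtime(true);
foreach ($wordlist as $word) {
    password_verify($word, $h1);
}
printf("5 bcrypt guesses took %.3f s; md5 does millions per second\n", microtime(true) - $start);

// A second trap in comparing hashes with ==: PHP compares numeric-looking
// strings as numbers. Both of these md5 digests begin with "0e" followed only
// by digits, so == sees 0 == 0 although the digests differ.
var_dump(md5('240610708') == md5('QNKCDZO'));    // bool(true)
var_dump(md5('240610708') === md5('QNKCDZO'));   // bool(false)
// password_verify() (or hash_equals() for other hashes) avoids this and
// compares in constant time.
```

Run it with php from the command line; the bcrypt timing line is the practical difference, and the last two lines show why the comparison style matters as much as the hash choice.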
Simple login code example (the host, database name and credentials are placeholders).
// login / password from the login form
$login = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
// retrieve the stored password hash with a prepared statement
// (the old mysql_* functions were removed in PHP 7, and user input must
// never be pasted into the SQL string)
$pdo = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT user_password FROM users WHERE user_login = ?');
$stmt->execute([$login]);
$user_password_from_db = $stmt->fetchColumn();   // false when the login is unknown
// password_verify() reads the salt and cost from the stored hash and compares
// in constant time; do not md5() the input and compare the strings with ==
if ($user_password_from_db !== false && password_verify($password, $user_password_from_db)) {
    // password is ok
    // upgrade the stored hash if the default algorithm or cost has changed
    if (password_needs_rehash($user_password_from_db, PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE users SET user_password = ? WHERE user_login = ?');
        $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $login]);
    }
}
else {
    // wrong password, or unknown login; give the user the same message for both
}
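The login snippet above covers step 4 only. The following is an added example, not code from the original tutorial, that walks through the sign-up, login and forgotten-password steps together with the same hashing discipline. The functions register(), login(), request_reset() and complete_reset() are names chosen for this example, and an in-memory array stands in for the users table so the script runs offline; in a real site each array access becomes a prepared statement.

```php
<?php
// Added example, not from the original tutorial. The $users array replaces
// the database table; the 8-character minimum and 15-minute token lifetime
// are example policies, not requirements from the text.

$users = [];   // login => ['hash' => bcrypt hash, 'reset' => ['token_hash', 'expires'] or null]

function register(array &$users, string $login, string $password): bool
{
    if (isset($users[$login]) || strlen($password) < 8) {
        return false;
    }
    // only the salted bcrypt hash is stored; the plain password is never written anywhere
    $users[$login] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'reset' => null];
    return true;
}

function login(array &$users, string $login, string $password): bool
{
    // verify against a throwaway hash for unknown logins so response time
    // does not reveal which logins exist
    $known = isset($users[$login]);
    $hash = $known ? $users[$login]['hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // transparently upgrade hashes made with an older algorithm or lower cost
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$login]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function request_reset(array &$users, string $login): ?string
{
    if (!isset($users[$login])) {
        return null;   // the page should still say "if that account exists, mail was sent"
    }
    $token = bin2hex(random_bytes(32));   // 256-bit random token; this goes into the emailed link
    $users[$login]['reset'] = [
        'token_hash' => hash('sha256', $token),   // store only a hash, so a DB leak yields no live tokens
        'expires'    => time() + 15 * 60,        // short lifetime
    ];
    return $token;
}

function complete_reset(array &$users, string $login, string $token, string $new_password): bool
{
    $reset = $users[$login]['reset'] ?? null;
    if ($reset === null || time() > $reset['expires'] || strlen($new_password) < 8) {
        return false;
    }
    if (!hash_equals($reset['token_hash'], hash('sha256', $token))) {
        return false;   // constant-time comparison of the token hashes
    }
    $users[$login]['reset'] = null;   // single use
    $users[$login]['hash'] = password_hash($new_password, PASSWORD_DEFAULT);
    return true;
}

// walk-through of the five steps from the text
var_dump(register($users, 'alice', 'hunter2hunter2'));                   // bool(true)
var_dump(login($users, 'alice', 'hunter2hunter2'));                      // bool(true)
var_dump(login($users, 'alice', 'wrong'));                               // bool(false)
$token = request_reset($users, 'alice');                                 // would be sent as a link by email
var_dump(complete_reset($users, 'alice', 'bad-token', 'newpassword1'));  // bool(false)
var_dump(complete_reset($users, 'alice', $token, 'newpassword1'));       // bool(true)
var_dump(complete_reset($users, 'alice', $token, 'another1234'));        // bool(false): token already used
var_dump(login($users, 'alice', 'newpassword1'));                        // bool(true)
var_dump(login($users, 'alice', 'hunter2hunter2'));                      // bool(false): old password gone
```

Note that the reset token is treated exactly like a password: generated from a CSPRNG, stored only as a hash, compared with hash_equals(), and invalidated after one use or on expiry.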