Re: Digest Authentication [message #179961 is a reply to message #179868]
Sat, 22 December 2012 19:15
legalize+jeeves
Messages: 21 Registered: September 2010
[Please do not mail me a copy of your followup]
Jerry Stuckle <jstucklex(at)attglobal(dot)net> spake the secret code
<kae95p$7m5$1(at)dont-email(dot)me> thusly:
> Additionally, I think a very low percentage of PHP sites use such
> authentication. Most have their own login page (using https protocol).
> Once the user logs in, the script sets the appropriate information in
> the $_SESSION array. Pages which require login just check for the
> necessary data in the $_SESSION array, and if incorrect, redirect the
> user to the login page. If the data are correct, the script just
> continues with what it's supposed to do.
I recently implemented this exact mechanism for an open source project.
Additionally, I would add that you shouldn't store cleartext passwords
in the database, but instead store a cryptographic hash of the password
and compare hashes to authenticate. This means that if someone gets
ahold of your database, they still don't know cleartext passwords.
My implementation is located here: <http://manx.codeplex.com>
--
"The Direct3D Graphics Pipeline" free book <http://tinyurl.com/d3d-pipeline>
The Computer Graphics Museum <http://computergraphicsmuseum.org>
The Terminals Wiki <http://terminals.classiccmp.org>
Legalize Adulthood! (my blog) <http://legalizeadulthood.wordpress.com>
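The mechanism discussed in this thread (login form sets $_SESSION, protected pages check it and redirect otherwise, passwords stored only as a hash), as an added example in PHP. This is not code from the original post or from the manx project linked above. It assumes PHP 5.5 or later for password_hash()/password_verify(), a PDO connection $pdo, and a table users(id, username, password_hash); those names are hypothetical.

```php
<?php
// Added example of session-based login with hashed passwords.
// Assumes PHP >= 5.5 (password_hash/password_verify), a PDO handle $pdo
// and a hypothetical table users(id, username, password_hash).

// Session cookie should only travel over HTTPS and be invisible to script.
session_set_cookie_params(0, '/', '', true, true);
session_start();

function find_user(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row : null;
}

// Registration: store only a salted, slow hash (bcrypt via PASSWORD_DEFAULT),
// never the cleartext password and never a bare MD5/SHA digest.
function create_user(PDO $pdo, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    return $stmt->execute(array($username, $hash));
}

// Login: password_verify() re-hashes the submitted password with the salt
// embedded in the stored hash and compares in constant time.
function attempt_login(PDO $pdo, $username, $password)
{
    $user = find_user($pdo, $username);
    // Verify against a throwaway hash when the user does not exist so that
    // response time does not reveal which usernames are valid.
    $hash = $user ? $user['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if (!$user || !$ok) {
        return false;
    }
    // Fresh session id on privilege change defends against session fixation.
    session_regenerate_id(true);
    // Keep only an identifier in the session: not the password, not the hash.
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// Put this at the top of every page that requires a logged-in user.
function require_login($login_url = '/login.php')
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return $_SESSION['user_id'];
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

// Usage in login.php (form fields 'username' and 'password', both hypothetical):
// if (attempt_login($pdo, $_POST['username'], $_POST['password'])) {
//     header('Location: /home.php'); exit;
// }
// Usage in a protected page:
// $uid = require_login();
```

A stolen copy of the users table then yields only bcrypt hashes, each with its own salt, so an attacker has to brute-force every account separately; the slow hash is what makes that expensive, which a single unsalted MD5 or SHA-1 of the password does not.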