if login user has no cookies how to authenticate? - php


nanny
03-02-2007, 11:45 PM
Hi, I read in a Dreamweaver book that because session variables don't work if cookies are turned off on the end user's machine, I can't get the User Authentication server behaviours to authenticate.
If cookies are turned off, it says to pass a unique ID in the URL variable so that each page that has an access level set up on it can authenticate users using the URL variable instead of a session variable.

I am not sure how to do this - does it mean that the login is an IF situation of either MM_USERNAME or access level or to use both?

Any suggestions??

davidj
03-03-2007, 10:19 AM
cookies and server sessions are different

a cookie is controlled by the client or end user and is a small text file stored on the user's machine. Mainly you would use cookies to maybe remember a user and store their account details in the file. When they return to the site the page first looks to see if the file exists before using the details to auto login the user. The user has control over these files and can switch cookies on or off, therefore it's deemed bad practice to use cookies as an integral part of any application as the developer has no control over them

PHP SESSIONS are different as these are stored and controlled on the web server. They are there and available from the installation of PHP and are often used throughout systems. They are created and destroyed on the fly and accessed, once created, any time through a session (the time the user is logged in)

If you have a login script and are querying a database the chances are your username will be stored as a session on the server and if this username is unique then you could take this value to query your user table and extract more information at a later stage about the user like auto populating an address in a form etc

"authenticate users using the URL variable instead of a session variable."

I don't know who wrote this book but I have never heard of this method of passing user details through a querystring or URL to authenticate them. Why would you do that?

It works like this...

in a form you have a couple of methods to submit data. POST and GET

POST submits the data through the body or headers of the page where GET uses the address field to append your query to the URL string and pass the values (key value pair). If for instance you pass your data to a process.php page the url would look like this...
www.domain.com/process.php?value1=A&value2=B
so using a querystring to authenticate is bad practice as the data is passed in full view! also your password would have to be included in the querystring !!!!!!! (love to speak to the author of that book)

when logging into a system use POST and login using 1 page only.

if you are struggling with your script try this...

http://www.dreamweaverclub.com/vtm

you will understand the concept and have a working login system up and running within the hour
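
An added example, not part of the thread or the Dreamweaver book: a single-page POST login in PHP where the session ID travels only in a cookie and is never read from or written into the URL. The user table, the `members.php` target and the form markup are assumptions; `MM_USERNAME` is the session key named in the question.

```php
<?php
// Added example: single-page POST login with cookie-only sessions.
// $users is constructed sample data; a real app reads it from the database.
$users = ['nanny' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

session_start([
    'use_only_cookies' => 1,      // never accept a session ID from the URL
    'use_trans_sid'    => 0,      // never rewrite links to carry the session ID
    'use_strict_mode'  => 1,      // ignore session IDs the server did not issue
    'cookie_httponly'  => 1,      // hide the cookie from page scripts
    'cookie_secure'    => 1,      // HTTPS only; the login will not persist over plain HTTP
    'cookie_samesite'  => 'Lax',  // needs PHP 7.3 or later
]);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Credentials are read from the POST body only, never from $_GET.
    $name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    // An unknown name is checked against a throwaway hash so password_verify still runs.
    $hash = $users[$name] ?? password_hash('unused', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hash) && isset($users[$name]);
    if ($ok) {
        session_regenerate_id(true);       // fresh session ID at the moment of login
        $_SESSION['MM_USERNAME'] = $name;  // the server-side record of who is logged in
        header('Location: members.php');   // hypothetical protected page
        exit;
    }
    $error = 'Invalid username or password.';
}
// Protected pages call session_start() with the same options and
// redirect back here unless $_SESSION['MM_USERNAME'] is set.
?>
<form method="post">
  <input name="username" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
  <button type="submit">Log in</button>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
</form>
```

With these settings a browser that refuses cookies simply stays logged out; the session ID never appears in a link, the address bar or a server log.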