[karossii]

Okay, I have been exploring uer registration and login scripts extensively for a week or two now, and I think I am getting somewhere. As of now I am actually still working on database structure; but it seems that it is (to me) the more difficult part; writing the code should be easy if I am correct. (Though I need a lot more help on sessions, that will come later!)
.
My question is more of a general functionality one; I plan to have the login work as such...
.
The registration form gets the data;

• Collect IP address of user at registration, store in database as varchar(15) [such as [000.000.000.000']
  
• Collect desired userame
  
• Collect desired password and confirmation of password
  
• Collect email address and confirmation of email address

.
.
The registration PHP processes the data;

• Scan the user table and ensure username is available
  
• Scan the user table and ensure email is available
  
• Compare password & conf, email & conf - ensure they match before continuing.
  
• Check password for strength (minimum one Ucase, one Lcase, and one Numeral character, 8 to 16 characters in length)
  
• Collect datetime stamp of user registration
  
• Prepend encrypted (SHA1) IP to password, append encrypted (SHA1) datetime to password, encrypt this string (MD5)
  
• Store username, email, encrypted password, registration IP, and registration datetime in database table
  
• Send confirmation email with activation link

.
.
The table stores the following fields;

• userID {int(10), Auto_Increment, Primary Key}
  
• userName {varchar(32), unique}
  
• email {varchar(32), unique}
  
• password {varchar(32) [binary]}
  
• activated {tinyint(1), default '0'}
  
• registeredDate {datetime}
  
• registeredIP {varchar(15), default '000.000.000.000'}
  
• lastLoggedDate {datetime}
  
• lastLoggedIP {varchar(15), default '000.000.000.000'}
  
• curentDate {datetime}
  
• currentIP {varchar(15), default '000.000.000.000'}

.
.
The login form collects the data;

• username
  
• password
  
• Remember Me
  
• current IP address

.
.
The login PHP processes the data;

• Check for username in table
  
• call from table the registrationIP and registrationDate
  
• salt and encrypt the password
  
• compare passwords and log in or error out
  
• Store currentIP and currentDate,
  
• set cookie to keep logged in

.
The activation link sets 'activated' to true or 1.
The login script populates the 'currentDate' and 'currentIP' upon logging in.
The logout script populates and updates 'lastLoggedDate' and 'lastLoggedIP' from the 'current' fields upon logging out (either due to inactivity or by clicking the log out link), as well as clearing the 'current' fields.
.
Okay, so far I believe I have come up with a fairly strong registration and login script which provides for some extra functionality (such as "you last logged in on DATE, from IP") and can track the current IP to make sure the user who logged in is the only one using that session.
.
I thought of keeping a table of login attempts, which stores every login attempt, tracking: logged in/failed (0/1), IP, DateTime, and username... but I am not sure if that is needed or would be a waste of time / server space? I think this is necessary to block IPs and/or usernames that fail to log in X times, but I am not certain I need that functionality...?
.
Up to this point, is there anything I am missing, or just doing wrong?
.
.
Next, the big question; a checkbox field on the login page allows for 'Remember Me' or 'Keep me logged in.'... is it okay to store the encrypted password and a username on the clients computer? If not, what is the best (most secure without losing user convenience) way to approach this functionality?

This post has been edited by karossii: 23 November 2008 - 12:17 AM

[karossii]

OOPS!

I forgot one of the main things I meant to ask, and the primary reason I was posting in PHP programming...

I wish to code this in all PHP, as may or may not be obvious. I am open to other possibilities if need be, but that is my preference.

That said, I would love for some interactivity I have no clue on how to handle, if it is possible in PHP. For example, having the registration page dynamically update, alerting *as the user types* if the username in the field is available, or if the password/conf matches, or if the email/conf matches, or if the password is not strong enough, etc. I have seen this in plenty of websites, but do not know if it is done (or can be done) via PHP?

Also, if a user is not logged in and clicks on any link that would require a login, instead of redirecting to a new page or simply warning that 'you are not logged in', I would like a pop-up box to appear near the clicked link with the login page.

Small things like that... is that PHP-able?

[Valek]

karossii, on 23 Nov, 2008 - 02:14 AM, said:

OOPS!

I forgot one of the main things I meant to ask, and the primary reason I was posting in PHP programming...

I wish to code this in all PHP, as may or may not be obvious. I am open to other possibilities if need be, but that is my preference.

That can be done with what I've read so far.

karossii, on 23 Nov, 2008 - 02:14 AM, said:

That said, I would love for some interactivity I have no clue on how to handle, if it is possible in PHP. For example, having the registration page dynamically update, alerting *as the user types* if the username in the field is available, or if the password/conf matches, or if the email/conf matches, or if the password is not strong enough, etc. I have seen this in plenty of websites, but do not know if it is done (or can be done) via PHP?

No, I think that one might take AJAX. PHP, being a server-side language, would not be able to dynamically communicate that to the client's browser alone.

karossii, on 23 Nov, 2008 - 02:14 AM, said:

Also, if a user is not logged in and clicks on any link that would require a login, instead of redirecting to a new page or simply warning that 'you are not logged in', I would like a pop-up box to appear near the clicked link with the login page.

Small things like that... is that PHP-able?

Use PHP and Javascript together on that popup link. Of course, the only way I can think of on that is having PHP check if one is logged in, and generating a different URL based on the results or that (the non logged in one would obviously be a Javascript popup).

[ludjer]

also why do you need
currentIP {varchar(15), default '000.000.000.000'}
and
lastLoggedIP {varchar(15), default '000.000.000.000'}

wont they be the same thing

also you will have to keep in mind if it is gona be the internet then you should include support for IPV6 cause that is just around the corner

[shygirl15]

I think its interesting that you say the database is the hardest part?

The database is just a bunch of tables. It's like the brain, but its pretty straight foward. I have no problem at all understand how the database works. In my oppinion, i'd say imputting, and outputting is the most difficult part. Querys are sooooo my enemy.

Also, you are extremely organized. If this is your first sight, why are you trying to make it professional? Isn't it better "and funner" to just crash into it, and learn as you go.

Whats easier... learning something by doing it and understanding as you go, or studying it.

[ghqwerty]

you could create a session when the user logs in that is something like $_SESSION['loggedIn'] = "true"; and then i just call a check at the top of each of my pages

if($_SESSION['loggedIn'] != "true"){
 header("location: login.php");
}

however im not sure exactly how to intergrate javascript and php fully, hence im learning that as well as c# at the moment.

although you could probably make a call to the session and then have it pop up and then make the co-ordinates(distance from top left corner of pop-up to top left corner of browser) land next to the page you require.

now what im now sure of is this, do you want the login to be part of the popup so the user does not have to navigate away form the page he/she is on?
if that were the case, it can be done, you would have to use js and look heavily into securing it as from my knowledge it aint that hard to manipulate javascript. look at firefox and greasemonkey.

what i am working on at the moment however is a process where if you are not logged in and you go to a protected page it redirects to the login page but then when you login it redirects to the page you were trying to get to.
now you can try my theory if you want as i dont have time to try this till at least wednesday however i would suggest creating a few more fields in your database such as last page visited, some others that i will think of whilst writing lol

then you could do a query and if the last time refreshed is more than 5 minutes ago then you login straight to the homepage however if it is less than 5 then it goes to the page before.

would be hard to implement so i will work on it this week and then let you know my progress and if im happy i might just give you the code


IP'S
now i dont really see the need for ip's being stored in the database unless your going to do regular ip checks and 'bans/deletes' on players. on some games you will see 2 people from differant timezones playing 1 account so they can have an advantage over others for being active more hence getting more done and having more chance of getting to the top of the leader board.
so i would suggest you revise that and also i agree with ludjer on that one.



shygirl15.
yes and no. databases arent 'hard' to make nor is php code when you have been learning it, however a database is probabl the most important part of any game. you need to save there stats and stuff and if you have a bad database layout it can and most likely will complicate things. im still adding stuff to my database everytime i make a new page for my site cos i didnt plan it out properly and it is confusing getting the correct order on select statements. so a lot of thought must go inot planning it


anyway theres your esaay lol, ill shut up now
bye

[karossii]

shygirl15, on 23 Nov, 2008 - 04:21 AM, said:

I think its interesting that you say the database is the hardest part?

The database is just a bunch of tables. It's like the brain, but its pretty straight foward. I have no problem at all understand how the database works. In my oppinion, i'd say imputting, and outputting is the most difficult part. Querys are sooooo my enemy.

Also, you are extremely organized. If this is your first sight, why are you trying to make it professional? Isn't it better "and funner" to just crash into it, and learn as you go.

Whats easier... learning something by doing it and understanding as you go, or studying it.

Not the database, the design... which at this point are nearly but still not the same thing. The hard part for me is in predicting/planning the fields I will be using, mentally doing the code in my head and checking if I need to add this field or remove that field, how the table relationships will be working, etc. I am planning a LOT more than just this login segment of the site for now... but this is the area I had the most specific questions about.

And this is not my first site ever, but one of my first sites using php... I have been designing HTML and DHTML, as well as Flash websites for some time now.

[Edit] Just to give you an idea, I spent 3 weeks planning this entire site on paper before I touched the computer for it. I have then spent 2 weeks implementing the database, revisiting the structure, removing redundancies, and adding new sub-tables (like the new login attempts table I just decided on in this thread). I currently have 37 tables with anywhere from 3 to 19 fields in them, and each table has at least one relational field connecting it to another, most have several.

And while it can be 'more funner' to just crash through things and develop on the fly, it also draws the process out by a long time, and typically results in a ton of bugs and unmanageable code. Since this is to be a professional website, through which I hope to make a lot of money from paid memberships, it needs to be done properly and professionally at every step of the way.

This post has been edited by karossii: 23 November 2008 - 01:13 PM

[karossii]

ludjer, on 23 Nov, 2008 - 04:17 AM, said:

also why do you need
currentIP {varchar(15), default '000.000.000.000'}
and
lastLoggedIP {varchar(15), default '000.000.000.000'}

wont they be the same thing

also you will have to keep in mind if it is gona be the internet then you should include support for IPV6 cause that is just around the corner

They won't be the same thing; lastLoggedIP will be set to currentIP on logout - so it will be default of 000.000.000.000 until they log out. Once they log out, lastLoggedIP is then set to what currentIP was, and currentIP is cleared. it just tracks their last session, basically...and I did have a reason for doing so (two actually), but after re-reading my first post and thinking of the long term benefits, a separate table tracking all login attempts will probably work best, and it would be just as good at telling the user (or the software) 'You last logged in on Thursday November 20 at 10:01 PM, from IP 127.0.0.1'.

And I had not given any consideration to IPv6, though I should have known better - I will fix that ASAP!

This post has been edited by karossii: 23 November 2008 - 12:51 PM

[karossii]

ghqwerty, on 23 Nov, 2008 - 10:56 AM, said:

you could create a session when the user logs in that is something like $_SESSION['loggedIn'] = "true"; and then i just call a check at the top of each of my pages

if($_SESSION['loggedIn'] != "true"){
 header("location: login.php");
}

however im not sure exactly how to intergrate javascript and php fully, hence im learning that as well as c# at the moment.

although you could probably make a call to the session and then have it pop up and then make the co-ordinates(distance from top left corner of pop-up to top left corner of browser) land next to the page you require.

now what im now sure of is this, do you want the login to be part of the popup so the user does not have to navigate away form the page he/she is on?
if that were the case, it can be done, you would have to use js and look heavily into securing it as from my knowledge it aint that hard to manipulate javascript. look at firefox and greasemonkey.

That is essentially what I want to do; but when a user clicks a link to a page or function that requires them to be logged in, the popup happens then, before the navigation takes place.

For example, say a site has three links and two buttons. Two of the links are open to anyone and lead to public pages. The third link leads to a member's only page. The two buttons also lead to member's only functions/navigation. If you are logged in, everything works fine - you click the link or button and it does what it is supposed to do. If you are not logged in, when you click the member's only link, it pops up a floating log in box, requiring you to log in (or cancel) to close the popup. If you cancel, nothing happens, it is just as if you didn't click the link. If you logged in, it then immediately navigates to the member's only content.

The main purpose for this is to have a free preview area, and/or to split the site into free and paid member's only areas. It allows a user who is not logged in (and possibly not even a member at all) to experience portions of the site, so no required login on the homepage. And then when they hit the brick wall, it doesn't take them away from where they are; so any form fields that may have been filled out remain intact, any dynamic choices for the page remain intact, etc; without requiring me to manually store the state of the page and restore it after they log in (or fail to log in). It is not a critical issue, but it would be great if I could accomplish that.

Quote

what i am working on at the moment however is a process where if you are not logged in and you go to a protected page it redirects to the login page but then when you login it redirects to the page you were trying to get to.
now you can try my theory if you want as i dont have time to try this till at least wednesday however i would suggest creating a few more fields in your database such as last page visited, some others that i will think of whilst writing lol

then you could do a query and if the last time refreshed is more than 5 minutes ago then you login straight to the homepage however if it is less than 5 then it goes to the page before.

would be hard to implement so i will work on it this week and then let you know my progress and if im happy i might just give you the code

Thanks, this could work as well, but for me it would require storing the state of the current page, in case they fail to log in, and returning them there and restoring that state. It is a great way to do things, especially if you aren't concerned about what happens if/when they fail to log in, or if you don't have any dynamic settings or form fields that could be lost.

Quote

IP'S
now i dont really see the need for ip's being stored in the database unless your going to do regular ip checks and 'bans/deletes' on players. on some games you will see 2 people from differant timezones playing 1 account so they can have an advantage over others for being active more hence getting more done and having more chance of getting to the top of the leader board.
so i would suggest you revise that and also i agree with ludjer on that one.

IP tracking is for multiple reasons, primarily to ban/block certain members for various reasons, but also to avoid multiple accounts on one computer, and multiple users of the same account - as you described, I don't want to allow two people in muliple time zones to share an account. (This website will have paid memberships, so account sharing is not okay.)

Quote

shygirl15.
yes and no. databases arent 'hard' to make nor is php code when you have been learning it, however a database is probabl the most important part of any game. you need to save there stats and stuff and if you have a bad database layout it can and most likely will complicate things. im still adding stuff to my database everytime i make a new page for my site cos i didnt plan it out properly and it is confusing getting the correct order on select statements. so a lot of thought must go inot planning it


anyway theres your esaay lol, ill shut up now
bye

I agree completely, and think design and planning are paramount, followed closely by both database implementation and the actual coding. code and database are equally important in my eyes; neither functions properly unless both are done well - but if you fail to plan it is ever so much harder to develop either of those.

And thanks for the essay! I'd welcome anything else you may have to say on the subject.

[Valek]

karossii, on 23 Nov, 2008 - 03:06 PM, said:

Thanks, this could work as well, but for me it would require storing the state of the current page, in case they fail to log in, and returning them there and restoring that state. It is a great way to do things, especially if you aren't concerned about what happens if/when they fail to log in, or if you don't have any dynamic settings or form fields that could be lost.

Not necessarily. You could use java script:history.go(-2) (or -1 if the login page submits to itself) if you do a non-popup login page when one tries to enter a protected page. This way, the dynamic user-entered data stays because it is functionally no different than pressing the back button on your browser. Just an extra option

The popup wouldn't be hard either, though. Do a javascript popup window, and the login posts to the login checking page. If the login fails, close the popup and have it come back to the previous page with an error message. If it goes through, redirect the big window (via 'target') to the page they intended to go to, and close the popup with Javascript

[ghqwerty]

Valek, on 23 Nov, 2008 - 09:17 PM, said:

karossii, on 23 Nov, 2008 - 03:06 PM, said:

Thanks, this could work as well, but for me it would require storing the state of the current page, in case they fail to log in, and returning them there and restoring that state. It is a great way to do things, especially if you aren't concerned about what happens if/when they fail to log in, or if you don't have any dynamic settings or form fields that could be lost.

Not necessarily. You could use java script:history.go(-2) (or -1 if the login page submits to itself) if you do a non-popup login page when one tries to enter a protected page. This way, the dynamic user-entered data stays because it is functionally no different than pressing the back button on your browser. Just an extra option

The popup wouldn't be hard either, though. Do a javascript popup window, and the login posts to the login checking page. If the login fails, close the popup and have it come back to the previous page with an error message. If it goes through, redirect the big window (via 'target') to the page they intended to go to, and close the popup with Javascript

how would you determine if the user just came from one of you pages or from another site though ???

[stativa23]

<?php
			   if(isset($_POST['submit'])){
			   $dbhost = "localhost";
			   $dbname = "name";
			   $dbuser = "username";
			   $dbpass = "pass";
				mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
				mysql_select_db($dbname) or die(mysql_error());
				$firstname=$_POST['firstname'];
				$lastname=$_POST['lastname'];
				$username=$_POST['username'];
				$password=md5($_POST['password']);   
				$email=$_POST['email'];
				 if($firstname==' ') { $error="First name required!";} 
				 if ($lastname==' ') { $error="Last name required!";}  
				 if ($username==' ') { $error="Username required!";}   
				 if ($password==' ') { $error="Password required!";} 
				 if ($email==' ') { $error="Email required!";}  
				 else
				  {
				   $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'"); 
				   $username_exist = mysql_num_rows($checkuser);
				   if($username_exist =='1'){
				   $error= "I'm sorry but the username you specified has already been taken.  Please pick another					   one.";}
				   $query = "INSERT INTO users (firstname,lastname, username, password,email)
				   VALUES('$name', '$lastname', '$username', '$password','$email')";
				   mysql_query($query) or die(mysql_error());
				   $msg="You are now registered";
				 }
}
?>
<html>
<head><title>Registration</title></head>
<body>
<p></$msg/></p>
<form action="register.php" method="post">
<table border="0">
<tr><td>Firstname:</td>
<td><input type="text" name="firstname" value=""></td></tr>
<tr><td>Lastname:</td>
<td><input type="text" name="lastname" value=""></td></tr>
<tr><td>Username:</td>
<td><input type="text" name="username" value=""></td></tr>
<tr><td>Password:</td>
<td><input type="password" name="password" value=""></td></tr>
<tr><td>Email:</td>
<td><input type="email" name="email" value=""></td></tr>
<tr><td><input type="submit" name="submit" value="Submit"></td></tr>
</table>
</form>
</body>
</html>

I have problem when I am entering values in fields always comes back "You are now registered".And when I am not entering values in some fields it does not report for error,is entering blank fields into database.Why is that?

[ghqwerty]

stativa23, on 27 Nov, 2008 - 11:53 PM, said:

<?php
			   if(isset($_POST['submit'])){
			   $dbhost = "localhost";
			   $dbname = "name";
			   $dbuser = "username";
			   $dbpass = "pass";
				mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
				mysql_select_db($dbname) or die(mysql_error());
				$firstname=$_POST['firstname'];
				$lastname=$_POST['lastname'];
				$username=$_POST['username'];
				$password=md5($_POST['password']);   
				$email=$_POST['email'];
				 if($firstname==' ') { $error="First name required!";} 
				 if ($lastname==' ') { $error="Last name required!";}  
				 if ($username==' ') { $error="Username required!";}   
				 if ($password==' ') { $error="Password required!";} 
				 if ($email==' ') { $error="Email required!";}  
				 else
				  {
				   $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'"); 
				   $username_exist = mysql_num_rows($checkuser);
				   if($username_exist == '1'){
				   $error= "I'm sorry but the username you specified has already been taken.  Please pick another one.";}
				   $query = "INSERT INTO users (firstname,lastname, username, password,email)
				   VALUES('$name', '$lastname', '$username', '$password','$email')";
				   mysql_query($query) or die(mysql_error());
				   $msg="You are now registered";
				 }
}
?>
<html>
<head><title>Registration</title></head>
<body>
<p></$msg/></p>
<form action="register.php" method="post">
<table border="0">
<tr><td>Firstname:</td>
<td><input type="text" name="firstname" value=""></td></tr>
<tr><td>Lastname:</td>
<td><input type="text" name="lastname" value=""></td></tr>
<tr><td>Username:</td>
<td><input type="text" name="username" value=""></td></tr>
<tr><td>Password:</td>
<td><input type="password" name="password" value=""></td></tr>
<tr><td>Email:</td>
<td><input type="email" name="email" value=""></td></tr>
<tr><td><input type="submit" name="submit" value="Submit"></td></tr>
</table>
</form>
</body>
</html>

I have problem when I am entering values in fields always comes back "You are now registered".And when I am not entering values in some fields it does not report for error,is entering blank fields into database.Why is that?

sorry but this is terrible code,

<p></$msg/></p>

wont work you will need to fo

<?php echo $msg; ?>

you are also very sloppy with your code, have you thought this through at all ??

all you ever do is set a variable $error and never check it, what i would do is,

 if(($firstname==' ') ||  ($lastname==' ') || ($username==' ')  ||  ($password==' ')  ||   ($email==' ') ){
echo "Sorry, one or more of the required fields was not filled out correctly. Please try again.";
				 }else{
				   $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'"); 
				   $username_exist = mysql_num_rows($checkuser);
				   if($username_exist == '1'){
				   $error= "I'm sorry but the username you specified has already been taken.  Please pick another one.";}
				   $query = "INSERT INTO users (firstname,lastname, username, password,email)
				   VALUES('$name', '$lastname', '$username', '$password','$email')";
				   mysql_query($query) or die(mysql_error());
				   $msg="You are now registered";
				 }

that would work, also i would reccomend indenting your code and sepertaing out your curly braces to make it more easily debugged.

also if you have a problem try and make a new topic instead of just tagging it on the end of another, youll get a better response.

please not that i havent tested the code, however it should work.