I am no good with these 'login' scripts.

I am in the process of creating a system, which needs a login script.

I cannot create a secure, working login code with sessions/cookies.

So, could anyone create me a working, secure login code with sessions/cookies and a code that would only allow logged in users to view a page? Also, so it takes the details from a mySQL database.

I know it may be a lot, but I really need this. I can only offer +rep, and maybe a small amount of paypal cash (most likely not).

Thanks a bunch!

You shouldn't ask us to make it for you - no one will. You should ask us how to make it ;). Making a secure login script requires sessions. read up on them here (http://us.php.net/session).

Okay, how could I make one? Are there any good tutorials?

You shouldn't ask us to make it for you - no one will. You should ask us how to make it ;). Making a secure login script requires sessions. read up on them here (http://us.php.net/session).
A secure login does not require sessions.

You can make a complete and secure system using cookies, if you have enough knowledge to secure it correctly.

Although many people prefer sessions > cookies, its a personal preference.

Both have their own pros and cons.

Well here is a link to a tutorial that I quickly checked through that looked fairly comprehensive and secure at first glance.

http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

As for the Cookie vs. Session question it is mostly a matter of preference and opinion. I use Sessions because I'm used to dealing with them but you should do some Googling to find out for yourself which best suits your needs/situation.

But if you gave a person of avid knowledge the task of designing a secure login system with cookies and one with sessions, a hacker gets into the one with cookies first.

But if you gave a person of avid knowledge the task of designing a secure login system with cookies and one with sessions, a hacker gets into the one with cookies first.
Thats because they are not verified or checked right.

Just checking if a cookie exists is nothing.

You need to verify it against the database, and some more things.

But if you gave a person of avid knowledge the task of designing a secure login system with cookies and one with sessions, a hacker gets into the one with cookies first.

Well actually... Cookies can be just as secure as Sessions when implemented correctly. The perfect example is vBulletin. Just because it uses Cookies does that make it insecure? I mean sure, it has it's flaws, but 99% of those have nothing to do with the Cookies (moreso MySQL injection).


Thats because they are not verified or checked right.

Just checking if a cookie exists is nothing.

You need to verify it against the database, and some more things.

Actually, what he said was 'if you gave a person of avid knowledge'... chances are that if they are a 'person of avid knowledge' then they would know enough to actually put something in the cookie and not just check for a cookie ;)

<?php
if($_POST["lol"]) {
$username = addslashes(htmlspecialchars(mysql_real_escape_stri ng($_POST["name"])));
$pass = addslashes(htmlspecialchars(mysql_real_escape_stri ng($_POST["pass"])));
$haha = mysql_connect("localhost", "username", "pass");
if(!haha) { echo 'cant connect'; } else {
mysql_select_db("$haha");
$q = mysql_query("SELECT * FROM `users` WHERE user = '$username' AND pass = '$pass'");
$m = mysql_num_rows($q);
if($m == "0") { echo 'No such user or pass!'; } else {
$_SESSION["loggedin"] = "true";
}
}
} else {
?>
<form action="login.php" method="post">
<input type="text" name="name"><br><br><input type="password" name="pass"><br><br><input type="submit" name="lol" value="Login!!">
<?php
}
?>
A page to see if their logged in


<?php
if($_SESSION["loggedin"] == "true") {
// logged in
} else {
echo 'Login please!';
}
?>
Thats crap, did in 5 mins and its just to give a very basic idea of the sorta thing to do, not secure atall really

True but it's quite a 50/50 ay?

edit.

Note he said *secure*

Could someone make that secure? (if it isn't?)

Checking if there is a simple cookie "LOGGEDIN", it has to be revamped. I can do it... for a payment.

That shows what the world has come to.