
Thread: PHP Security

  1. #1 (Join Date: Jun 2007; Location: England)

    PHP Security

    Hey,

    I just have some questions on PHP login security,

    How would I make a login script secure?

    Say I made 5 different session variables on login and checked them all the way through; would that be secure enough?

    Dan


  2. #2 (Join Date: Sep 2009; Location: Hull)

    No, because if you have a script checking whether the sessions exist, it will still think they're logged in even if they're banned or their account has been deleted...

    But if you make them expire after a set time, or make it check that their account still exists on every refresh, then you're all good.

  3. #3 (Join Date: Apr 2009; Location: United Kingdom)

    Some key ideas.

    - Have an online table and make a session that perhaps refers to that. Store the user's IP address in it, so that any other platform that has perhaps stolen a session cannot use it. That is known as protection from session hijacking.
    - Have timeouts. Not too short like PayPal's, but have them.

  4. #4 (Join Date: Jun 2007; Location: England)

    Thanks guys. OK, how would a timeout script work? Any examples please? =)


  5. #5 (Join Date: Sep 2009; Location: Hull)

    Well, if you make a session variable, for example
    $_SESSION["logintime"] = time();
    and set that when they log in, then make a new PHP file and make sure you include it in every file where you want to check the login, so use
    include("checklogin.php");
    Now in that file put:
    <?php
    // Log them out if the last activity was more than 24 hours (86400 s) ago,
    // otherwise refresh the timestamp so the timeout counts from the last request.
    if($_SESSION["logintime"] < time() - 86400) {
        header("Location: logout.php");
        exit; // header() does not stop the script; without exit the rest of the page still runs
    }else{
        $_SESSION["logintime"] = time();
    }
    That will check whether they need to be logged out...

    if($username != "") {
        $real = mysql_query("SELECT * FROM `staff` WHERE `username`='$username'") or die ("Error! Please reinstall the panel.");
    }
    $check = mysql_num_rows($real);
    if($check == "0") { header("Location: logout.php"); exit; }
    That's a simple way of checking if their account still exists; if not, log them out...

  6. #6 (Join Date: Mar 2008; Location: Swindon, UK)

    So where does $username come from? In that instance it doesn't exist at all. Also, the variable $check would equal false if $username was equal to nothing. Doesn't seem like you thought any of that through.
    Hi, name's James. I am a web developer.

  7. #7 (Join Date: Sep 2009; Location: Hull)

    My apologies for a typo...
    <?php
    session_start(); // must run before $_SESSION is read
    $username = isset($_SESSION["username"]) ? $_SESSION["username"] : "";
    if($username == "") {
        header("Location: logout.php"); // no username in the session: never logged in
        exit;
    }
    // mysql_* is the old ext/mysql API (removed in PHP 7); escape before interpolating into SQL
    $real = mysql_query("SELECT * FROM `staff` WHERE `username`='" . mysql_real_escape_string($username) . "'") or die ("Error! Please reinstall the panel.");
    $check = mysql_num_rows($real);
    if($check == 0) {
        header("Location: logout.php"); // account has been deleted: log them out
        exit;
    }
    ?>
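The advice in #3 (a server-side session record plus timeouts), the timeout and account-exists checks in #5, and the corrected checklogin.php in #7 fit together as one small login/check pair. The block below is an added example written for this thread, not code from any poster: it uses PDO with an in-memory SQLite database so it runs offline, and the `staff` table, its columns, the limits, the sample account and `logout.php` are all assumptions. It hashes the password with password_hash/password_verify, rotates the session id at login, enforces both an idle and an absolute timeout, and re-checks the account on every request so a deleted or disabled account is thrown out immediately, which is the point #2 raised.

```php
<?php
// Added example (not code from the thread): login + per-request check in plain PHP,
// using PDO with an in-memory SQLite database so it runs offline. The `staff` table,
// column names, limits and logout.php are assumptions for illustration.
declare(strict_types=1);

const IDLE_LIMIT     = 30 * 60;    // seconds without a request before logout
const ABSOLUTE_LIMIT = 12 * 3600;  // seconds after login before logout, active or not

function start_session(): void {
    if (session_status() !== PHP_SESSION_NONE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');  // reject session ids the server never issued
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function make_db(): PDO {
    // Constructed sample data: one active staff account (assumed schema).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
               password_hash TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1)');
    $ins = $db->prepare('INSERT INTO staff (username, password_hash) VALUES (?, ?)');
    $ins->execute(['dan', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $username, string $password): bool {
    $q = $db->prepare('SELECT id, password_hash, active FROM staff WHERE username = ?');
    $q->execute([$username]);  // bound parameter: the username is never spliced into the SQL
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown so the response time
    // does not reveal whether the username exists.
    $hash = $row ? $row['password_hash'] : password_hash('nobody', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash) && $row && (int)$row['active'] === 1;
    if (!$ok) {
        return false;
    }
    start_session();
    session_regenerate_id(true);  // fresh id at login: a pre-set (fixated) id is never promoted
    $now      = time();
    $_SESSION = ['staff_id' => (int)$row['id'], 'login_time' => $now, 'last_seen' => $now];
    return true;
}

// Returns 'ok' or the reason the session is no longer valid. $now is a parameter so
// expiry can be exercised without waiting; pass null to use the real clock.
function check_login(PDO $db, ?int $now = null): string {
    start_session();
    $now ??= time();
    $reason = null;
    if (empty($_SESSION['staff_id'])) {
        $reason = 'not logged in';
    } elseif ($_SESSION['last_seen'] + IDLE_LIMIT < $now) {
        $reason = 'idle timeout';
    } elseif ($_SESSION['login_time'] + ABSOLUTE_LIMIT < $now) {
        $reason = 'absolute timeout';
    } else {
        // Re-check the account on every request so a deleted or banned account is
        // thrown out now, not when its session would have expired.
        $q = $db->prepare('SELECT active FROM staff WHERE id = ?');
        $q->execute([$_SESSION['staff_id']]);
        $active = $q->fetchColumn();
        if ($active === false || (int)$active !== 1) {
            $reason = 'account deleted or disabled';
        }
    }
    if ($reason !== null) {
        $_SESSION = [];
        session_destroy();
        return $reason;
    }
    $_SESSION['last_seen'] = $now;  // sliding idle window; login_time is never refreshed
    return 'ok';
}

// What checklogin.php would do at the top of every protected page.
function require_login(PDO $db): void {
    if (check_login($db) !== 'ok') {
        header('Location: logout.php');
        exit;  // header() does not stop execution; without exit the page body is still sent
    }
}

// Demo run over the constructed data (CLI). Output is printed only at the end,
// after all session calls, so nothing is sent before the session starts.
$db = make_db();
$results = [
    'wrong password' => login($db, 'dan', 'letmein') ? 'logged in' : 'rejected',
    'right password' => login($db, 'dan', 'correct horse battery staple') ? 'logged in' : 'rejected',
    'fresh check'    => check_login($db),
    '31 min later'   => check_login($db, time() + IDLE_LIMIT + 60),
    'after expiry'   => check_login($db),
];
print_r($results);
```

Two design notes. The 86400-second check in #5 is an idle timeout, because the timestamp is refreshed on every request; the example keeps that sliding window (`last_seen`) and adds an absolute limit (`login_time`) so a stolen session cannot be kept alive forever by polling. The IP binding suggested in #3 can be added as a further check on the session record, but it logs out legitimate users behind carrier NAT or on mobile networks whose address changes; `session.use_strict_mode`, rotating the id at login, and the HttpOnly/Secure/SameSite cookie flags used here address fixation and cookie theft without that cost.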

  8. #8 (Join Date: Mar 2008; Location: Swindon, UK)

    Again, where have you set $_SESSION["username"]?
    Hi, name's James. I am a web developer.
