Hey,
I just have some questions on PHP login security,
How would I make a login script secure?
Say if I made 5 different sessions on login and check the sessions all the way through would that be secure enough?
Dan
No. Cos then if you have a script checking if the sessions exist, it will still think they're logged in even if they're banned/their account has been deleted...
But if you make them expire after a set time or make it check their account still exists on every refresh then you're all good.
Some key ideas.
- Have an online table and make a session that perhaps refers to that. Store the user's IP address in it, so that any other platform that has perhaps stolen a session cannot use it. That is known as protection from session hijacking.
- Have timeouts. Not too short like PayPal, but have them.
Thanks guys. Ok, how would a timeout script work? Any examples please =)
Well, if you make a session for example,
make it set when they login, then make a new PHP file and make sure you include it in the file where you want them to check the login, so use:

$_SESSION["logintime"] = time();

Now in that file put:

include("checklogin.php");

That will check if they need to be logged out...

<?php
// log out if the last activity was more than 86400 seconds (24 hours) ago
if($_SESSION["logintime"] < time() - 86400) {
header("Location: logout.php");
exit; // stop the protected page from running after the redirect
}else{
$_SESSION["logintime"] = time(); // refresh the timestamp on every visit
}
?>

That's a simple way of checking if their account still exists, if not log them out...

if($username != "") {
$real = mysql_query("SELECT * FROM `staff` WHERE `username`='$username'") or die ("Error! Please reinstall the panel.");
}
$check = mysql_num_rows($real);
if($check == "0") { header("Location: logout.php"); exit; }
So where does $username come from, cause in that instance it doesn't exist at all. Also the variable $check would equal false if $username was equal to nothing. Doesn't seem like you thought any of that through.
Hi, name's James. I am a web developer.
my apologies for a typo...
<?php
$username = $_SESSION["username"];
if($username != "") {
$real = mysql_query("SELECT * FROM `staff` WHERE `username`='$username'") or die ("Error! Please reinstall the panel.");
}
$check = mysql_num_rows($real);
if($check == "0") { header("Location: logout.php"); exit; }
?>
Again, where have you set $_SESSION["username"]?
Hi, name's James. I am a web developer.
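Pulling the thread's three ideas together (an inactivity timeout, binding the session to the client IP, and re-checking on every request that the account still exists), here is an added example of what a checklogin.php could look like. It is not code from any of the posters; it assumes a `staff` table with `username` and `active` columns, the pdo_sqlite extension for the self-contained demo at the bottom, and that `session_start()` has already run before `enforceLogin()` is called. The function names, the 30-minute timeout and the sample row are constructed for the example.

```php
<?php
// Added example, not code from the thread.
declare(strict_types=1);

const LOGIN_TIMEOUT = 1800; // 30 minutes of inactivity (assumption), not a full day

// Call once, right after the password check succeeds.
// In the live handler call session_regenerate_id(true) first so a session id
// fixed by an attacker before login is never promoted to a logged-in session.
function establishLogin(array &$session, string $username, string $clientIp, int $now): void
{
    $session['username']  = $username;
    $session['logintime'] = $now;
    $session['ip']        = $clientIp;
}

// Returns null when the session is still valid and refreshes the activity
// timestamp; otherwise returns the reason the session must be ended.
function checkLogin(array &$session, string $clientIp, PDO $db, int $now): ?string
{
    if (empty($session['username'])) {
        return 'not logged in';
    }
    if (!isset($session['logintime']) || $session['logintime'] < $now - LOGIN_TIMEOUT) {
        return 'timed out';
    }
    // The IP recorded at login must match the IP making this request.
    if (!isset($session['ip']) || !hash_equals($session['ip'], $clientIp)) {
        return 'ip mismatch';
    }
    // Bound parameter, never string interpolation, so the username cannot alter the query.
    $stmt = $db->prepare('SELECT COUNT(*) FROM staff WHERE username = :u AND active = 1');
    $stmt->execute([':u' => $session['username']]);
    if ((int) $stmt->fetchColumn() === 0) {
        return 'account missing or disabled';
    }
    $session['logintime'] = $now; // still valid: slide the timeout window
    return null;
}

// Include this from every protected page, after session_start().
function enforceLogin(PDO $db): void
{
    $why = checkLogin($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '', $db, time());
    if ($why !== null) {
        $_SESSION = [];
        session_destroy();
        header('Location: logout.php');
        exit; // without exit the rest of the protected page would still run
    }
}

// Self-contained demo with a constructed in-memory table (no web server needed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE staff (username TEXT PRIMARY KEY, active INTEGER NOT NULL)');
$db->exec("INSERT INTO staff VALUES ('dan', 1)"); // constructed sample account

$session = [];
$t0 = 1700000000; // fixed clock so the demo is deterministic
establishLogin($session, 'dan', '203.0.113.5', $t0);

printf("same ip, 10 min later: %s\n", checkLogin($session, '203.0.113.5', $db, $t0 + 600) ?? 'ok');
printf("different ip:          %s\n", checkLogin($session, '198.51.100.9', $db, $t0 + 600) ?? 'ok');
printf("same ip, 1 h idle:     %s\n", checkLogin($session, '203.0.113.5', $db, $t0 + 600 + 3600) ?? 'ok');
$db->exec("UPDATE staff SET active = 0 WHERE username = 'dan'");
printf("account disabled:      %s\n", checkLogin($session, '203.0.113.5', $db, $t0 + 700) ?? 'ok');
```

Two caveats on the IP check from the second post: users behind mobile carriers or load-balanced proxies change address mid-session, so a strict match will log them out spuriously, and `REMOTE_ADDR` is the only address the server can trust (headers such as `X-Forwarded-For` are client-supplied unless your own proxy sets them). The `exit` after `header()` matters as much as the checks themselves, because a redirect header alone does not stop PHP from rendering the rest of the protected page.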