Home/ Questions/Q 8246877
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T22:39:17+00:00

First time creating a login system for a webpage and I’ve been trying to

  • 0

First time creating a login system for a webpage and I’ve been trying to read up about security but unsure if I’m doing it right.

So far I have a username/password stored and the password is hashed with sha256 and a 3 char salt. if the username and password are correct then I make a new session id like this

session_regenerate_id (); 
$_SESSION['valid'] = 1;
$_SESSION['userid'] = $userid;

at every page I check

function isLoggedIn()
{
if(isset($_SESSION['valid']) && $_SESSION['valid'])
    return true;
return false;
}

I use this to check for a correct user

$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here
connect();
//save username
$username = mysql_real_escape_string($username);
//query the database for the username provided
$query = "SELECT password, salt
    FROM users
    WHERE username = '$username';";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such user exists
{
  //show incorrect login message
}
//check the password is correct for the username found
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
  //show incorrect login message
}
else
{
//setup a new session 
validateUser();
//redirect to the main page
header('Location: main.php');
die();

if its false then they get sent back to the login page. is this secure enough?

in the main page I also have html links

  <li><a href="main.php">Home page</a>

so I need to end the php script on the main page when these links are used?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Adding to what phpdev said. Even though it looks secure enough, there are a couple of things I’d recommend.

    When you want to send a user to some page make sure your script exits and finishes executing, because if there’s still some lines they will be executed. Take this for example:

    if (!isLoggedIn()){
   header('Location: login.php');
}
//It's wrong to assume that things are safe here
echo $secret_data;

    so make sure you add exit(); or die(); after your header() call.

    Also when hashing, make sure that you use a unique salt per user, so you need to create an extra column in your users table to store the salt next to the hashed password. It’s also highly recommended to use a well tested library for hashing such as PHPass.

    If you’re running different web services on the same web server using the same domain, like:
    mysite.com/my_super_awesome_app and mysite.com/my_not_very_awesome_app make sure you either add a prefix to your variable names in the $_SESSION like $_SESSION['app1_valid'] or limit the session cookie to a certain path using session_set_cookie_params()

    • 0