I am new to class development in PHP; however, I am still quite confused by the concept of sessions.
Question 1: Can sessions be changed by client manipulations? If not, can I set static sessions and use them without validation?
Question 2: How should I be managing my user accounts?
I do use a salt; however, a code is generated during registration and inserted into the DB, where it's used for login reference. Any corrections with explanation would be much appreciated, as well as anything about sessions being modified by the client.
class user {
    private $username = '';
    private $password = '';
    private $salt = '';
    public $prefix = 'rhs_';

    function __construct () {
        $this->username = '';
        $this->password = '';
        $this->salt = '';
        session_start();
    }

    public function login ($username, $password) {
        $mysql_conn = Database::obtain();
        $username = $mysql_conn->escape($username);
        $sql = 'SELECT `password`, `salt`, `first_name`, `last_name`, `permission` FROM `accounts` WHERE `username`="'.$username.'"';
        $row = $mysql_conn->query_first($sql);
        if(!empty($row['password'])) {
            // stored value is md5(md5(password) . salt), as generated at registration
            $encrypted = md5(md5($mysql_conn->escape($password)).$row['salt']);
            if ($encrypted == $row['password']) {
                $_SESSION[$this->prefix.'username'] = $username;
                $_SESSION[$this->prefix.'password'] = $password;
                $_SESSION[$this->prefix.'name'] = $row['first_name'].' '.$row['last_name'];
                $_SESSION[$this->prefix.'permission'] = $row['permission'];
                header('location: ?page=cpanel');
                exit; // stop execution after sending the redirect header
            } else {
                return false;
            }
        } else {
            return false;
        }
    }
}
Even if you are an experienced programmer, making an unsafe authentication system is easy as pie. You should be using OpenID (or systems like that, like for example Facebook Connect) instead. They have security experts as employees. I created a little library you can use for this. You can see a demo at http://westerveld.name/php-openid//
It cannot be changed by clients, but a user's session could be stolen by hackers. You need to prevent session fixation => session_regenerate_id
You probably should not do this, because the chance you make a mistake is BIG. But below are some quick tips:
I also have created a little authentication library just for the fun of it. And I think it is pretty safe, although for example logout.php is still vulnerable to CSRF, although this is not really a big problem (and the fix is very easy).
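The points raised in the answer (session_regenerate_id against fixation, not storing the password in the session, a CSRF-protected logout), shown together as an added example that is neither the asker's class nor the answerer's library. It assumes PHP 7 or newer, a PDO connection $pdo, and an `accounts` table with a `password_hash` column; the table layout and the `SafeUser` name are assumptions, not from the question.

```php
<?php
// Added example, not the asker's code or the answerer's library. Assumes a PDO
// connection $pdo and an `accounts` table with a `password_hash` column (assumed).
class SafeUser {
    private $pdo;
    public $prefix = 'rhs_';
    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    // Registration stores only a password_hash() result (bcrypt by default):
    // no hand-rolled md5 + salt and no separate salt column.
    public function register($username, $password) {
        $stmt = $this->pdo->prepare('INSERT INTO accounts (username, password_hash) VALUES (?, ?)');
        return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    }

    public function login($username, $password) {
        // Prepared statement instead of escape() plus string concatenation.
        $stmt = $this->pdo->prepare('SELECT password_hash FROM accounts WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row || !password_verify($password, $row['password_hash'])) {
            return false;
        }
        // Fresh session id after authentication, so a session id planted
        // before login (session fixation) is useless afterwards.
        session_regenerate_id(true);
        $_SESSION[$this->prefix . 'username'] = $username;
        // Only the username and a CSRF token go in the session, never the password.
        $_SESSION[$this->prefix . 'csrf'] = bin2hex(random_bytes(32));
        return true;
    }
    // Logout only via POST with the session's CSRF token, so a cross-site
    // link or image tag cannot end the user's session.
    public function logout($postedToken) {
        $expected = isset($_SESSION[$this->prefix . 'csrf']) ? $_SESSION[$this->prefix . 'csrf'] : '';
        if ($expected === '' || $_SERVER['REQUEST_METHOD'] !== 'POST'
                || !hash_equals($expected, (string) $postedToken)) {
            return false;
        }
        $_SESSION = [];
        session_destroy();
        return true;
    }
}
```

The logout form must include the token from `$_SESSION['rhs_csrf']` as a hidden field and submit it with POST; a plain `<a href="logout.php">` link no longer works, which is the point.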