Home/ Questions/Q 3331502
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T23:35:26+00:00

I have a classifieds website which I am creating a login system for… In

  • 0

I have a classifieds website which I am creating a login system for…

In the code below, a form with “username” and “password” has been submitted to. Also a “remember_me” feature is available (Code is not tested yet):

else if($row['password']===$pass){
    session_start();
    $_SESSION['logged_in'] = '1';
    $remember_me = isset($_POST['remember']) ? $_POST['remember'] : '0';
    if($remember_me=='1'){

        $text = "SECRET_TEXT_AND_NUMBERS_HERE";
        $username= $row['username'];

        $salt1 = sha1($row['alt_username']);
        $salt2 = sha1($text);

        $cookie_value = $salt1.':'.$username.':'.sha1($row['alt_username'].$salt2.$salt1);

        setcookie("s_b", $cookie_value, time()+60*60*24*100, "/");

    }

}

Now, is this code a good start for a login page?

Also, an important follow-up question to all this, if users want to stay logged in, do I then set a $_SESSION variable like the one in the code, and just check if that is set in the beginning of all pages on the site?

 if(isset($_SESSION['logged_in'])) // Then user is logged in already

or do I check to see if the cookie created in the login page is set instead of checking the session?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    logging in is about security; security is always more difficult then it seems.

    There are a couple of things that you could improve in your code. first:

    the security for your password is in the strength of the hasing algorithm. You choose to use sha1 (better than md5, but could be improved by using sha256 or bCrypt if you use PHP version >= 5.3)

    First
    The salt you use is supposed to be a random value, stored alongside the hashed result.
    in other words, the value to store in your database is:

    $salt = [some random string of predifend lenght]; // Let's say 16 characters in length
$storedValue = $salt . sha256($salt . $password);

    you check the password:

    if ($row['username'] == $_POST['username']  && substr($row['$storedValue'], 16) == sha256(substr($row['$storedValue'], 0, 16) . $_POST['password'])) {
    // login ok
} else {
    // login fail
}

    (better yet)
    Use a proven library for the password hashing stuff, take a look at: Portable PHP password hashing framework and try to use the CRYPT_BLOWFISH algorithm if at all popssible.

    Second
    You should only store the session key in the session cookie. all other information is stored on the server.
    The session cookie is already send out by PHP’s session_start() function call, so you do not have to worry about this anymore.

    if you want to check the sessions lifetime, you should store this information in the session array:

    $_SESSION['lastActivity'] =  time()+60*60*24*100;

    Third
    The remember me token is a ‘password equivalent’ so you should only store a hash of the token in your database, just treat it as a password, only this ‘password’ is not typed by the user, but read from the cookie.

    • 0