I’m in the process of trying to make a secure PHP based login system but have come across something I’m unsure how to approach.
After a user is logged in, what is the best method of checking that they are logged in on subsequent pages? Currently I’m setting session variables, but should I use another method too? Should I generate a unique ID each time they log in, and if so, how would I use this? Store a copy in the database and as a cookie and compare them on each page load? Or any other methods you guys can think of.
Thank you all in advance.
I always use the session approach, but if you want to be very secure (prevent session hijacking) you could save the current IP and some other characteristics of the user in an MD5 hash in the database along with the session ID. Then, when a page is opened after login, you can regenerate the MD5 hash with the client properties and check that against the session ID in the database. That way it would be much harder, if not impossible, to hijack a session. Of course the ‘mysql session’ must be deleted, or in any case not reused, because the user might change computers etc., but it would prevent hijacking the active session.
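One way to implement the binding the answer describes, as an added example that is not code from the original thread: the fingerprint (IP plus other request characteristics) is stored in a database row keyed by the session ID when the user logs in, recomputed on every protected page, and compared. The table name `login_sessions`, the function names, the use of an in-memory SQLite database via PDO (assumes the `pdo_sqlite` extension), and the constructed request arrays are all assumptions made for this example; SHA-256 is used in place of the answer's MD5, since the digest only has to be consistent, not secret.

```php
<?php
// Added example (not from the original post): bind a PHP login session to a
// client fingerprint stored in the database and re-check it on every request.
declare(strict_types=1);

// Fingerprint the client from the properties the answer mentions: IP plus a
// few other request characteristics. Any consistent one-way digest will do.
function client_fingerprint(array $server): string
{
    $parts = [
        $server['REMOTE_ADDR'] ?? '',
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return hash('sha256', implode("\x1f", $parts));
}

// Hypothetical schema for this example.
function create_schema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS login_sessions (
        session_id  TEXT PRIMARY KEY,
        user_id     INTEGER NOT NULL,
        fingerprint TEXT NOT NULL,
        created_at  INTEGER NOT NULL
    )');
}

// Called once after the password check succeeds. $sessionId should be the
// value of session_id() taken AFTER session_regenerate_id(true), so that a
// session id an attacker planted before login (fixation) is never bound.
function bind_session(PDO $db, string $sessionId, int $userId, array $server): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO login_sessions
        (session_id, user_id, fingerprint, created_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$sessionId, $userId, client_fingerprint($server), time()]);
}

// Called at the top of every protected page. Returns the user id when the
// session is known and the recomputed fingerprint matches, null otherwise.
function authenticated_user(PDO $db, string $sessionId, array $server): ?int
{
    $stmt = $db->prepare('SELECT user_id, fingerprint FROM login_sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time comparison; avoids leaking the match position via timing.
    if (!hash_equals($row['fingerprint'], client_fingerprint($server))) {
        // Fingerprint mismatch: treat as a hijack attempt and delete the
        // server-side record so the stolen cookie is useless from now on.
        unbind_session($db, $sessionId);
        return null;
    }
    return (int) $row['user_id'];
}

// Logout / cleanup. As the answer notes, the stored record must not be reused.
function unbind_session(PDO $db, string $sessionId): void
{
    $db->prepare('DELETE FROM login_sessions WHERE session_id = ?')->execute([$sessionId]);
}

// Demonstration with an in-memory SQLite database and constructed request data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);

$sid = bin2hex(random_bytes(16)); // stands in for session_id() after regeneration
$victim = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64)',
    'HTTP_ACCEPT_LANGUAGE' => 'en-GB',
];
bind_session($db, $sid, 42, $victim);

// Same client on a later page: the user id comes back.
var_dump(authenticated_user($db, $sid, $victim));

// Same session cookie presented from a different IP: rejected and unbound.
$attacker = $victim;
$attacker['REMOTE_ADDR'] = '198.51.100.7';
var_dump(authenticated_user($db, $sid, $attacker));

// The legitimate client is now logged out too and must sign in again.
var_dump(authenticated_user($db, $sid, $victim));
```

In a real page, `$sessionId` is `session_id()` and `$server` is `$_SERVER`; call `session_regenerate_id(true)` before `bind_session()` and set the session cookie with the `HttpOnly` and `Secure` flags so it is not readable from script or sent over plain HTTP. Two caveats a practitioner should weigh: binding to `REMOTE_ADDR` will log out users whose IP changes mid-session (mobile networks, some proxies), and the User-Agent and Accept-Language headers are visible to anyone who can capture the session cookie, so this check raises the bar but does not replace TLS and short session lifetimes.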