I’m making a new login system to practice my PHP, since the last one I made was pretty insecure, as I’ve found out the more I’ve learnt…
Anyway, essentially I’m getting a little confused about how to truly make it secure. A lot of answers to similar things regarding this state that authenticating a user per-page isn’t necessary; that they just need to be authorized. However, say for instance I wanted to make it possible for users to force all users currently logged into an account to be logged out when the password for the account is changed (in practice the person who changed the password would be kept logged in, that’s a simple enough task…).
The only way I can think of this working is if the password is stored somehow, so that it can be compared with a user’s credentials in the database.
Essentially, I have a few questions because of this:
- Why do most people think it isn’t worth making a login system work this way?
- Is there some ridiculously easy way of doing this that I’m overlooking? (Either way, if anyone can direct me to a way of doing it I’ll greatly appreciate it!)
- When making a login system remember you, what should be in a cookie for it to be secure and for it to still remember you?
Thanks!
Good security relies on multiple levels of authentication… storing authentication data in sessions and cookies and encrypting passwords etc.
To answer your question as to how this could work:
You could build a basic authentication class that, after authenticating users, stores a cookie and sets the session variable(s) including a password hash. Whatever method you use to verify a user is authenticated on each page can check the database for the password compared to the hash, and if it has changed the authentication would fail.
You can ensure that a cookie be set only over an HTTPS connection; if it’s not HTTPS it won’t set a cookie. There is also a parameter in the setcookie function that enables you to limit the cookie to HTTP only, so JavaScript can’t get a hold of the cookie via cross-site scripts etc. http://php.net/manual/en/function.setcookie.php
Security is all about understanding how something works and how it CAN be exploited.
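The per-page check described in the answer above, as an added example (not code from the original post): the session remembers the password hash it was created against, every request re-reads the hash from the database, and a mismatch forces a logout, so changing the password kills every other session while the changer’s own session is refreshed. It assumes PHP 7 with PDO and uses an in-memory SQLite table plus a constructed user record in place of a real users table.

```php
<?php
// Real app: call session_set_cookie_params(['secure' => true, 'httponly' => true])
// before session_start() and use $_SESSION instead of the $session arrays below.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed user

function login(PDO $db, array &$session, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    // Remember which hash this session was created against.
    $session['user_id'] = $row['id'];
    $session['pw_hash'] = $row['password_hash'];
    return true;
}

// Call on every page: the session is valid only while the hash it stored
// still matches the one currently in the database.
function is_authenticated(PDO $db, array &$session): bool {
    if (!isset($session['user_id'], $session['pw_hash'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $current = $stmt->fetchColumn();
    if ($current === false || !hash_equals($current, $session['pw_hash'])) {
        $session = []; // password changed (or user deleted): force logout
        return false;
    }
    return true;
}

function change_password(PDO $db, array &$session, int $userId, string $newPass): void {
    $newHash = password_hash($newPass, PASSWORD_DEFAULT);
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')->execute([$newHash, $userId]);
    $session['pw_hash'] = $newHash; // the changer's own session stays logged in
}

// Two browsers log in as alice; one changes the password; only that one survives.
$sessA = []; $sessB = [];
login($db, $sessA, 'alice', 'correct horse');
login($db, $sessB, 'alice', 'correct horse');
change_password($db, $sessA, 1, 'battery staple');
var_dump(is_authenticated($db, $sessA)); // session A still valid
var_dump(is_authenticated($db, $sessB)); // session B has been logged out
```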