I’ve created a login system using PHP sessions.

Here’s how it works:

1.) when the user logs in (with the valid login info):
Their info (username and password) are stored into a session, along with a few other bits of info:
The Expire time: This is just 5mins added onto the current time (so if the user login is at 22:30 the expire time would be 22:35).

2.) On every page view of the user being logged in:
The session is checked to see if exists. If it doesn’t, the user is redirected to the login page. If the session does exist, it then checks the expire time and compares it with the current time. If the expire time is more then the current time (the user has been inactive for 5+ mins) then their user details (in the session) are checked (compared to ones in database) and the Expiretime session is updated, but if the expire time is less then the current time, It wont check any details, updates the expire time session and will allow the user to carry on. Ive done that to prevent constant querying on the DB to save bandwidth.

So basically, once the user has successfully logged on, their username and password wont be checked on the DB again until they either become inactive (stay on one page) for 5+ mins or if they log out.

FORGOT to mention something guys:
The expire time session is actually called expire_time_unique_characters ($_SESSION['expire_time_'.$unique_nu]) which means the evil person will also have to find the $unique_nu when faking the session…

I just have this feeling that its not very secure.

Also, the project this is for is open source (people can see the source code) so that poses an even higher risk here…

can you guys give me some feedback?

Thanks