On my website that I’m developing I’ve already got all my login sorted, and it works correctly, including session saving.
To improve the user’s security and privacy I’d like to implement some kind of “confirm your password” page whenever the user requests to view a sensitive page (such as an activity log, or changing some settings) to further protect against session hijacking. I am, however, not sure how to go about doing this.
I’m unsure of the security best practices for this, and as this project site is a learning curve for me, I’d appreciate being taught.
The structure that I think I’m aiming to achieve may be like this:
current page --(user goes onto history log)-> Please confirm your password
Please confirm your password --(user gets the correct password)-> history log page 1
history log page 1 --(user wants the next page of the history log)-> history log page 2
history log page 2 --(user goes to the home page)-> home page
home page --(user goes onto history log)-> Please confirm your password
Please confirm your password --(user gets the correct password)-> history log page 1
From what I understand about doing this correctly I need to make it so that once the user navigates away from the History Log they’re no longer authorized to view it.
If someone could provide some tips on how to do this it would be greatly appreciated. I’ve tried to search for some tutorials, but couldn’t find any (it’s completely possible I chose bad search terms); if someone could even just offer a link to a tutorial then that would be greatly appreciated too.
Thanks, Jordan.
I would simply add a $_SESSION variable for this user that gets reset when he navigates to any page that is not the history log.
Furthermore, I’d use a general mechanism like this:
On all your pages, set a
And then, include a small snippet that does:
Is that of any help?
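One way to implement the session-variable gate described in the answer above, written as an added example for this thread rather than code posted by either participant. It targets PHP 8 and assumes the site already calls session_start() and stores the logged-in user's password_hash() string somewhere it can fetch it (the `$db->passwordHashFor()` call in the usage comments is a hypothetical placeholder for that lookup). The constant name, the function names and the `/confirm-password.php` path are all assumptions.

```php
<?php
// reauth.php: "confirm your password" gate for sensitive pages.
// Added example, not from the original thread. Assumes PHP >= 8.0,
// an active session, and a password_hash() string for the current user.
declare(strict_types=1);

const REAUTH_MAX_AGE = 300; // seconds a confirmed password stays valid (assumed value)

/** Call at the top of every page with that page's scope (null for ordinary pages).
 *  Leaving the scope the confirmation was granted for drops it at once. */
function reauth_page_enter(?string $scope): void
{
    if (isset($_SESSION['reauth']) && $_SESSION['reauth']['scope'] !== $scope) {
        unset($_SESSION['reauth']);
    }
}

/** True if this session confirmed its password for $scope within REAUTH_MAX_AGE. */
function reauth_is_valid(string $scope): bool
{
    $r = $_SESSION['reauth'] ?? null;
    return $r !== null
        && $r['scope'] === $scope
        && (time() - $r['at']) < REAUTH_MAX_AGE;
}

/** Gate a sensitive page: remember where to come back to, then redirect. */
function reauth_require(string $scope): void
{
    if (reauth_is_valid($scope)) {
        return;
    }
    $_SESSION['reauth_return'] = $_SERVER['REQUEST_URI'] ?? '/';
    $_SESSION['reauth_scope_wanted'] = $scope;
    header('Location: /confirm-password.php', true, 303);
    exit;
}

/** Token to embed in the confirm form so a cross-site POST cannot drive it. */
function reauth_csrf_token(): string
{
    return $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
}

/** Handle the POSTed form. $storedHash is the user's password_hash() value. */
function reauth_confirm(string $submittedPassword, string $storedHash, string $csrfToken): bool
{
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $csrfToken)) {
        return false;
    }
    if (!password_verify($submittedPassword, $storedHash)) {
        return false;
    }
    // A session id an attacker may already hold should not survive the confirmation.
    session_regenerate_id(true);
    $_SESSION['reauth'] = [
        'scope' => $_SESSION['reauth_scope_wanted'] ?? '',
        'at'    => time(),
    ];
    unset($_SESSION['reauth_scope_wanted']);
    return true;
}

/** Redirect target after confirming: a local path only, never an external URL. */
function reauth_return_path(): string
{
    $p = $_SESSION['reauth_return'] ?? '/';
    unset($_SESSION['reauth_return']);
    if ($p === '' || $p[0] !== '/' || str_starts_with($p, '//') || str_contains($p, "\n")) {
        return '/';
    }
    return $p;
}

// --- usage on every history-log page (same scope on page 1, page 2, ...) ---
// session_start(); require 'reauth.php';
// reauth_page_enter('history_log');
// reauth_require('history_log');      // redirects unless confirmed recently
// ... render the log ...

// --- usage on any other page, e.g. the home page ---
// reauth_page_enter(null);            // confirmation is dropped immediately

// --- usage on confirm-password.php (POST branch) ---
// $hash = $db->passwordHashFor($_SESSION['user_id']);   // hypothetical lookup
// if (reauth_confirm($_POST['password'] ?? '', $hash, $_POST['csrf'] ?? '')) {
//     header('Location: ' . reauth_return_path(), true, 303); exit;
// }
```

The confirmation is keyed to a scope and cleared the moment any page outside that scope is entered, which gives the flow in the question: log page 1 to log page 2 needs no second prompt, but home page to log page does. The time limit is a second, independent cut-off so a tab left open on the log does not stay confirmed forever. Confirm-password.php itself must still require a logged-in session before it looks up a hash, and repeated wrong passwords on it should be rate limited exactly as on the normal login form, since it is otherwise a second place to guess passwords.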