Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
this is what I’m doing currently to create sessions on login page.
if($count==1) {
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
}
i know this is very basic and I need to protect the user sessions. Can u provide me some basic tips. If you could edit the code and write the secure one, it would be great. Thanks.
Currently, I am using the email address as session username.
Ask your self this question:
After you have answered that you should of come to the conclusion that its pointless, you can either store the username or the user id in the session when it comes to login systems.
How login systems tend to work is that the user sends the username password from a form to the server where its validated, during the validation process you select the user from from the database
where username = post_username.If there is no rows found the user does not exists so you can directly send output at that point, if the user does exist you then compare the password with the post_password.
the reason why we specifically select the row by just the username is that you should be incorporating some sort of hashing system to add extra security.
if you stored the password as (password + hash) which would be a new string, you would also store just the hash aswell, thus if a user is found then you can create a hash from
(post_password + db_hash)and check to see if its the same as thedb_password.this way if your database gets leaked somehow your users credentials are more secure.
once the user has been validated you would store the user id within the session, and then on every page load you can check if the id is within the session and if it is the user is currently logged in and you can select the users data by
SELECT * FROM users WHERE id = session_id.This should get you started.