Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
What is the best way to securely authenticate a user ?
So far I was thinking of:
$SALT for each successful login and store $logged = md5($hashed_password.$SALT) into database; delete on logout.$logged into a cookie (If user checked “remember me”). Set $_SESSION['user'] = $logged;$_SESSION['user'] is set; if not, check for cookie, if data doesn’t match, redirect to login page.What are the risks ?
The only issue I can see with your existing framework (which I like otherwise) is that there is the possibility of collision for
$logged.It is not mathematically impossible for two valid user log-ins to result in the same hash. So I would just make sure to start storing the User
idor some other unique information in the Cookie as well.You may also want to keep a timestamp of when the
$loggedwas put in the DB, so that you can run cleaning queries where they are older thanxdays/weeks.