andostini, posted September 15, 2014 (edited)

Hey guys, I'm programming a very tiny CMS and I just wanted to ask if you think that this login system is secure enough. The user data is stored in a MySQL database.

Logging the user in after verifying his login data:

    $_SESSION['username'] = $usernameinput;
    $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
    session_name("sid");
    session_set_cookie_params(1800);
    session_cache_expire(1800);

Checking if the user is logged in:

    if (isset($_SESSION['username']) && $_SESSION['addr'] == $_SERVER['REMOTE_ADDR']) {
        // SHOW WEBSITE
    } else {
        // SHOW LOGIN FORM
    }

To log out a user, I simply use the session_destroy() function.

I would be very grateful for your opinion and advice.

Fabian

Edited September 15, 2014 by andostini
thescientist, posted September 15, 2014

No password checking? Is username coming directly from GET / POST data?

Also, won't this always be true?

    $_SESSION['addr'] == $_SERVER['REMOTE_ADDR']
andostini (author), posted September 15, 2014

The first code snippet comes after checking the password. So it will only be executed if the login data the user typed in was correct.
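andostini says the session is only populated after the password has been checked, and thescientist asks where the username comes from. As an added example (not code from this thread or from andostini's CMS), this is what that preceding check typically looks like: the username from the login form is bound into a prepared statement, and the submitted password is compared against a stored password_hash() value with password_verify(). The users table, its column names, the demo account and the SQLite in-memory database are all constructed here so the file runs on its own; the real CMS would point the DSN at its MySQL database instead.

```php
<?php
// Added example, not code from the thread: the password check that runs
// before the session is populated. The users table, its columns and the
// SQLite in-memory database are constructed here so the file runs on its own;
// for the real CMS the DSN would point at the MySQL database instead.

declare(strict_types=1);

// Hash used for unknown usernames so that the cost of the check, and hence the
// response time, is the same whether or not the account exists.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function verify_login(PDO $pdo, string $username, string $password): bool
{
    // The username is bound as a parameter, never concatenated into the SQL,
    // so input taken straight from $_POST cannot change the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one password_verify so timing stays constant.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

function build_demo_db(): PDO
{
    // Constructed demo data: one account whose password is stored as a hash.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([
        ':u' => 'fabian',
        ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// In the CMS these two values come from the submitted login form; the
// fallbacks only exist so the script also runs from the command line.
$usernameinput = $_POST['username'] ?? 'fabian';
$passwordinput = $_POST['password'] ?? 'correct horse battery staple';

$pdo = build_demo_db();
foreach ([
    [$usernameinput, $passwordinput],
    ['fabian', 'wrong password'],
    ['nobody', 'anything'],
    ["' OR 1=1 --", 'anything'],
] as [$u, $p]) {
    printf("%-20s %s\n", $u, verify_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```

Only when verify_login() returns true would the code from the first post run and put the username into $_SESSION. The last input in the loop shows why the binding matters: it is just an unknown username to the prepared statement, so it is rejected like any other.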
justsomeguy, posted September 16, 2014

You need to call all of those session functions before starting the session, not after. They have no effect if you call them after; the session cookie has already been sent.
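Putting justsomeguy's point into code, as an added example rather than anything from the thread: session_name() and session_set_cookie_params() are called before session_start(), so the cookie that session_start() sends actually carries the name and lifetime from the first post. Around that, the example adds the pieces a login flow usually pairs with it: a new session id on login, a server-side idle timeout that matches the 1800-second cookie, and a logout that expires the cookie in the browser as well as calling session_destroy(). The address check from the first post is kept as written. session_cache_expire() is left out because it only sets the Expires/Cache-Control headers for cached pages (in minutes) and has no effect on how long the session lives. The array form of session_set_cookie_params() and setcookie() assumes PHP 7.3 or later; the function names other than the PHP built-ins are this example's own.

```php
<?php
// Added example, not code from the thread: session configuration in the order
// justsomeguy describes (before session_start()), plus login, logged-in check
// and logout helpers. Assumes PHP 7.3+ for the array cookie options.

declare(strict_types=1);

const SESSION_LIFETIME = 1800; // seconds, same value as the original post

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started in this request
    }
    // Server-side lifetime should match the cookie lifetime, otherwise the
    // cookie can outlive the data it points to (or vice versa).
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued

    // All of this must come BEFORE session_start(): that call sends the cookie.
    session_name('sid');
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // only transmitted over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $username): void
{
    // Call this only after the password has been verified.
    // A fresh id on login prevents a pre-login session id from being reused.
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['addr']      = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_seen'] = time();
}

function is_logged_in(): bool
{
    if (!isset($_SESSION['username'], $_SESSION['addr'], $_SESSION['last_seen'])) {
        return false;
    }
    // Idle timeout enforced on the server, independent of the cookie.
    if (time() - $_SESSION['last_seen'] > SESSION_LIFETIME) {
        logout_user();
        return false;
    }
    $_SESSION['last_seen'] = time();
    // Same address comparison as the original post. Users whose address
    // changes mid-session (mobile networks, some proxies) get logged out by it.
    return hash_equals((string) $_SESSION['addr'], $_SERVER['REMOTE_ADDR'] ?? '');
}

function logout_user(): void
{
    $_SESSION = []; // drop the server-side data for this request
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser too, not just the data on the server.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage in a request handler:
start_secure_session();
if (is_logged_in()) {
    // SHOW WEBSITE
} else {
    // SHOW LOGIN FORM
}
```

With this ordering, a quick check in the browser's developer tools should show a cookie named sid with the 1800-second expiry and the HttpOnly and Secure flags; if the functions are called after session_start() as in the first post, the cookie is instead named PHPSESSID with session-only lifetime, which is an easy way to confirm justsomeguy's observation.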