PHP Security



Luno1599
28-09-2009, 02:44 PM
Hey,

I just have some questions on PHP login security,

How would I make a login script secure?

Say if I made 5 different sessions on login and checked the sessions all the way through, would that be secure enough?

Dan

LMS16
28-09-2009, 03:15 PM
No. Because then, if you have a script checking if the sessions exist, it will still think they're logged in even if they're banned/their account has been deleted...

But if you make them expire after a set time, or make it check that their account still exists on every refresh, then you're all good.

BoyBetterKnow
28-09-2009, 03:49 PM
Some key ideas.

- Have an online table and make a session that perhaps refers to that. Store the user's IP address in it, so that any other platform that has perhaps stolen a session cannot use it. That is known as protection from session hijacking.
- Have timeouts. Not too short like PayPal, but have them.

Luno1599
28-09-2009, 04:08 PM
Thanks guys. OK, how would a timeout script work? Any examples please =)

LMS16
28-09-2009, 07:33 PM
Well, if you make a session, for example

$_SESSION["logintime"] = time();
make it set that when they log in, then make a new PHP file and make sure you include it in the file where you want to check the login, so use

include("checklogin.php");

Now in that file put:

<?php
session_start(); // needed before $_SESSION can be read
// log out if there is no login time or the last refresh was more than 24 hours ago
if(!isset($_SESSION["logintime"]) || $_SESSION["logintime"] < time() - 86400) {
    header("Location:logout.php");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect
}else{
    $_SESSION["logintime"] = time(); // refresh: a 24-hour sliding window
}
?>


That will check if they need to be logged out...


if($username != "") {
$real = mysql_query("SELECT * FROM `staff` WHERE `username`='$username'") or die ("Error! Please reinstall the panel.");
}
$check = mysql_num_rows($real);
if($check == "0") { header("Location:logout.php"); }

That's a simple way of checking if their account still exists; if not, log them out...

Protege
29-09-2009, 06:45 AM
So where does $username come from? Because in that instance it doesn't exist at all. Also, the variable $check would equal false if $username was equal to nothing. Doesn't seem like you thought any of that through.

LMS16
29-09-2009, 02:45 PM
My apologies for a typo...

<?php
session_start();
// assumes the login script stored the name in $_SESSION["username"] (not shown in this thread)
$username = isset($_SESSION["username"]) ? $_SESSION["username"] : "";
$check = 0;
if($username != "") {
    // escape before interpolating, or a username containing a quote breaks (or injects into) the query
    $safe = mysql_real_escape_string($username);
    $real = mysql_query("SELECT * FROM `staff` WHERE `username`='$safe'") or die ("Error! Please reinstall the panel.");
    $check = mysql_num_rows($real);
}
if($check == 0) { header("Location:logout.php"); exit; }
?>

Protege
29-09-2009, 08:28 PM
Again, where have you set $_SESSION["username"]?
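Pulling the thread together, here is an added example that is not LMS16's or BoyBetterKnow's code: one file (call it auth.php) with the login side and the check side, so it also answers where $_SESSION["username"] gets set. It keeps LMS16's timeout and account-still-exists check, adds an absolute timeout, regenerates the session ID on login, and uses PDO prepared statements instead of the mysql_* extension (which no longer exists in PHP 7). PHP's own server-side session store plays the role of BoyBetterKnow's "online table"; the per-request lookup is what makes a ban or deletion take effect immediately. IP pinning is kept behind a switch because clients behind mobile carriers or rotating proxies change address mid-session, and it does nothing against an attacker sharing the victim's NAT. Assumed and not from the thread: PHP 7.3 or newer, a PDO connection $pdo, and id, password_hash and banned columns on the staff table (only username appears in the thread).

```php
<?php
// Added example, not code from the thread. One file (say auth.php) that every
// protected page includes; it covers the points raised in the thread:
// timeouts, re-checking on every request that the account still exists and is
// not banned, and (optionally) BoyBetterKnow's idea of pinning the session to an IP.
// Assumed: PHP 7.3+, a PDO connection $pdo, and a `staff` table with columns
// id, username, password_hash (from password_hash()) and banned (0/1). Only the
// `username` column appears in the thread; the others are assumptions.

const IDLE_TIMEOUT     = 1800;   // log out after 30 minutes without a request
const ABSOLUTE_TIMEOUT = 86400;  // ...and 24 hours after login regardless of activity
const BIND_TO_IP       = false;  // see lead-in: breaks for clients whose address changes

function secure_session_start() {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session IDs the server did not issue (blocks session fixation), accept
    // them only from the cookie, and keep the cookie HTTPS-only and out of JavaScript's reach.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by login.php with the submitted credentials. Returns true on success.
function login_user(PDO $pdo, $username, $password) {
    secure_session_start();
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, banned FROM staff WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash']) || $row['banned']) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID after login: a pre-login ID is worthless to an attacker
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['username']      = $row['username'];   // this is where LMS16's $_SESSION["username"] is set
    $_SESSION['logintime']     = time();
    $_SESSION['last_activity'] = time();
    $_SESSION['ip']            = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// LMS16's checklogin.php, done properly: call at the top of every protected page.
function require_login(PDO $pdo) {
    secure_session_start();
    $now   = time();
    $valid = isset($_SESSION['user_id'], $_SESSION['logintime'], $_SESSION['last_activity'])
          && $now - $_SESSION['last_activity'] <= IDLE_TIMEOUT
          && $now - $_SESSION['logintime'] <= ABSOLUTE_TIMEOUT
          && (!BIND_TO_IP || ($_SESSION['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? ''));
    if ($valid) {
        // Look the account up by primary key with a prepared statement: a deleted or
        // banned account is logged out on its next request, and no string is ever
        // interpolated into SQL, unlike "...WHERE `username`='$username'" in the thread.
        $stmt = $pdo->prepare('SELECT banned FROM staff WHERE id = ?');
        $stmt->execute([$_SESSION['user_id']]);
        $row   = $stmt->fetch(PDO::FETCH_ASSOC);
        $valid = $row !== false && !$row['banned'];
    }
    if (!$valid) {
        logout_user();
        header('Location: logout.php');
        exit;   // header() alone does not stop the script; the protected page would still be sent
    }
    $_SESSION['last_activity'] = $now;   // sliding idle window, like LMS16's refresh of logintime
}

// Wipe the session server-side and expire the cookie, so the old ID cannot be replayed.
function logout_user() {
    secure_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A protected page then starts with `<?php require 'auth.php'; require_login($pdo); ?>` before any output, because the redirect is an HTTP header and cannot be sent once the body has started. Five separate session variables, as asked in the opening post, add nothing over one: they all live in the same server-side record and all ride on the same cookie, so whoever holds the cookie holds all five.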
