Hi,
I have a quick favour to ask - would someone please check over this concept for me?
Basically I need to generate a login script, and while time is on my side I want to invest in writing my own so that I fully understand and can fully control what is going on.
When a visitor applies for membership they assign themselves a password that is hashed and stored in the database. I do not have, nor do I want, a remember-me (stay logged in) function; in the days of modern browsers this seems a bit pointless. That aside, I have planned the process for the login and was hoping someone might be able to point out any flaws with it.
At the top of each page is the login form - two text boxes and a button.
1) The user completes the details and clicks 'Login'.
2) The login script stores what page they are currently on.
3) The form is written with the current page as the action and POST as the method.
4) I have a file that hashes the password and then checks the database. This file is included at the very top of every page.
5) If the details are correct then they see the page they were on at the start of this process and the login controls are replaced with a link to the members area and certain items on the navigation bar become available. I then store true to $_SESSION['isLoggedIn'].
6) If the details are wrong they go to a page with the controls on and a link to request a new password.
I should say that the navigation is controlled by a database and the user details are also stored in a database.
I know that this is a high level of abstraction, even for pseudocode, but does this process flow sound OK?
I would really appreciate some feedback or pointers - pitfalls to avoid, that sort of thing.
Cheers
nathj
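The flow in steps 1 to 6 above, written out as one include file in PHP. This is an added example, not nathj's code and not from the original thread. Everything it names is an assumption: a PDO handle $pdo, a users table with id, email and password_hash columns, form fields named email, password and login, a members area at /members/, and a failure page at /login-failed.php. It uses password_hash()/password_verify() for the stored hash, regenerates the session id on successful login, and sends the visitor back to the page they were on with a redirect rather than re-rendering the POST.

```php
<?php
// Added example, not the poster's code. Intended to be included at the top of
// every page, as step 4 describes. Assumes (hypothetical) a PDO connection in
// $pdo and a `users` table with columns `id`, `email`, `password_hash`.
declare(strict_types=1);

session_start();

// Registration: store only a hash of the password the visitor chose.
function register_user(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Step 4: look the account up by identifier, then verify the submitted
// password against the stored hash. Returns true and marks the session on success.
function attempt_login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the account does not exist, so an
    // unknown e-mail takes about as long as a wrong password.
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Replace the pre-login session id before storing the logged-in flag (step 5).
    session_regenerate_id(true);
    $_SESSION['isLoggedIn'] = true;
    $_SESSION['userId'] = (int) $row['id'];
    return true;
}

// Steps 2 and 3: the page the visitor is currently on is the form action and
// the redirect target. Only the path of the request URI is used, never a
// user-supplied URL, so the redirect always stays on this site.
function current_page_url(): string
{
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    return (is_string($path) && $path !== '') ? $path : '/';
}

// Step 1: handle a submitted login form before any page output.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['login'])) {
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (attempt_login($pdo, $email, $password)) {
        // Step 5: back to the same page with a GET, so a refresh does not resubmit.
        header('Location: ' . current_page_url(), true, 303);
        exit;
    }

    // Step 6: wrong details go to the page that offers a password reset link.
    header('Location: /login-failed.php', true, 303);
    exit;
}

// Step 5 rendering: the page body calls this where the login controls sit.
function login_controls_html(): string
{
    if (!empty($_SESSION['isLoggedIn'])) {
        return '<a href="/members/">Members area</a>';
    }
    $action = htmlspecialchars(current_page_url(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="email" name="email" required>'
         . '<input type="password" name="password" required>'
         . '<button type="submit" name="login" value="1">Login</button>'
         . '</form>';
}
```

The navigation code can test $_SESSION['isLoggedIn'] the same way login_controls_html() does to decide which database-driven menu items to show. Because the redirect target comes from the request path rather than a form field, a forged form cannot send a freshly logged-in visitor off-site.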