
implementing login/logout (new to php)

P: n/a

I need to implement a secure web site in PHP and MySQL, but I have just
started looking at PHP a few days ago, and I would appreciate any advice
from the experts.

The site, as I said, will have login/logout functionality, and no access
will be allowed to any pages (except for the login page) without login.

I have read about various authentication tactics on the web and decided to:
- always force secure connections from each authentication-protected page
- have a plain HTML login page and send the credentials with this form
- when the user submits the form, look the credentials up in the database
and, if they match, create a new session for this user
- if the user does not have a session, then assume that this user is not
logged in
- to log out, destroy the user's session

My questions are:
- I assume that a session can either exist or not for a user, and there is
an API that I can call explicitly to create and destroy sessions, correct?
- I can store session ids either in cookies or in the URL, and I chose to
use non-persistent cookies; can I control the persistence of session cookies
and the way the session id is sent to the client (in a cookie or in a query
- for more security I will store the user's IP in the session, and blow the
session away if the IP does not match, which might indicate that someone else
stole the session cookie or otherwise got someone else's session id; would
this help at all? Something else to check to see if the session id might be
- can one just guess a session id? Maybe by generating numbers on a machine

Any suggestions on maybe a better way to achieve this?

Would appreciate any advice!
Jul 17 '05 #1
