Hello,
I need to implement a secure web site in PHP and MySQL, but I have just
started looking at PHP a few days ago, and I would appreciate any advice
from the experts.
The site, as I said, will have login/logout functionality, and no access
will be allowed to any pages (except for the login page) without login.
I have read about various authentication tactics on the web and decided to:
- always force secure connections from each authentication protected page
- have a plain html login page and send the credentials with this form
- when the user submits the form, look the credentials up in the database
and if they match, create a new session for this user
- if the user does not have a session then assume that this user is not
logged in
- to logout, destroy the user's session
My questions are:
- I assume that a session can either exist or not for a user, and there is
an API that I can call explicitly to create and destroy sessions, correct?
- I can store session ids either in cookies or in the URL, and I chose to
use non-persistent cookies; can I control the persistence of session cookies
and the way the session id is sent to the client (in a cookie or in a query
string)?
- For more security I will store the user's IP in the session, and blow the
session away if the IP does not match, which might indicate that someone else
stole the session cookie or otherwise got someone else's session id. Would
this help at all? Something else to check to see if the session id might be
stolen?
- Can one just guess a session id? Maybe by generating numbers on a machine
etc.?
Any suggestions on maybe a better way to achieve this?
Would appreciate any advice!
Thanks
Konstantinos
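The login flow the post lays out (forced HTTPS, a plain form, a credential lookup, a session on success, no session means not logged in, logout destroys the session), written out as an added example in PHP. It is not code from the original post. Assumptions made for illustration: a `users` table with `username` and `pw_hash` columns, seeded into an in-memory SQLite database so the script runs offline (the DSN is the only line to change for MySQL), a cookie name `APPSESSID`, and page paths `/login.php` and `/home.php`.

```php
<?php
// Added example, not from the original post. Table layout, seed user and
// page paths are assumptions; the in-memory SQLite DSN stands in for MySQL.
declare(strict_types=1);

// Session id travels only in a cookie (never the URL); the cookie is
// non-persistent (lifetime 0), Secure and HttpOnly. Call before any output.
function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');  // ignore ?APPSESSID=... in the URL
    ini_set('session.use_trans_sid', '0');     // never append the id to links/forms
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('APPSESSID');
    session_start();
}

// Force HTTPS on the login page and every protected page.
function require_https(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
        header('Location: https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/'), true, 302);
        exit;
    }
}

// Constructed user store: bcrypt hashes only, never plaintext passwords.
function open_user_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute(['konstantinos', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// Look the credentials up with a prepared statement; on a match, start a
// fresh session for this user.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so response time
    // does not reveal which usernames exist.
    $hash = $row ? $row['pw_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }
    session_regenerate_id(true);  // any id the browser held before login is now useless
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = true;
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';  // used only if $bind_ip below
    return true;
}

// No session, or a session without the login flag, means not logged in.
// $bind_ip adds the IP comparison from the post; it also ends sessions of
// legitimate users whose address changes (mobile networks, NAT pools).
function require_login(bool $bind_ip = false): int
{
    $ok = !empty($_SESSION['logged_in']);
    if ($ok && $bind_ip && ($_SESSION['ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        $ok = false;
    }
    if (!$ok) {
        logout();
        header('Location: /login.php', true, 302);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Logout: clear the data, expire the cookie, destroy the server-side record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}

// Handler for the plain HTML form that POSTs username and password here.
require_https();
configure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login(open_user_db(), (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    header('Location: ' . ($ok ? '/home.php' : '/login.php?error=1'), true, 302);
    exit;
}
```

Every protected page calls `require_https()`, `configure_session()` and then `require_login()` before emitting anything. The two settings that matter most for the questions in the post are `session.use_only_cookies` (the id is never accepted from or written into the URL) and `session_regenerate_id(true)` at login, which prevents an attacker from planting a known id before the victim authenticates; `session.use_strict_mode` additionally makes PHP refuse ids it did not generate itself.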