Is there anything wrong with using this for authentication...

Is there anything wrong with using this method for authentication to
log in to an application, and then to make sure that only a user who is
logged in is able to use/see the application?

1. After submitting the form, the username and password are used to
query the database, and if that combination is found, I do the following:

session_start();                          // required before $_SESSION can be written
$_SESSION['current_user'] = session_id(); // mark this session as logged in
header("Location: admin/main.php");       // a redirect needs the "Location:" prefix
exit;                                     // stop here so nothing after the redirect is sent

I have a header.php file which is included in every page, and the code
on this page is the HTML header for my application (navigation, images,
etc.), but more important right now is
<a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>?logout=logout">Logout</a>
(the link needs an explicit echo to print anything, and PHP_SELF is
escaped because it echoes part of the requested URL back into the page).

Then in header.php, I include another file called verify_session.php,
which has the following code:

session_start();                          // resume the session before checking it
if (!isset($_SESSION['current_user']) || $_SESSION['current_user'] != session_id())
{
	header("Location: login/login.php");  // not logged in: send to the login page
	exit;                                 // without exit the protected page is still rendered
}
if (isset($_REQUEST['logout']) && $_REQUEST['logout'] == "logout")
{
	$_SESSION['current_user'] = NULL;     // forget the login marker
	header("Location: login/login.php");
	exit;
}

Here is a semi-complete example:

<?php
include_once("header.php");
?>

some page content

<?php
include_once("footer.php");
?>

And in header.php I have

<?php
include_once("access/verify_session.php");
?>
<html>
<head>
	<title>Title of my page</title>
</head>

<body>
<table>
<tr>
etc, etc, etc....

So in summary, is there anything wrong with this logic?  Can it be
easily hacked?  Is it best practice?

I have used it in many applications and it works perfectly, however, it
has come into question (despite the fact that it has not failed).  My
usernames are stored in the db as plain text and the passwords as md5.

Any advice would be greatly appreciated.


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
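As an added example (not the poster's code, and not a reply from the list), the same session-based login built the way a security reviewer would expect it today: the redirect is followed by exit, the session records which user is logged in rather than the session ID itself, the session ID is regenerated after a successful login, the password is checked with password_hash/password_verify instead of unsalted md5, and logout is a POST protected by a CSRF token so a plain link cannot be triggered from another site. It assumes a `users` table with `id`, `username` and `password_hash` columns (an assumption; the post does not name its schema) and seeds a constructed in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Assumes a `users` table
// with columns id, username, password_hash (assumption; the post names no schema).
declare(strict_types=1);

function db(): PDO
{
    // Constructed sample data: an in-memory SQLite database with one user.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
        $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,  // session cookie not readable from JavaScript
            'cookie_samesite' => 'Lax',
            'use_strict_mode' => true,  // reject session IDs the server never issued
        ]);
    }
}

// Returns true and marks the session as authenticated if the credentials match.
function login(string $username, string $password): bool
{
    start_session();
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);             // prepared statement: no SQL injection
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);             // fresh ID after login: defeats session fixation
    $_SESSION['user_id'] = (int) $row['id']; // record who is logged in, not the session ID
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

// Call at the top of every protected page; redirects and stops if not logged in.
function require_login(): void
{
    start_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: login/login.php');
        exit;                                // without exit the page body is still sent
    }
}

// Logout is a POST carrying the CSRF token; a GET link such as
// ?logout=logout can be fired by any page the user visits (e.g. an <img> tag).
function logout(string $submitted_token): bool
{
    start_session();
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $submitted_token)) {
        return false;
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return true;
}

// HTML for the logout control to place in header.php instead of the GET link.
function logout_form(): string
{
    start_session();
    $token = htmlspecialchars($_SESSION['csrf'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="logout.php">'
         . '<input type="hidden" name="csrf" value="' . $token . '">'
         . '<button type="submit">Logout</button></form>';
}

// Usage (hypothetical file names): a protected page such as admin/main.php begins with
//   require_once 'auth_example.php'; require_login();
// and the login handler does
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: admin/main.php'); exit;
//   }
// while logout.php calls logout($_POST['csrf'] ?? '') and then redirects to login/login.php.
```

The two points that matter most for the scheme in the post are the `exit` after each `header('Location: ...')`, since PHP otherwise keeps executing and sends the protected page body along with the redirect header, and the `session_regenerate_id(true)` call, which prevents an attacker who planted a known session ID before login from inheriting the authenticated session.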

