I have coded a couple of applications and for logging in users, I do the following:
- ask the user for a username
- create a password
- salt and encrypt the password
- store the username and encrypted password in a database
- e-mail the user his password
- on a login page, ask the user for his username/password pair
- salt and encrypt the password provided by the user
- compare the encrypted password value to the one stored in my database
- if the encrypted value matches I do a session_start() and store the user_id in a session variable.
- on every page I do session_start() and check the session variable for the user_id
- if the user_id is not found redirect to the login page if it is give them access to whatever they should have access to.
Now, I have inherited a program that I did not write and it handles authentication using the PEAR:Auth module. I had a user complain that he was being repeatedly redirected to the login page. I could not replicate his problem and closing and re-opening his browser solved the problem on his end, but I'm assuming he's not insane so I am tempted to rip out the existing PEAR:Auth methodology of tracking users and replace it with what I am used to. However, PEAR:Auth must do more than php sessions or nobody would use it so I worry that if I replace it I will either be making things less secure or losing some functionality. Try as I might, I can't see what I'd lose by replacing PEAR with something simpler. What am I missing? What does PEAR:Auth give me that php sessions doesn't?
Thanks,
David
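For reference, here is the register / login / per-page-check flow listed in the question written out in plain PHP, as an added example that is not the poster's code and not PEAR:Auth. It swaps the "salt and encrypt" step for PHP's built-in salted password hashing (password_hash()/password_verify()) and regenerates the session id at login; the PDO handle and the `users` table columns (id, username, password_hash) are assumptions.

```php
<?php
// Added example (not the poster's code): the login flow described above,
// using PHP's built-in salted hashing instead of "salt and encrypt".
// Assumptions: a PDO connection $db and a `users` table with columns
// id, username, password_hash (these names are hypothetical).

// Registration: password_hash() generates a random salt per user and
// embeds it in the returned string, so no separate salt column is needed.
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: password_verify() re-derives the hash with the stored salt and
// compares in constant time. Returns the user id on success, null otherwise.
function login_user(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    session_start();
    session_regenerate_id(true);   // fresh session id on login: blocks session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return (int) $row['id'];
}

// Per-page check: redirect to the login page unless a user id is in the session.
function require_login(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}
```

The mailed-out plaintext password step from the list is deliberately left out; with password_hash() the server never needs to keep a recoverable copy of the password.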