mme Posted November 7, 2010

Hi, I have just started learning about sessions to use with a login system with SQL. Now I was wondering if my method is secure?

When logging in, before setting the $_SESSION variables I use the session_regenerate_id() function. All passwords and IDs are stored as SHA-256 hashes in the MySQL DB. I use the mysql_escape_string() and htmlspecialchars() functions to sanitize the input values of all DB queries and SESSION variables.

Also, the login page can only have 3 wrong attempts before the user is locked out, with a captcha after the first attempt.

Once the user logs in, on each 'protected' page it checks the variables in the $_SESSION variable against the DB value; if they do not match then it brings the user to the login page.

Also, at the start of each page:

if (isset($_REQUEST['_SESSION'])) { die('No Hacking'); }

Just wondering, am I missing something?

Thanks,
mme
rwwd Posted November 7, 2010

Well, if you're trying to access session data, don't use the $_REQUEST global; access it directly with $_SESSION['a_name_here'], so your example would be best done like this:

if (isset($_SESSION['yourSessionVar']) && !empty($_SESSION['yourSessionVar'])) {
    echo "session exists, here is your secret page";
} else {
    // "No hacking": send the redirect before any output, otherwise header() fails
    header('Location: ' . $loginPageUrl); // back to login page url here
    exit;
}

Something along that line would be a better way of validating a session... Everything else sounds fine though ;p

Rw
mme Posted November 12, 2010 Author

Thanks for your feedback. I was only using $_REQUEST for that one line of code; the rest of the code was like you suggested.

Now I have also added a session timeout using the DB, so when no activity is made for x amount of minutes the session is 'deactivated' and the user is redirected back to the login page.

Any other suggestions?
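The per-page guard that rwwd's reply sketches and the DB-backed inactivity timeout mme mentions above, combined into one added example (not code from either poster). It compares the token in $_SESSION against the one stored for the user, expires the session when the DB-recorded last activity is older than the timeout, and otherwise slides the window forward. The users table columns, the timeout length, the login URL and the DSN are assumptions.

```php
<?php
// Added example, not code from the thread. Include at the top of every
// protected page. Hypothetical schema: users(id, session_token, last_activity);
// session_token is set at login and cleared on logout or timeout.
declare(strict_types=1);

const INACTIVITY_SECS = 600;   // assumed "x minutes" = 10

function denyAndRedirect(string $loginUrl): void
{
    // Drop the client-side session as well, then redirect before any output.
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $loginUrl, true, 303);
    exit;
}

function requireLogin(PDO $pdo, string $loginUrl = '/login.php'): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'])) {
        denyAndRedirect($loginUrl);
    }
    $userId = (int) $_SESSION['user_id'];

    $stmt = $pdo->prepare(
        'SELECT session_token, UNIX_TIMESTAMP(last_activity) AS last_activity
           FROM users WHERE id = ?'
    );
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals() compares in constant time and refuses non-string junk;
    // a NULL session_token means the session was already deactivated.
    if ($row === false
        || $row['session_token'] === null
        || !hash_equals((string) $row['session_token'], (string) $_SESSION['token'])) {
        denyAndRedirect($loginUrl);
    }

    if (time() - (int) $row['last_activity'] > INACTIVITY_SECS) {
        // Deactivate server-side so the old token cannot be replayed later.
        $pdo->prepare('UPDATE users SET session_token = NULL WHERE id = ?')
            ->execute([$userId]);
        denyAndRedirect($loginUrl);
    }

    // Still valid: record this request as the latest activity.
    $pdo->prepare('UPDATE users SET last_activity = NOW() WHERE id = ?')
        ->execute([$userId]);

    return $userId;
}

// Usage at the top of a protected page (assumed DSN and credentials):
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$currentUserId = requireLogin($pdo);
// ... page content for $currentUserId follows ...
```

Because the timeout is enforced from the DB-side last_activity value, a second login from elsewhere that overwrites session_token also invalidates the first session at its next page load, which is the same check mme describes doing against the DB value on every page.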