I can do login realm in PHP and the way that I do it is by setting a session variable and checking whether that session variable is set or not. On every restricted page, I check whether a certain session variable is set (or is equal to a certain value). If not, then I will send the user back to the login page. Is this the best way to do it? Is there a more secure way to do it?
This is fine and normal. At the top of the page, you have a header that starts a session and checks whether the user is authenticated. When they're not, make them log in.
A-OK and secure so long as your session IDs are unpredictable, expire quickly enough, and you are using SSL.
If someone can guess your session IDs, they can hijack another user's login.
If you are not using SSL, an attacker can steal the session ID when the client sends it to you.
If your sessions never expire, the ID can eventually be guessed.
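A concrete form of the guard this answer describes, written as an added example (not code from the question or the answers): one file included at the top of every restricted page that starts the session with hardened cookie settings, enforces an idle timeout, and bounces unauthenticated users to the login page. The file name, the `user_id` / `last_activity` session keys, the 30-minute timeout and `/login.php` are assumptions.

```php
<?php
// require_auth.php (assumed file name): guard included at the top of every
// restricted page. Added example, not the original poster's code.

declare(strict_types=1);

const SESSION_IDLE_TIMEOUT = 1800; // seconds of inactivity before a forced re-login (assumed)

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie hygiene: only sent over HTTPS, unreadable by JavaScript,
    // and not attached to cross-site top-level POST requests.
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie; the server enforces its own timeout
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_start();
}

function require_login(string $login_url = '/login.php'): void
{
    start_secure_session();

    $authenticated = isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
    $expired = isset($_SESSION['last_activity'])
        && (time() - $_SESSION['last_activity']) > SESSION_IDLE_TIMEOUT;

    if (!$authenticated || $expired) {
        // Remember the requested page so the login handler can send the user back.
        $return_to = $_SERVER['REQUEST_URI'] ?? '/';
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url . '?return_to=' . rawurlencode($return_to));
        exit;
    }

    // Slide the idle window forward on every authenticated request.
    $_SESSION['last_activity'] = time();
}

// Usage at the top of any restricted page:
// require __DIR__ . '/require_auth.php';
// require_login();
```

The `secure` flag is what ties this to the SSL point above: without HTTPS the cookie would be sent in clear text on every request, and `use_strict_mode` prevents an attacker from pre-setting a session ID of their choosing. Whatever reads `return_to` on the login page must accept only same-site relative paths, otherwise the redirect becomes an open redirect.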
I asked a similar question on SO before, and here are the answers from the security guys.
To put it short, you should think about other things like SSL and password hashing, etc...
Hope this helps :)
There's a lot to think about when you're setting up a login system. Here are some questions you want to answer:
- Security: You need to encrypt passwords everywhere they are stored (cookies, database, sessions, etc.). How will you do that?
- Will users be able to post login to every page? Or will there be a centralized account page?
- Is there a remember me feature?
- How will users logout?
- Do you have activation at your site? How will it work? How will you deal with various scenarios such as unactivated users trying to login?
- Will you have login/form redirection? I.e., if a user goes to a page without logging in will you send them there after they login? What if they try to send a form? Will you resend the form?
You have the basic idea right, but the way you structure everything depends on those and other questions.
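To make the password-storage, logout and post-login redirection questions in this answer concrete, here is an added example (not code from the answer or the question) of a login handler that verifies a `password_hash()`-stored password, regenerates the session ID on successful login, validates the redirect target, and offers a logout routine. The `users` table columns, the SQLite DSN, the `return_to` parameter and `find_user_by_email()` are all assumptions; the hardened cookie flags are assumed to be configured in `php.ini` or by the include guard used on restricted pages.

```php
<?php
// login.php (assumed file name). Added example, not from the original answers.
// Stored passwords are created at registration with:
//   password_hash($plain, PASSWORD_DEFAULT)
// so the plaintext is never stored anywhere.

declare(strict_types=1);

/** Look up a user row; assumed table `users(id, email, password_hash)`. */
function find_user_by_email(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Accept only same-site relative paths as a post-login destination (no open redirect). */
function safe_return_to(?string $candidate): string
{
    if ($candidate === null || $candidate === '' || $candidate[0] !== '/') {
        return '/';
    }
    // "//host" and "/\host" are interpreted as protocol-relative URLs by browsers.
    if (substr($candidate, 0, 2) === '//' || strpos($candidate, '\\') !== false) {
        return '/';
    }
    return $candidate;
}

function attempt_login(PDO $db, string $email, string $password): bool
{
    $user = find_user_by_email($db, $email);

    // Verify against a throwaway hash when the account does not exist so the
    // response time does not reveal which e-mail addresses are registered.
    $stored = $user['password_hash'] ?? password_hash('unused', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored) || $user === null) {
        return false;
    }

    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user['id']]);
    }

    // A fresh session ID on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

/** Logout: clear server-side state and expire the client's session cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request handling: POST with email, password and an optional return_to field.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('sqlite:' . __DIR__ . '/app.db'); // placeholder DSN
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (attempt_login($db, $email, $password)) {
        header('Location: ' . safe_return_to($_POST['return_to'] ?? null));
        exit;
    }
    http_response_code(401);
    echo 'Invalid e-mail or password.'; // same message for both failure cases
}
```

The form that posts here should also carry a CSRF token and the endpoint should be rate-limited; both are left out to keep the example focused on the questions raised in the answer. Resending a form the user submitted before logging in is deliberately not automated: the safer pattern is to redirect to the page and let the user resubmit.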