Making User Login System Secure with $

I am hoping that someone can help me out here, I am creating a PHP web app that requires a user to login to view their data in the mysql database.

I just want to know if this is a good approach and is it secure enough? I know that nothing is secure in PHP scripting but I need this fairly secure.

So here is what I am doing step by step, if you could point me in the right direction and tell me what is wrong that would be great!

  • User logs in with user and password.
  • PHP checks user and password against the database.
  • If OK, I store $_SESSION["username"] (their username) in the session.

  • On every request/page load I have a function (below) to check the session.

    function check_session_valid() {
        // Redirect to the login page when no username is stored in the session.
        if (!isset($_SESSION['username']) || $_SESSION['username'] == "") {
            header("Location: /login.php");
            exit; // stop here, otherwise the protected page is still sent after the redirect header
        }
    }

  • Now is this safe or am I doing this all completely wrong?

    Here is what I am thinking that the user could do to "hack" the app:

    On the registration page, when the user enters their username it will let them know if the username is available.

    So could the "hacker" not just find a username that is not available and then write a PHP script to set the $_SESSION["username"] in their browser? Then navigate to the .index.php page and be logged into some other user's account?

    I am also using "session_start();" before I "check_session_valid();" on every request, is that wrong?

    Hope some of you PHP experts out there can help me out here!

    Thanks


    I have read your post. What you said, that "nothing is secure in PHP scripting", really shocked me. Let me try to answer your question.

    You asked: if a hacker creates a cookie in the browser, can they hack my session? My answer is no. Let's learn how sessions actually work.

    First, when you start a session it will create a file on your server with a random file name and a random serial number (session_id), and this id will be stored in your browser.

    Second, when you add/edit values in your session using $_SESSION, the file is changed based on the session_id obtained from your browser cookie. You can say the session id works as a reference between your browser and your server session file.

    So there is no possibility of hacking the session if you do not provide the hacker with the session_id that remains as a cookie.
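    As an added example (not the poster's or the answerer's code), here is the login flow from the question written on top of the server-side session the answer describes: the browser only ever holds the session id, so that id is regenerated after a successful login and sent as an HttpOnly, Secure cookie, and the per-page check exits after the redirect header. The $pdo connection and the users table with columns id, username and password_hash are assumptions, not from the page.

```php
<?php
// Added example, not the poster's code. Assumes a PDO connection in $pdo and a
// `users` table with columns id, username, password_hash (assumption, not from
// the page). Passwords are stored as password_hash() digests.

declare(strict_types=1);

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The cookie carrying the session id is HttpOnly (not readable by page
    // scripts), Secure (sent over HTTPS only) and SameSite=Lax. Everything in
    // $_SESSION stays in the server-side session file; only the id travels.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool {
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A fresh id after login means a session id that existed before login
    // (for example one planted by someone else) no longer maps to this account.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function check_session_valid(): void {
    // Call start_secure_session() first on every protected page.
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // without exit the protected page is still sent after the header
    }
}
```

    Because the browser never receives $_SESSION contents, setting $_SESSION in a script that runs on the attacker's own machine only changes that machine's session file, not the one on your server.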
