I've never built a login system from the ground up, so I just want to run my thought process by you guys and make sure I'm thinking about things right.
Usernames and pws are stored in a table; pws are MD5 hashed.
If a user puts in a successful un/pw combo, I insert a record into a temp table. It stores their userid, sessionid, and date modified.
On any given page, the first function I call is my check permissions function which pulls their session id to see if it exists in that table. If it does, it makes sure their permissions level is correct. If so, nothing happens. If not, then I call header("Location: http://example.com/login");
Is there any way someone could subvert this? If so, how can I make it secure? Thanks!
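The flow described in this post, written out as an added example (not the poster's code). It assumes PHP with PDO and an in-memory SQLite database; the table and column names, SESSION_TTL, and the login() and require_level() helpers are hypothetical. It uses password_hash() where the post uses MD5 and stops the script after the redirect.

```php
<?php
// Added example, not the poster's code. Table, column and function names are assumptions.
$db = new PDO('sqlite::memory:'); // constructed in-memory DB so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT, level INTEGER)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, modified INTEGER)');
// Constructed sample user. password_hash() salts and uses a slow algorithm, unlike a bare MD5.
$db->prepare('INSERT INTO users (username, pw_hash, level) VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
const SESSION_TTL = 1800; // assumed idle timeout in seconds

// Returns a fresh random session token on success, null on a bad username or password.
function login(PDO $db, string $username, string $password): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['pw_hash'])) return null;
    $token = bin2hex(random_bytes(32)); // unguessable, and only issued after a successful login
    $db->prepare('INSERT INTO sessions (token_hash, user_id, modified) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $user['id'], time()]); // table keeps only a hash of the token
    return $token;
}

// True only if the token maps to an unexpired session whose user has the required level.
function check_permissions(PDO $db, ?string $token, int $required): bool {
    if ($token === null || $token === '') return false;
    $hash = hash('sha256', $token);
    $st = $db->prepare('SELECT u.level, s.modified FROM sessions s
                        JOIN users u ON u.id = s.user_id WHERE s.token_hash = ?');
    $st->execute([$hash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || time() - (int)$row['modified'] > SESSION_TTL) return false;
    $db->prepare('UPDATE sessions SET modified = ? WHERE token_hash = ?')->execute([time(), $hash]);
    return (int)$row['level'] >= $required;
}

// Page guard: header() only queues a response header, so exit to stop the rest of the page running.
function require_level(PDO $db, ?string $token, int $required): void {
    if (!check_permissions($db, $token, $required)) {
        header('Location: http://example.com/login');
        exit;
    }
}

$token = login($db, 'alice', 'correct horse');
var_dump(check_permissions($db, $token, 1));         // valid session, sufficient level
var_dump(check_permissions($db, 'forged-value', 1)); // token that was never issued
var_dump(check_permissions($db, $token, 2));         // valid session, level too low
```

On a real page the token would come from a cookie sent with the Secure and HttpOnly flags, and require_level() would be the first call in the script.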