I am working on a PHP/MySQL discussion board project recently. One thing that concerns me is the user authentication security.
Currently my login script is purely cookie-based: it simply retrieves the username from the cookie file, which I think is insecure, right? And also for sessions, since they can be overwritten by someone on the same host (e.g. if the script is running in a shared hosting environment), they're insecure too. Maybe a combination of cookie/session/database would do the trick? But how?
If you happen to know any good resources/links or even better, ideas, please let me know. =)
Thanks in advance!
P.S. FYI, the project needs to be PHP 4 compatible.
Similar setups that I have used in the past use a session ID, stored in a cookie and in a database, along with the IP address and last access time. So if the session ID is not in the database, the IP addresses do not match, or they haven't accessed a page within X minutes, then they are logged out. The IP address thing can create issues with AOL users/proxy users, but this wasn't an issue for me. Depends on your target audience though.
Chad
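The scheme Chad outlines, written out as an added example (this is not code from either poster, and it is not PHP 4 compatible as written): the browser only ever holds an opaque random session ID in a cookie, the database row for that ID carries the user, the client IP and the last access time, and every page load applies the three checks he lists. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table layout, the cookie name, the timeout and the sample IPs are all assumptions for the example. On PHP 4 the same queries would go through mysql_query() and the ID would need a different random source, neither of which is shown here.

```php
<?php
// Added example, not from the thread: cookie + database session validation.
// Assumptions: a `sessions` table with the columns below, a cookie called
// `board_sid`, a 15-minute inactivity timeout. PDO and random_bytes() are
// modern PHP; they stand in for the mysql_* calls a PHP 4 board would use.

define('SESSION_TIMEOUT', 15 * 60);   // X minutes of inactivity -> logged out
define('SESSION_COOKIE', 'board_sid');

function open_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        sid         TEXT PRIMARY KEY,
        user_id     INTEGER NOT NULL,
        ip          TEXT NOT NULL,
        last_access INTEGER NOT NULL)');
    return $db;
}

// Called after the password check has succeeded: mint a random session ID,
// store it with the client's IP and the current time, hand the ID to the
// browser. The cookie carries only this opaque ID, never the username.
function start_session($db, $user_id, $ip, $now) {
    $sid = bin2hex(random_bytes(16));     // 128 random bits, not guessable
    $st = $db->prepare('INSERT INTO sessions (sid, user_id, ip, last_access)
                        VALUES (?, ?, ?, ?)');
    $st->execute(array($sid, $user_id, $ip, $now));
    if (PHP_SAPI !== 'cli') {
        // path "/", no domain restriction, not Secure-only, HttpOnly set so
        // script on the page cannot read the ID out of document.cookie
        setcookie(SESSION_COOKIE, $sid, 0, '/', '', false, true);
    }
    return $sid;
}

// Called on every page: returns the user ID, or null when the visitor must
// log in again. All three checks from the post are applied: the ID exists
// in the table, the IP matches, and the last access is within the timeout.
// A successful check refreshes last_access, giving a sliding window.
function check_session($db, $sid, $ip, $now) {
    if (!is_string($sid) || !preg_match('/^[0-9a-f]{32}$/', $sid)) {
        return null;                       // malformed cookie value, do not query
    }
    $st = $db->prepare('SELECT user_id, ip, last_access FROM sessions WHERE sid = ?');
    $st->execute(array($sid));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;                       // unknown or already logged-out ID
    }
    if ($row['ip'] !== $ip || $now - (int)$row['last_access'] > SESSION_TIMEOUT) {
        end_session($db, $sid);            // stale or possibly hijacked: drop the row
        return null;
    }
    $st = $db->prepare('UPDATE sessions SET last_access = ? WHERE sid = ?');
    $st->execute(array($now, $sid));
    return (int)$row['user_id'];
}

// Logout, or forced logout on a failed check: delete the server-side row so
// the cookie value becomes worthless even if it is still held somewhere.
function end_session($db, $sid) {
    $st = $db->prepare('DELETE FROM sessions WHERE sid = ?');
    $st->execute(array($sid));
}

// Walk-through with constructed values (documentation-range IPs, made-up user).
$db  = open_db();
$t0  = 1000000;
$sid = start_session($db, 42, '198.51.100.7', $t0);
var_dump(check_session($db, $sid, '198.51.100.7', $t0 + 60));                  // same IP, one minute later
var_dump(check_session($db, $sid, '203.0.113.9', $t0 + 120));                  // different IP
$sid = start_session($db, 42, '198.51.100.7', $t0);
var_dump(check_session($db, $sid, '198.51.100.7', $t0 + SESSION_TIMEOUT + 1)); // idle past the timeout
var_dump(check_session($db, 'deadbeef', '198.51.100.7', $t0));                 // malformed cookie value
```

In a real page the `$sid` argument comes from `$_COOKIE[SESSION_COOKIE]`, `$ip` from `$_SERVER['REMOTE_ADDR']` and `$now` from `time()`; keeping them as parameters is what makes the logic testable offline. Of the four calls in the walk-through only the first returns the user ID; the other three come back null, and the IP-mismatch and timeout cases also delete the row, so a later retry with the same ID is rejected as unknown rather than re-evaluated. The IP comparison is the part Chad flags for proxy and AOL users: if that matters for the audience, the check can be loosened (compare only the network prefix, or drop it) without touching the rest.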