Sessions Security
Posted: Thu Mar 16, 2006 12:52 pm
I currently use sessions for users logging on to a client's web site. I know that the method I use is not secure. I was wondering how I could make the login.php script more secure (md5, different session settings, naming the session), the somepage.php script more secure, and whether the logout.php script is adequate. I really don't think I need to save the session_id(), because all I am using the session for is to gain access; after they log out I don't want anything saved as far as sessions go. I want them all erased on logout, even the session_id, if possible. The code I currently use is listed below:
login.php
somepage.php
logout.php
P.S. Sorry about the duplicate options on the poll; when I came back in to edit them, they were not available for edit.
feyd | I've rebuilt your poll.
login.php
<?php
include("connect.php");
// Normalise the submitted credentials; lowercasing the password also shrinks its keyspace.
$username = strtolower(trim($_POST["username"]));
$password = strtolower(trim($_POST["password"]));
// The untrusted values are interpolated straight into the SQL string, and the
// password is compared in plaintext against the stored column.
$result = mysql_query("SELECT * FROM users WHERE username='$username' && password='$password'");
$row = mysql_fetch_array($result);
if(empty($_POST["username"])) {
    header("Location: index.php");
    exit;
} elseif(empty($_POST["password"])) {
    header("Location: index.php");
    exit;
} elseif($username == $row["username"] && $password == $row["password"]) {
    $result = mysql_query("SELECT username,user_code,account_type FROM users WHERE username='$username'");
    $row = mysql_fetch_array($result);
    session_start();
    $_SESSION["user"] = $row["username"];
    $_SESSION["user_code"] = $row["user_code"];
    $_SESSION["account_type"] = $row["account_type"];
    header("Location: index.php");
    exit;
} else {
    header("Location: index.php");
    exit;
}
?>
somepage.php
<?php
session_start();
// Access is decided solely by the account_type value stored in the session at login.
if($_SESSION["account_type"] !== "Customer") {
    // Do not allow access; exit so the rest of the page is not sent after the redirect header
    header("Location: logout.php");
    exit;
}
if($_SESSION["account_type"] == "Customer") {
    // Allow access
}
?>
logout.php
<?php
session_start();
session_unset();        // drop all session variables
$_SESSION = array();    // same effect as session_unset(); harmless to keep both
session_destroy();      // deletes the server-side session data only; the browser still holds the session cookie
header("Location: index.php");
exit;
?>
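A hardened version of the three scripts, added here as an example and not code from the original post or the forum's reply. It assumes PHP 7.3 or later, a PDO connection in $pdo, and that the users.password column stores password_hash() output; the session name CLIENTSESSID is a placeholder.

```php
<?php
// Added example: hardened replacement for the login/somepage/logout flow in the post.
// Assumptions (not from the post): PHP 7.3+, a PDO connection in $pdo, and a `users`
// table whose `password` column stores password_hash() output.
function secure_session_start(): void {
    session_name('CLIENTSESSID');      // site-specific name instead of the default PHPSESSID
    session_set_cookie_params([
        'lifetime' => 0,               // cookie expires when the browser closes
        'path'     => '/',
        'secure'   => true,            // only sent over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}
// login.php: prepared statement plus password_verify() instead of string-built SQL
// and a plaintext compare. Call secure_session_start() before this.
function login(PDO $pdo, string $username, string $password): bool {
    $username = strtolower(trim($username));
    if ($username === '' || $password === '') {
        return false;
    }
    $stmt = $pdo->prepare('SELECT username, user_code, account_type, password FROM users WHERE username = ?');
    $stmt->execute([$username]);       // bound parameter: the input never becomes SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                  // same result for unknown user and wrong password
    }
    session_regenerate_id(true);       // fresh id after login, so a pre-login id cannot be reused
    $_SESSION['user']         = $row['username'];
    $_SESSION['user_code']    = $row['user_code'];
    $_SESSION['account_type'] = $row['account_type'];
    return true;
}
// somepage.php: check the account type stored at login and stop after redirecting.
function require_customer(): void {
    if (($_SESSION['account_type'] ?? null) !== 'Customer') {
        header('Location: logout.php');
        exit;                          // header() alone does not stop the script
    }
}
// logout.php: clear the data, expire the cookie and destroy the server-side record,
// so the session id is gone from the browser as well as from the server.
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Storing hashes means the lookup is by username only and the hash check happens in PHP, so the submitted password never reaches the database query.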