After completing the coding of the admin area of my website, it's time to implement a *secure* login to be able to access it.
This is my first real attempt at using sessions and cookies, and while I understand what they are and how they differ from each other, I'm wondering if there is a best practice for setting up something like that.
It is a single-user login (for now at least) and I'd like to be logged out after x minutes of inactivity.
First of all, the database...
Username
Password (md5 encrypted)
IsLoggedIn (flag denoting whether or not I am logged in - is this needed? Personally I think I could bin this)
Am I missing any useful fields?
Next, the authentication...
Verifying the username and password is straightforward enough (comparing the md5 encrypted form of the input password against the value stored in the database before proceeding).
This is where I become unsure: do I now create a session before redirecting the user to the index page of the admin area, or after (1st line of index.php, for example)?
From here I'd register the isLoggedIn variable with the session in order to check if the user is still logged in before displaying each page within the admin area - seems logical enough to me.
The real problem is the logout after x minutes of inactivity.
Sessions aren't destroyed until you destroy them yourself, so for this feature would cookies be the best way to handle it? Maybe having the session check for the existence of a cookie which says you are logged in; if it is not found then your session has expired and you are returned to the login screen, and if it is found the timer on the cookie is reset. Again, any pointers here would be much appreciated, just in case I have misunderstood their use.
Thanks for any help
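The following is an added example written for this thread; it is not code from the original post or from the tutorial linked in the reply. It answers the two open questions above (when to create the session, and how to expire it after x minutes of inactivity) with a server-side approach: the session is created only after the credentials check succeeds, every admin page calls `require_login()` as its first line, and a `last_activity` timestamp stored in `$_SESSION` is compared against an idle limit on each request, so no separate "logged in" cookie and no IsLoggedIn column are needed. It uses `password_hash()`/`password_verify()` rather than md5. Assumptions (all hypothetical): PHP 7.3 or later, a PDO connection in `$pdo`, a `users` table with `username` and `password_hash` columns, and the admin area living under `/admin/`.

```php
<?php
// auth.php - added example, not from the original post. Assumes PHP 7.3+,
// a PDO connection $pdo and a hypothetical users(username, password_hash) table.
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60; // "x minutes" of inactivity, in seconds

// Call this at the top of every admin page, before any output.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,                        // browser-session cookie; idle timeout is enforced server-side
        'path'     => '/admin/',                // hypothetical admin path
        'secure'   => !empty($_SERVER['HTTPS']), // only send over HTTPS when the site is served over HTTPS
        'httponly' => true,                     // keep the session id away from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
    session_start();
}

// Verify the credentials; create the logged-in session only on success.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_hash() values are salted and slow to brute-force; md5 is neither.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Rotate the session id at the privilege change so an id an attacker
    // handed the browser before login (session fixation) is not kept.
    session_regenerate_id(true);
    $_SESSION['user']          = $username;
    $_SESSION['last_activity'] = time();
    return true;
}

// First line of every protected page: the logged-in state is simply the
// presence of 'user' in the session, and the idle timer is checked here.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        logout();
        header('Location: /admin/login.php');
        exit;
    }
    if (time() - (int) $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();                               // expired: drop the session entirely
        header('Location: /admin/login.php?expired=1');
        exit;
    }
    $_SESSION['last_activity'] = time();        // activity seen: reset the idle timer
}

// Clear server-side state and the client's cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (hypothetical pages):
//   login.php: start_secure_session(); if (login($pdo, $_POST['u'], $_POST['p'])) { header('Location: /admin/index.php'); exit; }
//   index.php: start_secure_session(); require_login();  // then render the page
```

The timeout is decided from the server's own `last_activity` value, not from anything the browser sends back, so a client cannot extend its own session by editing a cookie. A cookie's expiry only tells the browser when to stop sending it; the server should still keep the authoritative timer. PHP's own `session.gc_maxlifetime` garbage collection runs on a probabilistic schedule and is not a substitute for the explicit check in `require_login()`. To store a password for the single admin user, insert the output of `password_hash($plain, PASSWORD_DEFAULT)` into `password_hash` once, and rehash if `password_needs_rehash()` reports the stored hash is outdated.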
secure login - pointers
nickvd (DevNet Resident, joined Thu Mar 10, 2005) wrote:
May I direct your attention to the following tutorial by Maugrim_The_Reaper: viewtopic.php?t=38810