secure login - pointers

Posted: Tue Oct 31, 2006 11:21 am
by sh33p1985
After completing the coding of the admin area of my website, it's time to implement a *secure* login to be able to access it.

This is my first real attempt at using sessions and cookies, and while I understand what they are and how they differ from each other, I'm wondering if there is a best practice for setting up something like that.

It is a single-user login (for now at least) and I'd like to be logged out after x minutes of inactivity.

First of all, the database...

Username
Password (md5 encrypted)
IsLoggedIn (flag denoting whether or not I am logged in - is this needed? Personally I think I could bin this)

Am I missing any useful fields?

Next, the authentication...

Verifying the username and password is straightforward enough (comparing the md5 encrypted form of the input password against the value stored in the database before proceeding).

This is where I become unsure: do I now create a session before redirecting the user to the index page of the admin area, or after (1st line of index.php, for example)?

From here I'd register the isLoggedIn variable with the session in order to check if the user is still logged in before displaying each page within the admin area - seems logical enough to me.

The real problem is the logout after x minutes of inactivity.

Sessions aren't destroyed until you destroy them yourself, so for this feature would cookies be the best way to handle it? Maybe having the session check for the existence of a cookie which says you are logged in; if it is not found then your session has expired and you are returned to the login screen, and if it is found the timer on the cookie is reset. Again, any pointers here would be much appreciated, just in case I have misunderstood their use.

Thanks for any help
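The flow sketched in the post above (check credentials, create the session, guard every admin page, force a logout after x minutes of inactivity), as an added example that is not the poster's code or the linked tutorial's. It assumes PHP 7.3 or later, a PDO connection in `$pdo`, and a `users` table with `username` and `password_hash` columns (all assumptions, not from the thread). It stores a bcrypt hash via `password_hash()`/`password_verify()` in place of the md5 comparison the post describes, and it keeps the "last activity" timestamp inside the server-side session rather than in a separate cookie: PHP's session is itself carried by a cookie, so a second cookie adds nothing the client could not forge, while the timestamp in `$_SESSION` cannot be touched by the browser.

```php
<?php
// auth.php - added example, not code from the original thread.
// Assumptions: PHP >= 7.3, a PDO handle in $pdo, and a `users` table with
// `username` and `password_hash` columns (hash created with password_hash()).

const IDLE_TIMEOUT = 15 * 60; // the poster's "x minutes" of inactivity, in seconds

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Session cookie: not readable by JavaScript, only sent over HTTPS,
    // not sent on cross-site requests. The idle timeout is enforced server-side,
    // so the cookie lifetime can stay "until the browser closes".
    session_set_cookie_params([
        'lifetime' => 0,
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Check the submitted credentials. On success the session is created here,
// i.e. before the redirect, because the session cookie has to travel with
// the redirect response for index.php to see it.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() does a constant-time comparison against the stored
    // bcrypt hash; this replaces the md5() comparison described in the post.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    start_secure_session();
    session_regenerate_id(true);          // fresh id after login: defeats session fixation
    $_SESSION['user']          = $username;
    $_SESSION['last_activity'] = time();  // replaces the IsLoggedIn column in the database
    return true;
}

// Call this as the first line of every admin page. A missing session, or one
// idle for longer than IDLE_TIMEOUT, is destroyed and the user sent to login.
function require_login(): void
{
    start_secure_session();
    $idle = time() - ($_SESSION['last_activity'] ?? 0);
    if (empty($_SESSION['user']) || $idle > IDLE_TIMEOUT) {
        logout();
        header('Location: /admin/login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();  // "reset the timer" on every request
}

// Clear the session data, expire the session cookie, and destroy the server-side record.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Usage: the login form handler calls `login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')` and, on `true`, issues `header('Location: /admin/index.php'); exit;`; every page under the admin area starts with `require 'auth.php'; require_login();`. When the single user row is created, store `password_hash($plaintext, PASSWORD_DEFAULT)` rather than `md5($plaintext)`; md5 is fast and unsalted, so a leaked table can be cracked offline very quickly.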

Posted: Tue Oct 31, 2006 12:35 pm
by nickvd
May I direct your attention to the following tutorial by Maugrim_The_Reaper: viewtopic.php?t=38810

Posted: Tue Oct 31, 2006 12:50 pm
by sh33p1985
Thanks. Are there any good tutorials on sessions and cookies to get me more involved in them? The ones I managed to find basically covered the bare minimum of functionality and weren't really that useful.