Do you see any evident vulnerability in it?
How "secure" is it in your opinion?
Let's assume that the user data (user name, md5(pass), city, etc) is already saved in the Database...
1°) form with login and password fields, as usual
a- test whether there is no empty field
b- mysql_real_escape_string both user and pass
and then:
Code:
if ($row->password_users == $a_pass){          // stored md5(pass) compared with the md5 of the submitted password
    $id_sesion = md5(uniqid(rand(), true));     // per-login session token, kept only server-side
    $id_para_cookie = md5($id_sesion);          // the browser gets the md5 of that token
    setcookie("UserSession", $id_para_cookie);
    $_SESSION['UserSession'] = $id_sesion;
    $_SESSION['Logued'] = true;
    $_SESSION['user_data'] = array( /* all the user data needed here... */ ); // *
}
* This could be read from the DB instead, so as not to make that info available through the session files on a shared server.

And when I want to see whether the current user is logged in or not:
Code:
if ($_SESSION['Logued'] != true){
    return false;
}
$id_sesion = $_SESSION['UserSession'];
// the cookie was set to md5($id_sesion), so hash the stored token and compare it with what the browser sent
$id_para_cookie = md5($id_sesion);
// if the cookie does not match the session token stored on the server...
if ($id_para_cookie != ($_COOKIE['UserSession'] ?? '')){
    return false;
}
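As an added example (not the original poster's code), here is the same login and logged-in check with the weak pieces swapped out: a prepared statement instead of mysql_real_escape_string, password_hash()/password_verify() instead of a stored md5(pass), hash_equals() instead of ==, a random_bytes() token instead of md5(uniqid()), session_regenerate_id() at login, and HttpOnly/Secure/SameSite flags on the cookie. The first function shows why == on hash strings is a problem in PHP: two md5 digests that start with "0e" followed only by digits are numeric strings and compare as 0 == 0. Everything else is an assumption: PHP 7.3+, a PDO connection in $pdo, and a users table with id, username and password_hash columns (the poster's table stores md5(pass), so it would need rehashing first).

```php
<?php
// Added example, not the forum poster's code. Assumes PHP 7.3+ (setcookie()
// options array), a PDO connection in $pdo, and a hypothetical table
// users(id, username, password_hash) holding password_hash() values.
declare(strict_types=1);

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Why "==" on hash strings is unsafe: both digests below are real md5 outputs
// that PHP treats as numeric strings ("0e..." == 0), so "==" reports a match
// while hash_equals() correctly does not.
function loose_compare_is_unsafe(): bool
{
    $a = md5('240610708'); // 0e462097431906509019562988736854
    $b = md5('QNKCDZO');   // 0e830400451993494058024219903391
    return ($a == $b) && !hash_equals($a, $b); // true
}

// Login: prepared statement, constant-time password check, fresh session id,
// random second token bound to the session and sent with cookie flags.
function login(PDO $pdo, string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false;
    }
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    // password_verify() handles the salt and compares in constant time; it
    // expects a bcrypt/argon2 hash from password_hash(), not md5(pass).
    if ($row === false || !password_verify($pass, $row->password_hash)) {
        return false;
    }

    // New session id on login so a session id planted before authentication
    // (session fixation) is not upgraded to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['logged']  = true;
    $_SESSION['user_id'] = (int) $row->id;

    // Same idea as the poster's UserSession cookie, but the token is 256 bits
    // from the CSPRNG rather than md5(uniqid(rand())).
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    setcookie('UserSession', $token, [
        'httponly' => true,  // not readable from JavaScript
        'secure'   => true,  // only sent over HTTPS
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    return true;
}

// Logged-in check: the server-side token must match the cookie exactly,
// compared in constant time. Type juggling cannot occur with hash_equals().
function is_logged_in(): bool
{
    if (empty($_SESSION['logged']) || !isset($_SESSION['token'], $_COOKIE['UserSession'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], (string) $_COOKIE['UserSession']);
}

// Storing a new password (one-time migration from md5(pass) would call this
// on the user's next successful login, once the old hash has been verified).
function store_password(PDO $pdo, int $userId, string $newPass): void
{
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($newPass, PASSWORD_DEFAULT), $userId]);
}
```

The extra cookie token adds nothing that the PHP session cookie does not already provide once session_regenerate_id() is called and the session cookie carries the same flags; it is kept here only because it mirrors the posted scheme.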