Account Login Review
Posted: Thu Mar 19, 2009 2:54 am
I'm a coder new to the realm of websites. I'm working on a personal website and was hoping I could ask the pros here if my understanding of a "secure" login process is decent. I hope you don't mind that I'll be using a combination of pseudocode and PHP.
login.php
Login form has two fields (username/password), as well as a captcha
[/login.php?do=login]
Code:
session_start();
// $salt is assumed to be defined elsewhere (a site-wide secret string)
$pass = mysql_real_escape_string($_POST['password']);
$pass = sha1( trim($pass) . trim($salt) );
$user = trim(mysql_real_escape_string($_POST['username']));
$sql = "SELECT * FROM users WHERE `username` = '$user' AND `password` = '$pass' LIMIT 1";
$result = $db->getrow($sql); // $db is the poster's own database wrapper
if ( $result ) {
    session_regenerate_id();
    // Bind the session to the client's user agent and IP address
    $_SESSION['client_hash'] = sha1( $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] );
    //Create session variables
} else {
    session_destroy();
}
Now, on every page that requires a user account to access, make sure that:
- $_SESSION['client_hash'] = sha1( $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] )
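For comparison, here is an added example (my own code, not the poster's) of the same login flow and per-page check written with a prepared statement and PHP's password_hash()/password_verify() API instead of escaped strings and salted SHA-1. It assumes PHP 7.1 or later, a PDO connection in $pdo, and a `users` table with `id`, `username` and `password_hash` columns (all of these names are assumptions).

```php
<?php
// Added example (not the poster's code): login with a prepared statement
// and password_hash(). Assumes a PDO connection $pdo and a `users` table
// with columns `id`, `username`, `password_hash` (constructed names).

function client_hash(): string {
    // Same binding idea as the post: user agent + remote address.
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' . ($_SERVER['REMOTE_ADDR'] ?? ''));
}

function attempt_login(PDO $pdo, string $username, string $password): bool {
    // Parameterised query: no manual escaping and no SQL string building.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a freshly made dummy hash when the user does not exist,
    // so response time does not reveal whether the username is valid.
    $stored = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $stored)) {
        return false;
    }
    // Fresh session id on privilege change (true = discard the old session data).
    session_regenerate_id(true);
    $_SESSION['user_id']     = (int) $row['id'];
    $_SESSION['client_hash'] = client_hash();
    // Transparent upgrade if the stored hash uses an older cost or algorithm.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

function require_login(): void {
    // Per-page check: logged in, and session still bound to the same client.
    if (empty($_SESSION['user_id'])
        || !hash_equals($_SESSION['client_hash'] ?? '', client_hash())) {
        session_unset();
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}

session_start();
if (($_GET['do'] ?? '') === 'login') {
    $ok = attempt_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
}
```

Binding the session to REMOTE_ADDR will log out users whose address changes mid-session (mobile networks, some proxies), so many sites bind only to the user agent or rely on short session lifetimes instead.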