On one of my websites, I want to add a "login" feature. This is how I was thinking about doing it:

- The user enters their username and password in the form
- The resulting PHP page tries to match that username and password to one in a MySQL database
- If that combination is not found, they are redirected back to the login page with a ?login=failed query string attached
- If that combination is good, a session is created with a random 20-character string as a value and the username as a value
- Two cookies are also created, one with the random string and one with the username
- Every page of the "my account" section will check both the 20-character string and the username cookies to make sure they match the session
- If either one doesn't match, or the session no longer exists, they are considered "logged out"

What do you guys think?
Thanks for the response, crivion. Would you recommend something else? I'm looking for the most secure, or at least the "industry standard" for login systems. Thanks!
What is the point of the username cookie? You can just store that in the session. It doesn't provide any additional security. It's possible that a browser can be coerced into sending cookies on a forged request. If your site has interactive forms, you may also want to send a token with each form and confirm that you get the same one back in the posted variables - one more layer of confirmation that you're dealing with who you think you are. Some sites will also drop the login if the IP address changes, but that can be quite annoying for users on certain proxy servers, mobile devices, etc., who may have their external IPs constantly changing.
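One way to put that reply's advice into practice, as an added PHP example that is not code from anyone in this thread: the username lives only in the session (no username cookie), each form carries a token kept server-side and compared on post, and the "my account" pages check the session rather than cookies. The `users` table columns, the PDO DSN and the page paths are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes a `users` table with
// `username` and `pw_hash` (from password_hash) columns; DSN is a placeholder.
session_start();

// Verify the posted credentials against MySQL with a prepared statement.
function checkCredentials(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Per-session CSRF token, stored server-side only (never in a cookie).
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time check of the token that came back in the posted variables.
function csrfValid(?string $posted): bool
{
    return $posted !== null && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $posted);
}

// Every "my account" page calls this instead of comparing username cookies.
function requireLogin(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
}

$db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass'); // placeholder
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) { http_response_code(403); exit('bad token'); }
    if (checkCredentials($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true);            // fresh session id once logged in
        $_SESSION['user'] = $_POST['username']; // username kept in the session only
        header('Location: /account.php'); exit;
    }
    header('Location: /login.php?login=failed'); exit;
}
$t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo "<form method=\"post\"><input type=\"hidden\" name=\"csrf\" value=\"$t\">",
     '<input name="username"><input type="password" name="password"><button>Log in</button></form>';
```

The same `csrfToken()` / `csrfValid()` pair applies to any other interactive form on the site, and `requireLogin()` replaces the cookie comparison on each account page.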