Hi Guys,
I'm strictly a hobbyist with PHP and MySQL development and have made a site for a bit of fun for my boss's company. It's a private site for us to store a few jobs and things. It's written completely by me, and it's written using PHP5 and MySQL.
I've done my best to make it as secure as possible, but I'm sure there are better ways of handling sessions and logging in etc...
Basically, I have a login page that displays a form asking for username and password. This submits using "post" to a PHP script that checks that against the database for a valid user.
If the number of results is 1 then it sets a session variable like so..
$_SESSION['db_is_logged_in'] = true;
This is then checked on every other page in the site. If $_SESSION['db_is_logged_in'] is found to be not true, the user is redirected back to the login page.
I have noticed on occasion that the site will just revert back to the login page. This is especially true when logging in via mobile devices.
I've had a bit of a read, and a suggested alternative is to save a cookie with a random session id variable and to have any specific session data saved to the database. Is this a better way of doing things? I'm assuming this way would be susceptible to being sniffed if I was to access the site from a public hotspot?
I would be grateful for anybody else's thoughts on security/authentication and best practices.
Thanks
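One way to harden the flow described in the post (POST login check, session flag, per-page guard), as an added example rather than the poster's own code. It assumes a current PHP (7.3+ for the array form of session_set_cookie_params), a PDO connection $pdo, and a hypothetical users table with columns id, username and password_hash (hashes created with password_hash()); the site must be served over HTTPS, which is what actually defeats sniffing on a public hotspot.

```php
<?php
// Added example, not the original poster's code.
// Assumes: PDO $pdo; table users(id, username, password_hash) -- hypothetical schema.

// Call this instead of a bare session_start() on every page.
// The session id lives only in a cookie that is sent solely over HTTPS and is
// not readable from JavaScript; strict mode rejects ids the server never issued.
function start_secure_session(): void {
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'secure'   => true,       // never sent over plain HTTP
        'httponly' => true,       // not exposed to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Login handler: verify the POSTed credentials against the stored hash, then
// bind the session to the user id rather than to a bare "is logged in" flag.
function attempt_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so the response time does
    // not reveal whether the username exists.
    $hash = $row ? $row['password_hash'] : password_hash('dummy-password', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh session id on privilege change so an id obtained before
    // login cannot be reused (session fixation), and drop the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Guard for every other page: redirect to the login page unless a user is bound.
function require_login(): void {
    if (empty($_SESSION['user_id'])) {
        session_unset();
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}
```

Each page calls start_secure_session() first and then require_login(); the login script calls start_secure_session() and then attempt_login() with the POSTed fields.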