Login security and session handling in PHP

Status
Not open for further replies.

mhitland

Hello. Hope some of you can give me some advice. I'm a starter in PHP, and trying to learn a bit about security. (I've got PHP running as an Apache module and a MySQL server.)
What I'm wondering about is how I should construct the login function to prevent someone from stealing user IDs and passwords on logon, protecting a session and so on...
I have created a simple form that submits the username and password as POST-data, and a way to destroy the session on logout, but when I navigate back in the browser, the id and password are sent once again as POST-data and the user gets logged in again. Should I do this some other way?
 
You should read a little about basic authentication with Apache using .htaccess files.
You can also build a login system that is database based and keeps track of the IP in combination with the user. That works for 99% of all users; just people behind proxy servers (like AOL) would have to reauthenticate when their proxy server changes.

You can take care of most re-submitting pages with post data by having a timestamp hidden field somewhere and keeping track of that, comparing it to the current time. Older submissions are redirected to re-authentication. Also, make pages expire.
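
The timestamp hidden field from the reply above, as an added example that is not code from any poster in this thread. It goes one step beyond the reply by signing the timestamp with a server-side key and discarding that key on first use, so a form resent with the Back button is rejected even inside the time window; the function names, the `stamp_key` session entry and the 300-second limit are assumptions.

```php
<?php
// Added example; all names and the 300 s limit are assumptions, not from the thread.
const STAMP_MAX_AGE = 300; // seconds a rendered login form stays valid

// Called when rendering the form: returns the value for the hidden field.
function issue_stamp(array &$session, int $now): string
{
    // Fresh per-form key kept server-side, so the client cannot mint its own stamp.
    $session['stamp_key'] = random_bytes(32);
    return $now . ':' . hash_hmac('sha256', (string) $now, $session['stamp_key']);
}

// Called on POST: true only for an untampered, recent, not-yet-used stamp.
function consume_stamp(array &$session, string $stamp, int $now): bool
{
    $key = $session['stamp_key'] ?? null;
    unset($session['stamp_key']);          // single use: a resent POST finds no key
    $parts = explode(':', $stamp, 2);
    if (!is_string($key) || count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$ts, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $ts, $key), $mac)) {
        return false;                      // timestamp was altered in transit
    }
    $age = $now - (int) $ts;
    return $age >= 0 && $age <= STAMP_MAX_AGE;
}

// "Make pages expire": keep the browser from caching the form or the result page.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Constructed demo; a plain array stands in for $_SESSION and $t0 is a made-up time.
$session = [];
$t0 = 1700000000;
$stamp = issue_stamp($session, $t0);
var_dump(consume_stamp($session, $stamp, $t0 + 20));  // first submission
var_dump(consume_stamp($session, $stamp, $t0 + 25));  // same POST resent via Back
$old = issue_stamp($session, $t0);
var_dump(consume_stamp($session, $old, $t0 + 301));   // form older than STAMP_MAX_AGE
```

In a real handler, pass `$_SESSION`, the posted hidden field and `time()`, and redirect to the login form whenever `consume_stamp()` returns false, before looking at the submitted credentials.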
 
Thanks!

I'll do some reading :-)
 
mhitland,

Check out www.hotscripts.com for tutorials and scripts to do what you want. Research several options. Some are better than others. Finally, once you have a good idea of what you want to do, build it.

The tips & tutorials for user authentication can be found here:
Good luck,
-Ron

-We are all given the same deck of cards, it's how we play the hand we are dealt which makes us who we are.
 