Phil (flameswithin) wrote in php_dev,
Phil
flameswithin
php_dev

  • Mood:
  • Music:

Security in websites, part deux....

alright, so, i finally got around to designing my 'security system' for my family's website. here's how it'll work:
  1. user enters their username and password into an html form. a javascript function will confirm that both are between 6 and 16 characters long
  2. if they, are, they'll be passed to login.php which will double check the lenghts of the two strings, and then confirm that neither one contains anything but letters and numbers. if they don't pass muster, the user gets rerouted to the html login form.
  3. if the above two criteria evaluate to true, then a SQL query will run to see if there's a matching username and password row in a database.
  4. IF SO, the script calls session_start() and $_SESSION['UsrIsLogdIn']=true;. the script then redirects them to the rest of the site.

now, each page on the rest of the site will do a check like this:
if ($_SESSION['UsrIsLogdIn']!==true) {
     header("Location:index.php");
     exit();
}


do you all think that this is good security? do you see any problems, loopholes, other ways in or ways to emulate the session variable being set to true? is there anything else i should add or make the pages check for?

thanks for your help :)

[Edit: oh, and what do you think is the best way to handle the user logging out? just setting $_SESSION['UsrIsLogdIn'] to false?]
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your IP address will be recorded 

  • 1 comment