I am creating a script that others will post on their sites. It is intended for people with limited PHP knowledge, so all they need to do is include() the script and set some configuration variables. This means that headers have probably already been sent, so using sessions may not work. I recommend that they call session_start() in their own scripts, but I also want a backup option.
I already have a hidden input for processing forms, but I also need links to add a query string to their URI to identify the session. But if the hash is based only on password + salt, there is a security risk: a logged-in user can click an external link, and the owner of the external site can see the URI with the hash in their referrer logs. All they need to do is use this hash and they will be logged in.
So I want to salt the hash based on time, limiting the session to 10 minutes. I can't figure out how to do this. Of course, I can use time() to salt it, but how do I check how old a session is based only on a hash?
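The usual way to get a time-limited token that can be checked "based only on the hash" is not to hide the time inside the hash but to ship the expiry alongside it and authenticate both with an HMAC: the verifier reads the expiry back, recomputes the MAC with the site's secret, and rejects anything that was altered or is past its window. The following is an added example, not code from the question; it assumes a per-site secret string (`$secret`) set in the site's configuration and a string identifying the logged-in account (`$user`), both hypothetical names.

```php
<?php
// Added example, not the asker's code. Assumes a per-site secret ($secret)
// that the site owner sets in the configuration, and a string identifying
// the logged-in account ($user); both names are hypothetical.

const TOKEN_LIFETIME = 600; // the 10-minute window from the question

// Build a URL-safe token that carries its own expiry time. The expiry is
// covered by the HMAC, so it can be read back later but not altered.
function make_token(string $secret, string $user, int $now): string
{
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('user must not contain "|"');
    }
    $expires = $now + TOKEN_LIFETIME;
    $payload = $user . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    // base64url so the token survives a query string without escaping
    return rtrim(strtr(base64_encode($payload . '|' . $mac), '+/', '-_'), '=');
}

// Return the user if the token is intact and still inside its window, null otherwise.
function verify_token(string $secret, string $token, int $now): ?string
{
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $secret);
    // hash_equals is a constant-time comparison; a plain == would leak timing.
    if (!hash_equals($expected, $mac)) {
        return null; // forged, or made with a different secret
    }
    if ((int) $expires < $now) {
        return null; // expired: a link copied from a referrer log is useless after the window
    }
    return $user;
}

// Usage with constructed values.
$secret = 'a-long-random-string-from-the-site-config';
$token  = make_token($secret, 'alice', time());

var_dump(verify_token($secret, $token, time()));           // fresh token, same secret
var_dump(verify_token($secret, $token, time() + 601));     // checked after the window has passed
var_dump(verify_token('another-secret', $token, time()));  // token made for a different site
```

Two points worth keeping in mind with this design. First, the token no longer depends on the user's password at all, so a leaked link reveals nothing about the password and stops working on its own once the expiry passes. Second, the 10-minute window only shortens the exposure the question describes: a link that lands in a referrer log is still valid for the remainder of that window, so serving the site over HTTPS and issuing a fresh token on each response (rather than reusing one for the full 10 minutes) reduce how much a single leaked URL is worth.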