I created a login system using PHP sessions.
Here is how it works:
1.) When the user logs in (with valid login information), their information (username and password) is stored in the session, along with several other bits of information, including the expire time. This is just 5 minutes added to the current time (so if the user logs in at 22:30, the expire time will be 22:35).
2.) On each page view by a logged-in user, the session is checked to see whether it exists. If it does not, the user is redirected to the login page. If the session does exist, the expire time is checked and compared with the current time. If the expire time is greater than the current time (the user has been inactive for 5+ minutes), then their user data in the session is checked against the data in the database and the expire time in the session is updated; but if the expire time is less than the current time, no details are checked, the expire time in the session is updated and the user is allowed to continue. I have done this to avoid a database query on every request, to save bandwidth.
So, once the user has logged in successfully, their username and password are not checked against the database again until they have been inactive (stayed on the same page) for 5+ minutes, or until they log out.
Forgot to mention something, guys: the expiration session key is actually called expire_time_<unique characters> ( $_SESSION['expire_time_'.$unique_nu] ), which means that an evil person would also have to find $unique_nu when faking the session ...
I just have the feeling that it is not very safe.
In addition, the project is open source (people can see the source code), so the risk is even higher ...
Can you guys give me some feedback?
Thanks
user849137
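To make the concerns concrete, here is an added example of the hardened shape of the scheme described in the question. It is not the poster's code and not from their project: it assumes a hypothetical `find_user()` lookup over a constructed in-memory `$USERS` array standing in for the database, and the timeout constants are arbitrary. Two points it illustrates: the session never holds the password (only the user id and two timestamps), so there is nothing to re-verify every 5 minutes and nothing to leak if the session store is read; and the session id is regenerated on login, because the name of a `$_SESSION` key is irrelevant to an attacker, who needs the session cookie, not knowledge of the server-side key names.

```php
<?php
// Added example, not the original poster's code. find_user() and $USERS are
// constructed stand-ins for a real database lookup; timeouts are arbitrary.
declare(strict_types=1);

const IDLE_TIMEOUT     = 5 * 60;   // discard the session after 5 minutes without a request
const ABSOLUTE_TIMEOUT = 8 * 3600; // and unconditionally 8 hours after login

// Constructed sample data: only password_hash() output is stored, never the password.
$USERS = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];
// Real hash used for unknown usernames so a failed login takes the same time either way.
$DUMMY_HASH = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function find_user(string $username): ?array
{
    global $USERS;
    return $USERS[$username] ?? null;
}

function login(string $username, string $password): bool
{
    global $DUMMY_HASH;
    $user = find_user($username);
    $ok   = password_verify($password, $user['hash'] ?? $DUMMY_HASH);
    if ($user === null || !$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new id on privilege change: defeats session fixation
    }
    $_SESSION = [
        'user_id'       => $user['id'], // never the password, never the hash
        'logged_in_at'  => time(),
        'last_activity' => time(),
    ];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Returns the logged-in user's id, or null (and clears the session) when it has expired.
function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['logged_in_at'], $_SESSION['last_activity'])) {
        return null;
    }
    $now = time();
    if ($now - $_SESSION['last_activity'] > IDLE_TIMEOUT
        || $now - $_SESSION['logged_in_at'] > ABSOLUTE_TIMEOUT) {
        logout();
        return null;
    }
    $_SESSION['last_activity'] = $now; // sliding idle window, refreshed on every request
    return (int) $_SESSION['user_id'];
}

// Call at the top of every protected page.
function require_login(): int
{
    $uid = current_user_id();
    if ($uid === null) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return $uid;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: harden the cookie before the session is started.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
} else {
    // CLI demo on a plain array standing in for $_SESSION (constructed, no real session).
    $_SESSION = [];
    assert(login('alice', 'wrong password') === false);
    assert(login('alice', 'correct horse battery staple') === true);
    assert(current_user_id() === 1);
    $_SESSION['last_activity'] = time() - IDLE_TIMEOUT - 1; // simulate 5+ minutes idle
    assert(current_user_id() === null);                     // expired: session discarded
    assert(empty($_SESSION));
    echo "ok\n";
}
```

Running `php` on the file exercises the CLI branch. The periodic re-check of username and password against the database in the question is replaced here by timeouts: on an idle or absolute timeout the session is simply destroyed and the user logs in again, which costs no extra queries on normal page views. If you also need sessions to die when a password is changed or an account is disabled, store a per-user "sessions valid since" timestamp in the database and compare it with `logged_in_at` on each request instead of keeping credentials in the session.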