09-15-2009, 02:19 AM   #6
russellharrower
The Contributor
Join Date: Jul 2009
Posts: 80
Thanks: 13

Quote:
I also see some major security issues:
1. No SQL cleaning that I can see
2. No validation; you merely stick the user's username in the cookie (cookies can be created and modified by the user)
OK, I have had a good night's sleep to think about everything you said.
1. I am not sure why I would need SQL cleaning, as I googled "SQL cleaning" and got nowhere, so maybe you can explain.

2. I forgot to include $username = $_POST['username']; and $password = SHA1($_POST['password']);
- Yes, I am using SHA1, not MD5. The main reason is that I was informed by someone at (a big Y! company) that MD5 was able to be hacked?


As for cookies, this is how it will be done:
The user will get a random 100-digit number string which will be saved into the DB.
If the user logs out, then that Random ID number would get deleted.
The Random ID is linked to the user's ID number for that session.

No two Random IDs can be the same for a session, with a session lasting about 15 min if the user is idle.

Meaning I would need to set up a cron job or something to check that it has been 15 min between the last timestamp and now.

Let me know your thoughts.
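The cookie scheme laid out in the post, written out as an added PHP example (not the poster's code) with every database access done through prepared statements, which is the usual answer to the "SQL cleaning" point raised in the quote. It assumes a PDO connection $db and a hypothetical sessions(token, user_id, last_seen) table, and enforces the 15 min idle limit when the cookie is read instead of from a cron job.

```php
<?php
// Added example, not the poster's code. Assumes a PDO connection $db and a
// hypothetical table sessions(token, user_id, last_seen); the token stands in
// for the post's "random 100 number string".

const IDLE_LIMIT = 15 * 60; // 15 minutes idle, as in the post

// On successful login: issue a random token from a CSPRNG, store it against
// the user's ID, and hand only the token to the browser (never the username).
function startSession(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 64 hex characters, unguessable
    $stmt = $db->prepare('INSERT INTO sessions (token, user_id, last_seen) VALUES (?, ?, ?)');
    $stmt->execute([$token, $userId, time()]);
    setcookie('sid', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return $token;
}

// On each request: look the cookie value up, reject unknown tokens, and treat
// a token idle for more than IDLE_LIMIT as logged out. Because the limit is
// checked here, stale rows are removed as they are met and no cron job is needed.
function currentUser(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id, last_seen FROM sessions WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // forged or already-deleted token
    }
    if (time() - (int)$row['last_seen'] > IDLE_LIMIT) {
        endSession($db, $token); // idle too long: delete and treat as logged out
        return null;
    }
    // Refresh the activity timestamp so the 15 min window restarts.
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE token = ?')->execute([time(), $token]);
    return (int)$row['user_id'];
}

// On logout (or expiry): delete the Random ID so the cookie cannot be replayed.
function endSession(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE token = ?')->execute([$token]);
    setcookie('sid', '', ['expires' => time() - 3600, 'httponly' => true, 'secure' => true]);
}
```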