TalkPHP
#1, 11-18-2007, 08:45 PM
MartynMJ (Newcomer, Join Date: Nov 2007, Posts: 14)

My login method?

I've never "learnt" how to make a login script, just sort of assumed how to do it, so I was wondering if my way was bad lol. Here's a description.

Username and password stored in database (password md5'ed).

When the user attempts to login then it will check the database to see if the info matches.

If all is well at this point then in a sessions table it will insert the username, a random code and their IP address.

Then a cookie is set with a base64 encoded serialized array, in the array is the id of the session in the database, username and random code.

Then if they try to view a members page it will check that the info from the cookie and the user's IP address matches that in the database.

Is this bad? lol

Make sense? :)
#2, 11-22-2007, 10:52 AM
EyeDentify (Join Date: Nov 2007, Location: Sweden, Posts: 106)

I'm no expert, but one should be a little careful with trusting that the IP stays the same at all times.

I would not rely on that.

And the IP could be the same for a multitude of users if they're from the same ISP, for example.

Anyone else?
#3, 11-22-2007, 12:45 PM
MartynMJ (Newcomer, Join Date: Nov 2007, Posts: 14)

Quote (originally posted by EyeDentify):
I'm no expert, but one should be a little careful with trusting that the IP stays the same at all times.

I would not rely on that.

And the IP could be the same for a multitude of users if they're from the same ISP, for example.

Anyone else?

Yes, I know that relying on an IP address wouldn't really do, but not only does the IP address have to be the same but the ID of the user session, the username and the random code which is encoded have to match the database record, so I figured it would be extremely hard for a hacker to get a row inserted into the database with their random code and so on?
#4, 11-22-2007, 02:10 PM
Wildhoney (Advanced Programmer, Top Contributor, Join Date: Sep 2007, Location: Oldham, Posts: 2,258)

Trouble with the IP address is that with some ISPs, such as AOL, the IP changes on every page request, and so any end-user on your website using AOL, or another ISP that goes down the same route with its IPs, would be required to log in every single time.

Moreover, for your passwords you'll no doubt be wanting to apply a salt to them and then MD5ing them together.

Working with Dynamic Cryptography Salts
Cryptography's Sodium Chloride
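Added example, not code from the thread: the cookie-session scheme from post #1 with the changes posts #2 and #4 argue for, i.e. no IP binding and password_hash() in place of salt + MD5. It assumes the PDO SQLite extension and a constructed sample account; the session cookie holds only a session id and a random token, never a base64(serialize()) blob that unserialize() would parse.

```php
<?php
// Added example (not from the thread): MartynMJ's cookie-session scheme without
// the IP check, on an in-memory SQLite DB (assumes PDO SQLite) so it runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER, token_hash TEXT, expires INTEGER)');

function registerUser(PDO $db, string $user, string $password): void {
    // password_hash() generates a random salt per password, so no hand-rolled salt + md5.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the cookie value to hand to setcookie() on success, or null on failure.
function login(PDO $db, string $user, string $password): ?string {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));  // the "random code"; the DB stores only its hash
    $stmt = $db->prepare('INSERT INTO sessions (user_id, token_hash, expires) VALUES (?, ?, ?)');
    $stmt->execute([$row['id'], hash('sha256', $token), time() + 3600]);
    // Cookie carries just session id and token: no username, and no base64(serialize())
    // blob that unserialize() would have to parse. Set it with httponly and secure flags.
    return $db->lastInsertId() . ':' . $token;
}

// Returns the user id for a valid cookie, else null. The IP is deliberately not checked.
function validateCookie(PDO $db, string $cookie): ?int {
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, token_hash, expires FROM sessions WHERE id = ?');
    $stmt->execute([(int) $m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    // hash_equals() is constant-time, so a wrong token leaks nothing about the right one.
    return hash_equals($row['token_hash'], hash('sha256', $m[2])) ? (int) $row['user_id'] : null;
}

registerUser($db, 'alice', 'correct horse battery');   // constructed sample account
$cookie = login($db, 'alice', 'correct horse battery');
var_dump($cookie !== null && validateCookie($db, $cookie) === 1);
var_dump(validateCookie($db, '1:' . str_repeat('0', 64)) === null);
var_dump(login($db, 'alice', 'wrong password') === null);
```

Because the IP is not part of the check, a user whose address changes between requests (the AOL case above) keeps their session; the server-side expiry and the unguessable 256-bit token are what bound a stolen cookie instead.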
#5, 11-23-2007, 10:33 AM
MartynMJ (Newcomer, Join Date: Nov 2007, Posts: 14)

Quote (originally posted by Wildhoney):
Trouble with the IP address is that with some ISPs, such as AOL, the IP changes on every page request, and so any end-user on your website using AOL, or another ISP that goes down the same route with its IPs, would be required to log in every single time.

Moreover, for your passwords you'll no doubt be wanting to apply a salt to them and then MD5ing them together.

Working with Dynamic Cryptography Salts
Cryptography's Sodium Chloride

I have been using a salt on the passwords :).

Does anyone have a link to a tutorial where they have a good method for user sessions?
#6, 01-01-2008, 07:36 AM
thegrayman (Join Date: Dec 2007, Posts: 15)

What I was thinking about was setting multiple cookies, one with the session id and other info serialized, as well as another setting a value that is updated in the db every time the user changes pages. I plan to check to see if cookies can be set, and if not then send them to a page explaining that you need to have cookies turned on to use this site, sort of thing. Obviously when someone logs in, regenerate their session id at that time as well.