On Sat, Feb 9, 2013 at 3:59 PM, Tedd Sperling <t...@sperling.com> wrote:

> On Feb 9, 2013, at 2:00 PM, Jonathan Eagle <jeo...@attglobal.net> wrote:
> Jonathan:
>
> No offense to your routine, but you may want to review this:
>
> http://sperling.com/php/authorization/log-on.php
>
> If anyone finds an error, please post.
>

After successfully logging in, the session id should be regenerated to
prevent session fixation:
http://php.net/manual/en/function.session-regenerate-id.php
http://shiflett.org/articles/session-fixation

Requests should be sent over https to prevent session hijacking (if you'd
rather avoid paying for a cert for your site, you could just document this):
http://stackoverflow.com/questions/22880/what-is-the-best-way-to-prevent-session-hijacking
http://php.net/manual/en/function.session-set-cookie-params.php

Even though this isn't a big deal for an example that only makes use of one
password, and that password isn't likely one that you reuse anywhere else,
for the sake of educating the masses, salting the password would be a nice
addition:
https://github.com/ircmaxell/password_compat
https://gist.github.com/nikic/3707231

Adam

-- 
Nephtali:  A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
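An added example, not code from the thread or from Tedd's page, putting the three points above (regenerate the session id on login, Secure/HttpOnly cookie flags, salted hashing via password_hash()/password_verify()) into one log-on handler; the user table, credentials and redirect target are constructed placeholders, and the hashing functions assume PHP 5.5+ or the linked password_compat library.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 5.5, or PHP 5.3.7+
// with ircmaxell/password_compat providing password_hash()/password_verify().

// Cookie flags must be set before session_start(): Secure (sent over HTTPS only)
// and HttpOnly (not readable from JavaScript). Signature: lifetime, path, domain,
// secure, httponly.
session_set_cookie_params(0, '/', '', true, true);
ini_set('session.use_only_cookies', 1);
session_start();

// Constructed user store; in a real site the hash comes from a database and is
// created once at registration. password_hash() generates a random per-password
// salt and embeds it in the returned string, so no separate salt column is needed.
$users = array(
    'tedd' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

// Returns true and marks the session authenticated on a correct name/password.
function attempt_login(array $users, $name, $password)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Replace the pre-authentication session id (and delete the old file) so an
    // id planted by an attacker before login never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    $_SESSION['logged_in_at'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    if (attempt_login($users, $name, $pass)) {
        header('Location: /member.php'); // placeholder post-login page
    } else {
        header('HTTP/1.1 401 Unauthorized');
        echo 'Log-on failed';
    }
    exit;
}
```

With the Secure flag set, the session cookie is never sent over plain http, so the whole site (not just the log-on form) has to be served over https for the session to work.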
