I have been working very hard to write the most (hopefully) state-of-the-art log-in and remember-me features for my script with security in mind.
After hours of testing and getting everything to work, I have bumped into a problem with a simple but awkward solution. The user logs in; if "remember me" is checked, a cookie is created; when the user comes back to the website, the initiate function checks for the cookie, and if the cookie is present and matches the auth_key value in the database, the function pulls the user's login info (email, password) and uses the login function to log the user back on. The problem is that the code/tutorial I was using is designed for an un-encrypted database password (for example purposes, I suppose), and the system is trying to "bcrypt hash" an already hashed password.
I can think of two dirty fixes: the dirtiest is to create a secondary login function that avoids hashing the password; the still-dirty one is to add a parameter to login() that specifies whether the password is hashed or not, so the script can "if" it accordingly.
Is there a better way?
public function login($email, $password, $remember = false) {
    global $bcrypt; // The $bcrypt object is defined in init.php, which is included in login.php where this function is called
    $query = $this->db->prepare("SELECT password, id, email, username, accountlevel FROM users WHERE email = ?");
    $query->bindValue(1, $email);
    try {
        $query->execute();
        $data = $query->fetch();
        if ($data === false) {
            return false; // no user with that email: fetch() returned false, so there are no columns to read
        }
        $stored_password = $data['password']; // stored hashed password
        $id = $data['id']; // id of the user to be returned if the password is verified, below
        $email = $data['email']; // stored user email
        $username = $data['username']; // username
        $accountlevel = $data['accountlevel'];
        if ($bcrypt->verify($password, $stored_password) === true) { // compare the password with the stored hashed password
            // Check if user wants account to be saved in cookie
            if ($remember) {
                // Generate new auth key for each log in (so old auth key can not be used multiple times in case of cookie hijacking).
                $cookie_auth = $bcrypt->randString(10) . $email;
                $auth_key = $bcrypt->genHash($cookie_auth);
                $auth_query = $this->db->prepare("UPDATE users SET auth_key = ? WHERE id = ?");
                $auth_query->bindValue(1, $auth_key);
                $auth_query->bindValue(2, $id);
                try {
                    $auth_query->execute();
                    setcookie("auth_key", $auth_key, time() + 60 * 60 * 24 * 7, "/", "touringlegends.com", false, true);
                } catch (PDOException $e) {
                    die($e->getMessage());
                }
            }
            session_regenerate_id(true);
            $_SESSION['user_id'] = $id;
            $_SESSION['user_level'] = $accountlevel;
            $_SESSION['user_name'] = $username;
            $_SESSION['user_lastactive'] = time();
            return true;
        } else {
            return false;
        }
    } catch (PDOException $e) {
        die($e->getMessage());
    }
}
public function initiate()
{
    global $general;
    $logged_in = false;
    if (isset($_SESSION['user_name'])) {
        $logged_in = true;
    }
    // Check that cookie is set
    if (isset($_COOKIE['auth_key'])) {
        $auth_key = $general->safe_var($_COOKIE['auth_key']);
        if ($logged_in === false) {
            // Select user from database where auth key matches (auth keys are unique)
            $auth_key_query = $this->db->prepare("SELECT username, password FROM users WHERE auth_key = ? LIMIT 1");
            $auth_key_query->bindValue(1, $auth_key);
            try {
                $auth_key_query->execute();
                $data = $auth_key_query->fetch();
                if ($data === false) { // fetch() returns false when no row matched; the statement object itself is never false here
                    // If auth key does not belong to a user delete the cookie
                    setcookie("auth_key", "", time() - 3600);
                } else {
                    // Go ahead and log in
                    $this->login($data['username'], $data['password'], true);
                }
            } catch (PDOException $e) {
                die($e->getMessage());
            }
        } else {
            setcookie("auth_key", "", time() - 3600);
        }
    }
}
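One way to avoid passing the stored password back through login(), as an added example that is not part of the original post: the cookie carries a random selector and validator, only a SHA-256 of the validator is stored (the validator has 256 bits of entropy, so a fast hash is enough and no bcrypt round is needed), and both the password path and the cookie path end in the same session-establishing routine, so nothing is ever hashed twice. The class, the auth_tokens table and its columns are assumptions; it runs on an in-memory SQLite database via PDO, and setcookie() is skipped when run from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Table and column names (users,
// auth_tokens, selector, validator_hash, user_id, expires) are assumptions.
final class PersistentLogin
{
    private const LIFETIME = 60 * 60 * 24 * 7; // one week

    public function __construct(private PDO $db) {}

    // Both login paths end here. It never sees the password or its hash.
    public function establishSession(int $id, string $username): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true); // drop any fixated session id
        }
        $_SESSION['user_id'] = $id;
        $_SESSION['user_name'] = $username;
        $_SESSION['user_lastactive'] = time();
    }

    public function loginWithPassword(string $email, string $password, bool $remember): bool
    {
        $stmt = $this->db->prepare('SELECT id, username, password FROM users WHERE email = ?');
        $stmt->execute([$email]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($user === false || !password_verify($password, (string) $user['password'])) {
            return false;
        }
        $this->establishSession((int) $user['id'], (string) $user['username']);
        if ($remember) {
            $this->issueToken((int) $user['id']);
        }
        return true;
    }

    // selector: public lookup key. validator: the secret; only its SHA-256 is
    // stored, so a leaked table does not yield working cookies.
    public function issueToken(int $userId): string
    {
        $selector = bin2hex(random_bytes(8));
        $validator = bin2hex(random_bytes(32));
        $this->db->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)')
                 ->execute([$selector, hash('sha256', $validator), $userId, time() + self::LIFETIME]);
        $cookie = $selector . ':' . $validator;
        $this->setCookie('remember', $cookie, time() + self::LIFETIME);
        return $cookie;
    }

    // Cookie path: find the row by selector, compare the validator hash in
    // constant time, consume the token, establish the session, issue a new token.
    public function loginWithCookie(string $cookie): bool
    {
        if (substr_count($cookie, ':') !== 1) {
            return false;
        }
        [$selector, $validator] = explode(':', $cookie, 2);
        $stmt = $this->db->prepare('SELECT t.validator_hash, t.expires, u.id, u.username
            FROM auth_tokens t JOIN users u ON u.id = t.user_id WHERE t.selector = ?');
        $stmt->execute([$selector]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['expires'] < time()
            || !hash_equals((string) $row['validator_hash'], hash('sha256', $validator))) {
            $this->setCookie('remember', '', time() - 3600); // bad or stale cookie: clear it
            return false;
        }
        $this->db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
        $this->establishSession((int) $row['id'], (string) $row['username']);
        $this->issueToken((int) $row['id']); // rotate: a stolen copy is single-use
        return true;
    }

    private function setCookie(string $name, string $value, int $expires): void
    {
        if (PHP_SAPI === 'cli' || headers_sent()) {
            return; // no browser to talk to when run from the command line
        }
        setcookie($name, $value, ['expires' => $expires, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
}

// Demonstration on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, username TEXT, password TEXT)');
$db->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');
$db->prepare('INSERT INTO users (email, username, password) VALUES (?, ?, ?)')
   ->execute(['alice@example.com', 'alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$auth = new PersistentLogin($db);
var_dump($auth->loginWithPassword('alice@example.com', 'wrong', true));         // wrong password
var_dump($auth->loginWithPassword('alice@example.com', 'correct horse', true)); // password path
$cookie = $auth->issueToken(1);
var_dump($auth->loginWithCookie($cookie));   // cookie path: token consumed and rotated
var_dump($auth->loginWithCookie($cookie));   // replay of the already consumed token
var_dump($_SESSION['user_name']);            // set by establishSession() on both paths
```

Because the database row for a remembered login holds only the hash of the validator, the only thing the cookie login path ever compares is two SHA-256 digests with hash_equals(); the user's password hash is never read on that path, so the "double hashing" problem cannot arise, and there is no need for a second login function or a flag parameter.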
I want to be able to connect to my database and have my function search the database for the logged-in user and set a cookie using the user's username.
I want to do this using PHP.
I want to do this so that I can call the username whenever I want to display it.
I am very new at PHP, so please bear with me.
Even if there is a link to a post about this, that would be helpful.
Edit (this is what I tried so far):
function storeUsername($email) {
    $sql = "SELECT username, id FROM users WHERE email = '" . escape($email) . "' AND active = 1";
    $result = query($sql);
    if (row_count($result) == 1) {
        $row = fetch_array($result);
        $username = $row['username'];
        setcookie('username', $username, time() + 500000);
        $_SESSION['username'] = $username;
        return true;
    } else {
        return false;
    }
}
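An added example, not the poster's code, of the point that matters here: a cookie is sent by the browser, so its contents are whatever the client chooses to send, and a username read back from it cannot be used to decide who is logged in. The session is the right place for that; if a cookie copy is wanted anyway (for display only), give it an HMAC so that edits are detected. COOKIE_KEY, the cookie format and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. COOKIE_KEY is an assumed server-side
// secret: load it from configuration, never from the request.
const COOKIE_KEY = 'replace-with-32-random-bytes-from-config';

// Returns "urlsafe-base64(username).hex(hmac)". The MAC covers the payload,
// so a client that edits the name cannot produce a matching signature.
function signUsernameCookie(string $username, string $key = COOKIE_KEY): string
{
    $payload = rtrim(strtr(base64_encode($username), '+/', '-_'), '=');
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the username if the signature checks out, null otherwise.
// hash_equals() keeps the comparison constant-time.
function readUsernameCookie(string $cookie, string $key = COOKIE_KEY): ?string
{
    if (substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $decoded = base64_decode(strtr($payload, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// After the poster's query has found the user: the session holds the
// authoritative copy, the cookie only a signed copy for display.
function rememberDisplayName(string $username): void
{
    $_SESSION['username'] = $username;
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        setcookie('username', signUsernameCookie($username), [
            'expires' => time() + 500000, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
}

// Demonstration with a constructed username.
$cookie = signUsernameCookie('alice');
$forged = rtrim(strtr(base64_encode('admin'), '+/', '-_'), '=') . '.' . explode('.', $cookie, 2)[1];
var_dump(readUsernameCookie($cookie));    // genuine cookie
var_dump(readUsernameCookie($forged));    // same MAC with the name edited
var_dump(readUsernameCookie('garbage'));  // malformed value
```

Even with the signature, the cookie only proves that the server once issued that name to that browser; authorisation decisions should still come from $_SESSION, which the client cannot read or write.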
Boy, am I confused. So I had a working login system when I was working with a different database name. I changed over all the names and files to fit the new SQL database. Everything seems to work except that my login check says that I am not logged in. It seems to be a problem that the session is not set.
I first have a login page that sends you through this page successfully (I end up at member_home):
<?php
include_once './../functions.php';
include_once './../dbConnect.php';
sec_session_start(); // custom way of starting a PHP session.
if (isset($_POST['user'], $_POST['p'])) {
    $user = $_POST['user'];
    $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
    if (strlen($password) != 128) {
        // The hashed pwd should be 128 characters long.
        // If it's not, something really odd has happened
        echo 'hashed password length wrong';
    }
    //$password = $_POST['p']; // The hashed password.
    if (login($user, $password, $dbConnection) == true) {
        // Login success
        $con = @require './../dbConnect.php';
        // Check connection (mysqli_connect_errno() takes no argument)
        if (mysqli_connect_errno()) {
            echo "Failed to connect to MySQL: " . mysqli_connect_error();
        } else {
            $result = mysqli_query($dbConnection, "SELECT * FROM members WHERE user = '" . $_SESSION['user'] . "'");
            $row = mysqli_fetch_array($result);
            $passkey1 = $row['confirmcode'];
            header('Location: http://www.examplewebsite.com/member_home.php?passkey=' . $passkey1);
            exit(); // stop the script after issuing the redirect
        }
    } else {
        // Login failed
        header('Location: ../login_page.php?error=1');
        echo 'login failed';
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
?>
My member home page requires that the user is logged in, via this login_check function:
function login_check($dbConnection) {
    // Check if all session variables are set
    //this session is not being set....
    if (isset($_SESSION['user_id'],
              $_SESSION['user'],
              $_SESSION['login_string'])) {
        header('Location: http://www.examplewebsite.com/index.php');
        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['user'];
        // Get the user-agent string of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        if ($stmt = $dbConnection->prepare("SELECT password
                                            FROM members
                                            WHERE id = ? LIMIT 1")) {
            // Bind "$user_id" to parameter.
            $stmt->bind_param('i', $user_id);
            $stmt->execute(); // Execute the prepared query.
            $stmt->store_result();
            if ($stmt->num_rows == 1) {
                //we are not making it to this if statement
                // If the user exists get variables from result.
                $stmt->bind_result($password);
                $stmt->fetch();
                $login_check = hash('sha512', $password . $user_browser);
                if ($login_check == $login_string) {
                    // Logged In!!!!
                    return true;
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in
            return false;
        }
    } else {
        // Not logged in
        return false;
    }
}
I know I don't pass the first if statement because I was not relocated via the header check.
Here is the sec_session_start() function and I've tested and seen that it does indeed go through this entire function:
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                              $cookieParams["path"],
                              $cookieParams["domain"],
                              $secure,
                              $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(); // regenerated the session, delete the old one.
}
So for some reason, my loginCheck function always fails and I can't figure out why the session is not set! Is something wrong here or would it be elsewhere? Can someone lead me in a direction to check for other errors?
The problem only started occurring after switching all the databasenames and related, but I can't find anywhere where the text is different.
Here is my login variable, responsible for binding everything:
function login($user, $password, $dbConnection) {
    global $errors;
    $errors = 1;
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $dbConnection->prepare("SELECT ID, user, paid, password, salt
                                        FROM members WHERE user = ? LIMIT 1")) {
        $stmt->bind_param('s', $user); // Bind "$user" to parameter.
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();
        // get variables from result.
        $stmt->bind_result($user_id, $user, $paid, $db_password, $salt);
        $stmt->fetch();
        // hash the password with the unique salt.
        $password = hash('sha512', $password . $salt);
        $errors = 2;
        if ($stmt->num_rows > 0) {
            if ($db_password == $password) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                // XSS protection as we might print this value
                $user = preg_replace("/[^a-zA-Z0-9_\-]+/",
                                     "",
                                     $user);
                $_SESSION['user'] = $user;
                $_SESSION['login_string'] = hash('sha512',
                                                 $password . $user_browser);
                // Login successful.
                $errors = 3;
                return true;
            } else {
                return false;
            }
        } else {
            // No user exists.
            return false;
        }
    }
}
I actually CAN'T get the $errors variable to post in member_home either.
I mean, again, the problem seems to be that after I send the user to member_home there is no longer a defined $_SESSION['user']. It just seems to all disappear after the header(Location: member_home).
I committed a HUGE sin and did some copy and paste programming. I know, I know. BAD programmer! Unfortunately, I am not well versed in PHP and MySQL (although I have enrolled in several Udemy classes to remedy that), and I needed a log in system right away. So, I used the tut found here. Now, it works great, but I need the page to redirect to a user specific page on log in, instead of to a single static page as found in the tut.
I added a column to my database at the end called page and populated it with the full URL I want for each user, and tried to change the code to get the value of the page column along with several other solutions from my little knowledge of PHP and things I found online and on SO, but I cannot seem to get the value from the database column "page" for the redirect. It just shows a blank page.
Here is the code that seems to be relevant:
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start();
if (isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p'];
    if (login($email, $password, $mysqli) == true) {
        // Login success
        header('Location: ../selection.php');
        exit();
    } else {
        // Login failed
        header('Location: ../error.php?error=1');
        exit(); // stop the script after the redirect, as on the success path
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
and (I am not actually sure if this is relevant, but I didn't want anyone to have to go to the tutorial if I could prevent it)
<?php
include_once 'psl-config.php';

function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                              $cookieParams["path"],
                              $cookieParams["domain"],
                              $secure,
                              $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(); // regenerated the session, delete the old one.
}

function login($email, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
                                  FROM members
                                  WHERE email = ?
                                  LIMIT 1")) {
        $stmt->bind_param('s', $email); // Bind "$email" to parameter.
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();
        // get variables from result.
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        // hash the password with the unique salt.
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                // Send an email to user saying their account is locked
                return false;
            } else {
                // Check if the password in the database matches
                // the password the user submitted.
                if ($db_password == $password) {
                    // Password is correct!
                    // Get the user-agent string of the user.
                    $user_browser = $_SERVER['HTTP_USER_AGENT'];
                    // XSS protection as we might print this value
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    // XSS protection as we might print this value
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/",
                                             "",
                                             $username);
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512',
                                                     $password . $user_browser);
                    // Login successful.
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    $now = time();
                    $mysqli->query("INSERT INTO login_attempts(user_id, time)
                                    VALUES ('$user_id', '$now')");
                    return false;
                }
            }
        } else {
            // No user exists.
            return false;
        }
    }
}

function checkbrute($user_id, $mysqli) {
    // Get timestamp of current time
    $now = time();
    // All login attempts are counted from the past 2 hours.
    $valid_attempts = $now - (2 * 60 * 60);
    if ($stmt = $mysqli->prepare("SELECT time
                                  FROM login_attempts
                                  WHERE user_id = ?
                                  AND time > '$valid_attempts'")) {
        $stmt->bind_param('i', $user_id);
        // Execute the prepared query.
        $stmt->execute();
        $stmt->store_result();
        // If there have been more than 5 failed logins
        if ($stmt->num_rows > 5) {
            return true;
        } else {
            return false;
        }
    }
}

function login_check($mysqli) {
    // Check if all session variables are set
    if (isset($_SESSION['user_id'],
              $_SESSION['username'],
              $_SESSION['login_string'])) {
        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['username'];
        // Get the user-agent string of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        if ($stmt = $mysqli->prepare("SELECT password
                                      FROM members
                                      WHERE id = ? LIMIT 1")) {
            // Bind "$user_id" to parameter.
            $stmt->bind_param('i', $user_id);
            $stmt->execute(); // Execute the prepared query.
            $stmt->store_result();
            if ($stmt->num_rows == 1) {
                // If the user exists get variables from result.
                $stmt->bind_result($password);
                $stmt->fetch();
                $login_check = hash('sha512', $password . $user_browser);
                if ($login_check == $login_string) {
                    // Logged In!!!!
                    return true;
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in
            return false;
        }
    } else {
        // Not logged in
        return false;
    }
}

function esc_url($url) {
    if ('' == $url) {
        return $url;
    }
    // Strip everything outside the set of characters allowed in a URL.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }
    $url = str_replace(';//', '://', $url);
    $url = htmlentities($url);
    // Encode the ampersand and single quote as numeric entities.
    $url = str_replace('&amp;', '&#038;', $url);
    $url = str_replace("'", '&#039;', $url);
    if ($url[0] !== '/') {
        // We're only interested in relative links from $_SERVER['PHP_SELF']
        return '';
    } else {
        return $url;
    }
}
I looked at the PHP.net docs, and have tried several solutions I found online, but nothing I have found seems to be working. Do I need to create a function for this? I know I need a better fundamental knowledge of PHP and MySQL for sure.
Let me know if you need more info on this.
Thanks!
Change your login function to also get the page-column (SELECT id, ..., page FROM ...)
Next, change the bind_result: add a parameter after $salt: ..., $salt, $page
Change the return true to return $page;
Now back in your script that calls the login function, change
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ../selection.php');
to
$page = login($email, $password, $mysqli);
if ($page !== false) {
// Login success
header('Location: '. $page);
Make sure that your page-column contains valid values at all times though.
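The answer's closing caveat is the important one: a redirect built from a database column becomes an open redirect the moment that column can be influenced by anyone other than the administrator, and a full URL is also where values such as a protocol-relative `//other-host` or a non-http scheme end up. The following is an added example, not code from the answer or from the tutorial, of validating the stored target before handing it to header(); SITE_HOST and the set of accepted forms are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. It assumes the site's own host is known server-side
// (SITE_HOST) and that the page column holds either a path or a full URL.
const SITE_HOST = 'www.example.com';

// Returns a Location value that is safe to follow, or null. Accepts
// "/path?x=y" and "http(s)://SITE_HOST/path"; rejects protocol-relative
// "//host", other hosts, userinfo tricks and non-http(s) schemes.
function safeRedirectTarget(?string $target, string $siteHost = SITE_HOST): ?string
{
    if ($target === null || $target === '') {
        return null;
    }
    // header() refuses CR/LF itself, but control characters in a stored
    // target are a sign of tampering, so reject the value outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $target) === 1) {
        return null;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return null;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: exactly one leading slash. "//host" is reported
        // by parse_url() with a host, so it never reaches this branch.
        $path = $parts['path'] ?? '';
        return ($path !== '' && $path[0] === '/' && ($path[1] ?? '') !== '/') ? $target : null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])
        || strtolower($parts['host'] ?? '') !== strtolower($siteHost)) {
        return null;
    }
    return $target;
}

// In the login script this replaces header('Location: ' . $page):
//   $to = safeRedirectTarget($page);
//   header('Location: ' . ($to ?? '../selection.php'));
//   exit();

// Constructed targets, paired with whether they should be accepted.
$cases = [
    '/members/alice.php'                => true,
    'https://www.example.com/alice'     => true,
    '//evil.example.net/phish'          => false,
    'https://evil.example.net/'         => false,
    'javascript:alert(1)'               => false,
    'https://www.example.com@evil.net/' => false,
    "/ok\r\nSet-Cookie: a=b"            => false,
    ''                                  => false,
];
foreach ($cases as $input => $shouldAccept) {
    $accepted = safeRedirectTarget($input) !== null;
    printf("%-36s accepted=%s as-expected=%s\n", addcslashes($input, "\0..\37"),
        var_export($accepted, true), var_export($accepted === $shouldAccept, true));
}
```

The check deliberately falls back to a fixed page rather than echoing the rejected value anywhere; if the column is meant to hold only site-local paths, the full-URL branch can be dropped and the relative branch alone is sufficient.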
I have a website that has a membership system. When users log in, I validate the username/password against the database and start a session, $_SESSION['userid'], that contains their id (I have not implemented anything using cookies yet).
I have a problem: the system works fine most of the time, but some users have reported that they eventually find themselves logged into some other random user's account. That probably means that $_SESSION['userid'] changes without any reason to something else, and I'm pretty sure I'm not doing anything to change it.
Any ideas why this could be happening?
Edit: summary of what I am doing.
This method starts the session:
function startSession($id){
    $_SESSION['logged_in'] = 1;
    $_SESSION['userid'] = $id;
}
This method checks the login:
function isLoggedIn(){
    return isset($_SESSION['logged_in']) && isset($_SESSION['userid']) && $_SESSION['userid']!=" " && $_SESSION['logged_in']==1;
}
This is the logout method
function logout(){
    $_SESSION['logged_in'] = 0;
    $_SESSION['userid'] = 0;
    unset($_SESSION['logged_in']);
    unset($_SESSION['userid']);
    session_destroy();
    if (!isLoggedIn()){ return "S3"; }
    else { return "E3"; }
}
And this is how I check if the user is logged in most places
if (isLoggedIn()){ $profileid = $_SESSION['userid']; }
This is the login function, this is where I call startSession
function login($username, $password){
    $pdo = newPDO();
    $username = sanitize_string($username);
    $password = sha1(sanitize_string($password));
    $query = $pdo->prepare("SELECT id FROM ".TABLE_PROFILE." WHERE nick=:nick AND pass=:pass LIMIT 1");
    $query->execute(array(':nick'=>$username, ':pass'=>$password));
    $result = $query->fetch(PDO::FETCH_ASSOC);
    if (count($result['id']) == 1){
        startSession($result['id']);
        loginExecution();
        return "S1";
    }
    else{ return "E1"; }
}
The problem is in your login function.
Your script is not checking the username and password for any data, and if the username and password are empty or incorrect, your client will get the first available id from the database.
function login($username, $password){
    $pdo = newPDO();
    $username = sanitize_string($username);
    $password = sanitize_string($password);
    // Check data for existing
    if (empty($username)) throw new Exception('Empty username');
    if (empty($password)) throw new Exception('Empty password');
    $password = sha1($password);
    $query = $pdo->prepare("SELECT id FROM ".TABLE_PROFILE." WHERE nick=:nick AND pass=:pass LIMIT 1");
    $query->execute(array(':nick'=>$username, ':pass'=>$password));
    $result = $query->fetch(PDO::FETCH_ASSOC);
    if (count($result['id']) == 1){
        startSession($result['id']);
        loginExecution();
        return "S1";
    }
    else{ return "E1"; }
}
P.S. Always check incoming data before running SQL queries.
Realistically, the only thing I can think of that would cause this is something setting $_SESSION['userid'] to another member's id, assuming this is what you are using to check which member's information to show. Are you perhaps doing something when the $_SESSION['userid'] variable is not set that may end up setting $_SESSION['userid'] incorrectly, i.e. if their PHP session is reset?
I am currently developing a login script for my application. The login will use SSL, and all required resources will be served through this. It is not protecting anything like a bank; however, I would like to know what is right and wrong, especially for learning purposes.
I would love some feedback on my class that I have developed. I have been reading various sources on the net and a lot seems to be contradictory.
Areas I feel need improvement:
Use something stronger than sha1 for storing passwords.
Maintaining login - currently it times out after 20 minutes.
Without further ado here is the code:
class User extends Model{
    private $logLocation;
    private $loginLog;

    public function __construct(){
        $this->logLocation = 'system/logs/';
        $this->loginLog = "logins";
    }

    /**
     *
     * Add User
     * @param array $data An array of data that will get added to User table.
     */
    public function add($data){
        $db = Database::getInstance();
        $salt = substr(md5(uniqid(rand(), true)),0,3);
        $query = 'INSERT INTO user( user_id, user_username, user_password, user_salt, user_forename, user_lastname, user_email, user_attempts)
                  VALUES( :user_id, :user_username, sha1(:user_password), :user_salt, :user_forename, :user_lastname, :user_email, 0)';
        $args = array(
            ':user_id' => $data['user_id'],
            ':user_username' => $data['user_username'],
            ':user_password' => $data['user_password'].$salt,
            ':user_salt' => $salt,
            ':user_forename' => $data['user_forename'],
            ':user_lastname' => $data['user_lastname'],
            ':user_email' => $data['user_email']);
        $db->query($query, $args);
        SessionRegistry::instance()->addFeedback('user Saved Successfully');
        return true;
    }

    public function getUserId($username){
        $db = Database::getInstance();
        //Check to see if the username exists
        $query = "SELECT user_id FROM user WHERE user_username = :username LIMIT 1";
        $results = $db->query($query, array(':username' => $username));
        return $results[0]['user_id'];
    }

    public function getUsername($userId){
        $db = Database::getInstance();
        //Look the user up by id (this method receives an id, not a username)
        $query = "SELECT user_username FROM user WHERE user_id = :id LIMIT 1";
        $results = $db->query($query, array(':id' => $userId));
        return $results[0]['user_username'];
    }

    /**
     *
     * Checks login details against that in the database
     * @param string $username
     * @param string $password
     */
    public function checkLogin($username, $password){
        $db = Database::getInstance();
        //Check to see if the username exists
        $query = "SELECT user_salt, user_password, user_attempts FROM user WHERE user_username = :username LIMIT 1";
        $results = $db->query($query, array(':username' => $username));
        //No results return false
        if(count($results) < 1){
            $this->logLoginAttempt($username, 'Incorrect Username');
            return false;
        }
        //Check to see if the user is blocked
        if((int)$results[0]['user_attempts'] >= 3){
            $this->logLoginAttempt($username, 'Blocked User Login');
            return false;
        }
        //Check to see if the passwords match
        if(sha1($password.$results[0]['user_salt']) == $results[0]['user_password']){
            $this->setLogin($username);
            return true;
        }
        else{
            //Incorrect Password
            $this->logLoginAttempt($username, 'Incorrect Password');
            $this->failedLoginIncrement($username);
            return false;
        }
    }

    /**
     *
     * Increments the failed login attempt for a user.
     * 3 Strikes and they get locked out.
     * @param string $username
     */
    private function failedLoginIncrement($username){
        $db = Database::getInstance();
        //Increment the failed attempt counter for the user
        $query = 'UPDATE user SET user_attempts = user_attempts + 1 WHERE user_username = :username';
        $db->query($query, array(':username' => $username));
        //Check to see if the user has reached 3 strikes if so block them.
        $query = 'SELECT user_attempts FROM user WHERE user_username = :username LIMIT 1';
        $results = $db->query($query, array(':username' => $username));
        if($results[0]['user_attempts'] >= 3){
            //We need to block the user
            $query = 'UPDATE user SET user_blocked = 1 WHERE user_username = :username';
            $db->query($query, array(':username' => $username));
        }
        return true;
    }

    /**
     *
     * Logs a failed login attempt to a log file so these can be monitored
     * @param string $username
     * @param string $reason
     */
    private function logLoginAttempt($username, $reason){
        $fh = fopen($this->logLocation.$this->loginLog, 'a+') or die("can't open file");
        $logLine = date('d/m/Y h:i') . ' Login Attempt: ' . $username . ' Failure Reason: ' . $reason . " IP: " . $_SERVER['REMOTE_ADDR'] . "\n";
        fwrite($fh, $logLine);
        fclose($fh);
        return true;
    }

    /**
     *
     * Sets the login data in the session. Also logs IP and resets the failed attempts.
     * @param string $username
     */
    private function setLogin($username){
        $db = Database::getInstance();
        //Update the IP address of the user from where they last logged in
        $query = 'UPDATE user SET user_ip = :ip, user_attempts = 0 WHERE user_username = :username';
        $db->query($query, array(':username' => $username, ':ip' => $_SERVER['REMOTE_ADDR']));
        ini_set("session.use_only_cookies", TRUE); //Forces the session to be stored only in cookies and not passed over a URI.
        ini_set("session.use_trans_sid", FALSE); //Stop leaking session IDs onto the URI before browser can check to see if cookies are enabled.
        ini_set("session.cookie_lifetime", 1200); //Time out after 20mins
        //Now add the session vars to set the user to logged in.
        session_start();
        session_regenerate_id(true); //Regenerate the session Id deleting old session files.
        $_SESSION['valid'] = 1;
        //Look the id up by the username that was just verified, then hash it with the salt
        $_SESSION['userid'] = sha1($this->getUserId($username) . "SALTHERE");
    }

    /**
     *
     * Checks to see if a user is currently logged in.
     */
    public function loggedIn(){
        //isset() avoids a notice when no session variable exists yet
        if(isset($_SESSION['valid']) && $_SESSION['valid']){
            return true;
        }
        else{
            return false;
        }
    }

    /**
     *
     * Logs a current user out by destroying the session
     */
    public function logout(){
        // Unset all of the session variables.
        $_SESSION = array();
        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]
            );
        }
        // Finally, destroy the session.
        session_destroy();
    }
}
I then use this class like so:
require_once('User.php');
$user = new User();
$loggedIn = $user->checkLogin($_POST['username'], $_POST['password']);
if($loggedIn){
    //redirect to member area
}
else{
    //show login screen
}
Then on a page where I need to check if a user is logged in
require_once('User.php');
$user = new User();
if(!$user->loggedIn()){
    //redirect to login page
}
I would love to hear your thoughts comments good or bad plus any other ideas I can use to improve my login script.
Thanks in advance for your time
Matt
I suggest separating the session management from the database access. Put them somehow into two different classes.
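An added example (not the poster's class) of the separation the answer suggests, which also covers the first item on the poster's list: an Authenticator that only talks to the database and verifies passwords, accepting the existing sha1(password . salt) rows and rewriting them with password_hash() the next time the password is entered correctly, and a SessionManager that owns session start, id regeneration, the 20-minute idle timeout and logout. The same upgrade-on-login step applies to the sha512 + salt scheme in the earlier posts on this page. Column names follow the post; the database is an in-memory SQLite one, and from the command line there is no real session cookie, so $_SESSION is just an array.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's class. It keeps the post's table and column
// names (user, user_id, user_username, user_password, user_salt) and runs on
// an in-memory SQLite database so it works stand-alone.
final class Authenticator
{
    public function __construct(private PDO $db) {}

    // Returns the user row (without secrets) on success, null otherwise. Legacy
    // rows hold sha1(password . salt); once such a password verifies, the row is
    // rewritten with password_hash() and the salt column cleared.
    public function verify(string $username, string $password): ?array
    {
        $stmt = $this->db->prepare('SELECT user_id, user_username, user_password, user_salt
            FROM user WHERE user_username = ? LIMIT 1');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;
        }
        $stored = (string) $row['user_password'];
        if (($stored[0] ?? '') === '$') {                       // password_hash() format
            if (!password_verify($password, $stored)) {
                return null;
            }
        } elseif (hash_equals($stored, sha1($password . (string) $row['user_salt']))) {
            $this->storeHash((int) $row['user_id'], $password); // upgrade the legacy hash
        } else {
            return null;
        }
        unset($row['user_password'], $row['user_salt']);
        return $row;
    }

    private function storeHash(int $userId, string $password): void
    {
        $this->db->prepare('UPDATE user SET user_password = ?, user_salt = NULL WHERE user_id = ?')
                 ->execute([password_hash($password, PASSWORD_DEFAULT), $userId]);
    }
}

// Owns everything about the session; knows nothing about the database.
final class SessionManager
{
    public function __construct(private int $idleSeconds = 1200) {}

    public function start(): void
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start(['use_only_cookies' => 1, 'use_strict_mode' => 1, 'cookie_lifetime' => 0,
                'cookie_secure' => true, 'cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
        }
    }

    // Call only after Authenticator::verify() returned a row.
    public function login(int $userId): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);               // fresh id on privilege change
        }
        $_SESSION = ['user_id' => $userId, 'last_active' => time()];
    }

    public function currentUserId(): ?int
    {
        if (!isset($_SESSION['user_id'], $_SESSION['last_active'])) {
            return null;
        }
        if (time() - (int) $_SESSION['last_active'] > $this->idleSeconds) {
            $this->logout();                           // idle timeout
            return null;
        }
        $_SESSION['last_active'] = time();
        return (int) $_SESSION['user_id'];
    }

    public function logout(): void
    {
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            if (!headers_sent()) {                     // also expire the cookie in the browser
                setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => '/']);
            }
            session_destroy();
        }
    }
}

// Demonstration with constructed data: one user stored the old way.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_username TEXT, user_password TEXT, user_salt TEXT)');
$db->prepare('INSERT INTO user VALUES (1, ?, ?, ?)')->execute(['matt', sha1('hunter2' . 'ab1'), 'ab1']);
$auth = new Authenticator($db);
$session = new SessionManager(1200);
var_dump($auth->verify('matt', 'wrong'));               // wrong password
$user = $auth->verify('matt', 'hunter2');               // legacy hash accepted and upgraded
$session->login((int) $user['user_id']);
var_dump($db->query('SELECT user_password FROM user WHERE user_id = 1')->fetchColumn()); // stored hash after upgrade
var_dump($auth->verify('matt', 'hunter2') !== null);    // verifies against the new hash
var_dump($session->currentUserId());
$_SESSION['last_active'] = time() - 1300;               // simulate 21 minutes of inactivity
var_dump($session->currentUserId());                    // idle timeout path
```

With this split, the login page calls $session->start(), then $auth->verify(), then $session->login(); a protected page calls $session->start() and $session->currentUserId(). The idle timeout is enforced server-side from last_active rather than by session.cookie_lifetime alone, since the browser's cookie expiry is advisory and a copied cookie ignores it.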