Hello,
Usually, I use a login system with sessions (writing a cookie). It works fine and is secure.
For a special project, I have to use a login system running with clients who don't accept cookies.
Here is the way I want to do it. I would like to have your advice about its security.
I check in my MySQL database whether the entered login-password couple exists. If so, I generate a random number that I write in the DB with the member record. I also write a timeout. So, I propagate the random number from page to page.
In a secure page, I first check if the random number exists in my DB and get the memberid if it's the case (I also check if the timeout is ok). Then, I update the timeout.
Is it the right way to do it, or do you know something better? Is it secure?
Many thanks for helping.
Vincent.
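
The scheme described in the post above, as an added example that is not part of the original post: a token issued at login, stored with a timeout, then checked and refreshed on each secure page. Assumptions: in-memory SQLite stands in for the MySQL database; the table, column and function names, the 15-minute timeout and the PBKDF2 password hashing are hypothetical; storing only a hash of the token is an addition to what the post describes.

```python
import hashlib, secrets, sqlite3, time

TIMEOUT = 900  # seconds of inactivity allowed (assumed value)

def open_db():
    # In-memory SQLite stands in for the MySQL member table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (memberid INTEGER PRIMARY KEY, login TEXT UNIQUE,"
               " pw_salt BLOB, pw_hash BLOB, token_hash TEXT, expires REAL)")
    return db

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def add_member(db, login_name, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO member (login, pw_salt, pw_hash) VALUES (?, ?, ?)",
               (login_name, salt, _pw_hash(password, salt)))

def login(db, login_name, password, now=None):
    """Return a fresh token for valid credentials, else None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT memberid, pw_salt, pw_hash FROM member WHERE login = ?",
                     (login_name,)).fetchone()
    if row is None or not secrets.compare_digest(_pw_hash(password, row[1]), row[2]):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable PRNG
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    db.execute("UPDATE member SET token_hash = ?, expires = ? WHERE memberid = ?",
               (_digest(token), now + TIMEOUT, row[0]))
    return token

def check(db, token, now=None):
    """Return memberid if the token is known and not timed out; slide the timeout."""
    now = time.time() if now is None else now
    row = db.execute("SELECT memberid, expires FROM member WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    if row is None:
        return None
    if row[1] < now:
        # Timed out: erase the token so it can never be replayed.
        db.execute("UPDATE member SET token_hash = NULL WHERE memberid = ?", (row[0],))
        return None
    db.execute("UPDATE member SET expires = ? WHERE memberid = ?", (now + TIMEOUT, row[0]))
    return row[0]
```

If the token is carried in the URL rather than a hidden form field, it ends up in server logs, browser history and Referer headers, so serve every page over HTTPS and keep the timeout short.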