I have been looking at some articles about user authentication and I figured it would be safe to do the following:
- site uses sessions all over it
- have a login form which may set $_SESSION['logged_in'] = true if the username/password check matches
- the same login form sets $_SESSION['last_active'] = time()
- every page visit checks that this is not more than 15 minutes ago and sets $_SESSION['last_active'] = time()
- every page decides upon check of $_SESSION['logged_in'] if the user is logged in.
Is this indeed a secure method? I know that the cookie with the session ID can be spoofed, but it would only be valid for the next 15 minutes. Using multiple cookies wouldn't bring any extra security, since those could be spoofed just as easily? Would anything be able to improve the security of my login script (except for SSL)?
I intend to store my passwords md5-encrypted in my database.
I was thinking about sending the passwords filled in on the form md5-encrypted by JavaScript to my server (if I could find a JavaScript class to do so). However, I figured that if somebody were listening between the form and my server, they could just as easily grab the md5-encrypted password and the username and use that combination to fake a login too. What would be the difference between sending a plaintext password and an encrypted one? The password used on that login form is not used anywhere else ... Am I right about this one?
Is there anything else I can do?
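The scheme described in the question, written out as PHP so the pieces can be seen together. This is an added example, not code from the original post; it implements the login flag, the `last_active` timestamp and the 15-minute idle check exactly as listed above, and adds the hardening a reviewer would ask for alongside them (a password hash built for passwords instead of MD5, a fresh session ID at login, cookie flags, and an absolute session lifetime). The PDO connection `$db`, the `users(username, password_hash)` table and the `/login.php` redirect target are assumptions for the sake of the example.

```php
<?php
// Added example, not from the original post.
// Assumed: a PDO connection $db and a table users(username, password_hash),
// where password_hash holds the output of password_hash($pw, PASSWORD_DEFAULT).

declare(strict_types=1);

const IDLE_TIMEOUT      = 15 * 60;      // 15 minutes, as in the post
const ABSOLUTE_LIFETIME = 8 * 60 * 60;  // assumed cap: re-login after 8 hours regardless of activity

function start_secure_session(): void
{
    // HttpOnly keeps script from reading the session ID, Secure sends it only
    // over HTTPS, SameSite=Lax blocks most cross-site reuse of the cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Login form handler: verify the password, then mark the session as logged in.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() against a password_hash() value instead of comparing MD5
    // digests: MD5 is unsalted and fast, so stored MD5 hashes are cheap to crack.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a new session ID on login so an ID that was set or observed before
    // authentication does not turn into a logged-in session.
    session_regenerate_id(true);
    $_SESSION['logged_in']   = true;
    $_SESSION['last_active'] = time();
    $_SESSION['created']     = time();
    return true;
}

// Run on every page: the idle check from the post, plus an absolute lifetime,
// then refresh the activity timestamp.
function require_login(): void
{
    $now = time();
    $expired = !isset($_SESSION['logged_in'], $_SESSION['last_active'], $_SESSION['created'])
        || $_SESSION['logged_in'] !== true
        || ($now - $_SESSION['last_active']) > IDLE_TIMEOUT
        || ($now - $_SESSION['created']) > ABSOLUTE_LIFETIME;

    if ($expired) {
        logout();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_active'] = $now;
}

// Clear server-side state and invalidate the cookie, not just the flag.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

Two points the code makes concrete. First, the idle timer in the question is refreshed on every request, so a session ID that has been taken over stays valid for as long as whoever holds it keeps sending requests; the `created` timestamp is what actually bounds that, and the rest of the protection has to come from keeping the ID secret (HTTPS and the HttpOnly flag). Second, the example does not hash the password in the browser, for the reason given in the question itself: a digest captured on the wire logs in just as well as the password it was computed from, so client-side MD5 changes nothing about what an eavesdropper can replay.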