Is this a decent simplistic PHP user login script?

brandonr

I'm creating a web app that requires a rather simplistic user management system that they can login to and do a few things. In the mySQL user db I have all the standard fields (for the user db) plus a unique ID field that's randomly generated whenever they register.

When they login I store two cookies on their system, one that's their user id and one that's their unique id. Before doing anything the system first makes sure they're logged in (checks that the cookies exist) and then it checks the unique id against the user id to make sure they match. If they don't it won't allow the action and delete their cookies.

Is this a good system or are there some glaring security holes in it? Of course I didn't want to base it right off the user id (since anyone can change that value in the cookie) and I figured this was a slightly better method. Ideas?

middleman666

why not just check it against your database?
and maybe add an encrypted password field?
look into using start session(); function, add it to the pages you want the user to be able to view and do a simple check to see weather the user has started a session, if they have, let them view the page, if not, send them to login.

jodie

I'd look at a session-based login for this project. Store their username as the primary key in the database, then, when they login, check the details. If it's matched OK, start a session, and store their username as a session variable.

i.e.
session_start()
$_SESSION['username'] = $user_name_from_db;

Every page that requires a login just needs to check for the existence of the session variable, if not, it redirects them to login.

i.e.
session_start()
if(isset($_SESSION['username'])){
// user logged-in, proceed
} else {
// user not logged-in, redirect
}