I have a simple login script that basically authenticates off the username and password from the db. Nothing too difficult.
I'm trying to improve my login scripts and session control, and would like some feedback.
Below is the code for login.php
<?php
// we must never forget to start the session
session_start();
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
require('includes/configure.php');
$userId = $_POST['txtUserId'];
$password = $_POST['txtPassword'];
// check if the user id and password combination exist in database
$sql = "SELECT user_id
FROM administrators
WHERE user_id = '$userId'
AND user_password = MD5('$password')";
$result = mysql_query($sql) or die('Query failed. ' . mysql_error());
if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the sessions
$_SESSION['db_is_logged_in'] = true;
$_SESSION['user'] = $userId;
// after login we move to the main page
header('Location: index.php');
exit;
} else {
$errorMessage = 'Sorry, wrong user id / password';
}
mysql_close($conn);
}
?>
And when we make it to index.php I have this in the top, to check if the session exists. If not, then it sends the user back to login.php
<?php
session_start();
header("Cache-control: private");
if (!isset($_SESSION['db_is_logged_in']) || $_SESSION['db_is_logged_in'] !== true) {
// not logged in, move to login page
header('Location: login.php');
exit;
}
?>
Looking at this code, is there anything that anyone would change, and why?
Also, is there a way to control session_start()? I notice that when I don't stay active I get logged out. How can I change the time for timing out? I'd like to be able to specify that in the db and change it at will for any site I create too. Is this possible?
thanks!
