Hello there, I have a question about a login system for users on a website I am creating.
Firstly, I've decided to make my own, because a lot of the ones that are out there right now are too complicated or bloated for what I need it to do. I'm looking at a massive posting website; this website would have a lot of user interaction such as thumbs up/down on posts and thread creation.
Here is what I had in mind to create a login system... So, what I had in mind is to add a new column to my users database table and add a unique session ID; this could easily be created with the rand function to create a number from -1000000 to 10000000.
Once the user logs in, I would allocate a session variable to that user's account username. This number would be kept for the entire time he's logged on. There would also be a "keep me logged in" option to keep them logged in for a number of days or w/e. Anyways... so every time the user would post something, he would send that number out to check the validity of his user/session.
Example:
User TEST1 logs in with password test123.
Random number 1234551 is created and given back to the user as a session variable.
Scenario 1:
User creates a thread, sends a valid session ID of 1234551. Thread is accepted and posted.
Scenario 2:
A hacker or error occurs and session variable 1234552 is sent. This is wrong, so we redirect the user to the login page and ask for another login. If login is successful we reassign the session ID and post or w/e.
Having said that, would there be any conflicts or flaws in my logic? Permissions, exploits, etc.? I'm fairly new to PHP coding, but this seems like a valid login system.
Please let me know (kindly) your thoughts.
Thanks in advance!
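The flow sketched in the post (hand out a secret at login, send it back with every post, reject on mismatch), as an added example that is not the poster's code: it keeps the same shape but mints the value with random_bytes() instead of rand(), stores only a hash of it in the users table, compares it in constant time with hash_equals(), and gives it an expiry so "keep me logged in" is a longer lifetime rather than an unlimited one. The in-memory `$users` array, the column names and the two timeout values are stand-ins for the poster's real table and are assumptions.

```php
<?php
// Added example, not the original poster's code. The $users array is a
// constructed stand-in for the "users" database table mentioned in the post.

declare(strict_types=1);

const TOKEN_BYTES = 32;                  // 256 bits of entropy, not a rand() integer
const SHORT_SESSION_SECONDS = 3600;      // assumed: 1 hour for a normal login
const REMEMBER_ME_SECONDS = 86400 * 14;  // assumed: 14 days for "keep me logged in"

/** Constructed stand-in for the users table: username => row. */
$users = [
    'TEST1' => [
        'password_hash'      => password_hash('test123', PASSWORD_DEFAULT),
        'session_token_hash' => null,    // only a hash of the token is ever stored
        'session_expires_at' => 0,
    ],
];

/**
 * Log in: verify the password, mint a fresh random token, store only its
 * hash plus an expiry, and hand the raw token back to the client.
 * Returns the raw token, or null if the credentials are wrong.
 */
function login(array &$users, string $username, string $password, bool $rememberMe, int $now): ?string
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['password_hash'])) {
        return null;
    }
    // random_bytes() is a CSPRNG; rand() output is small and predictable.
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $ttl = $rememberMe ? REMEMBER_ME_SECONDS : SHORT_SESSION_SECONDS;
    // Storing the hash means a leaked users table does not hand out live sessions.
    $users[$username]['session_token_hash'] = hash('sha256', $token);
    $users[$username]['session_expires_at'] = $now + $ttl;
    return $token;
}

/**
 * Validate the token presented with a request (e.g. creating a thread).
 * True only if the hash matches in constant time and the session is unexpired.
 */
function isValidSession(array $users, string $username, string $token, int $now): bool
{
    if (!isset($users[$username]) || $users[$username]['session_token_hash'] === null) {
        return false;
    }
    $row = $users[$username];
    if ($now >= $row['session_expires_at']) {
        return false;
    }
    // hash_equals() avoids leaking the token through comparison timing.
    return hash_equals($row['session_token_hash'], hash('sha256', $token));
}

/** Invalidate the stored session, e.g. on logout or after a failed check. */
function logout(array &$users, string $username): void
{
    if (isset($users[$username])) {
        $users[$username]['session_token_hash'] = null;
        $users[$username]['session_expires_at'] = 0;
    }
}

// Walk through the two scenarios from the post.
$now = time();
$token = login($users, 'TEST1', 'test123', false, $now);
if ($token === null) {
    exit("login failed\n");
}

// Scenario 1: the client sends back the token it was given.
var_dump(isValidSession($users, 'TEST1', $token, $now));

// Scenario 2: a wrong token (last hex digit changed) is sent; the request is
// rejected and the user would be sent back to the login page.
$wrong = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
var_dump(isValidSession($users, 'TEST1', $wrong, $now));
if (!isValidSession($users, 'TEST1', $wrong, $now)) {
    logout($users, 'TEST1');   // drop the old session before asking for a fresh login
}

// Even the right token is rejected once the short session has expired.
$token = login($users, 'TEST1', 'test123', false, $now);
var_dump(isValidSession($users, 'TEST1', $token, $now + SHORT_SESSION_SECONDS + 1));
```

Two points the scenarios in the post do not cover but this layout handles: a failed check clears the stored hash, so the next successful login always issues a new token rather than reusing the old one, and the expiry column is what makes the "keep me logged in" option safe to offer, since the same token cannot stay valid indefinitely.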