I have a basic site I'm using to test my programming method and I want to get a semi-decent secure way of keeping people logged in. Here is the code for register.php.
$username = $_POST["username"]; //username stored plaintext
$passhashed = crypt($_POST["password"], $username); //hashed password salted with username
$rnum = rand(1000,9999); //assign random 4-digit number
$authkey = crypt($rnum, $passhashed); //unique authentication key per user, hashed and salted with hashed password
//insert into SQL
When they log-in, $username, $passhashed, and $authkey is stored in $_SESSION data.
At the top of every single page I have the following snippet of code:
if(isset($_SESSION["username"])
&& isset($_SESSION["password"])
&& isset($_SESSION["authkey"])) {
$verifyuser = $db->prepare("
SELECT *
FROM users
WHERE username = :user
AND password = :password
AND authkey = :authkey
");
$verifyuser->execute(array(
':user' => $_SESSION["username"],
':password' => $_SESSION["password"],
':authkey' => $_SESSION["authkey"]));
if($verifyuser->rowCount() != 1) {
unset($_SESSION["username"]);
unset($_SESSION["password"]);
unset($_SESSION["authkey"]);
}
}
Basically on any given page, it performs a check that each piece store in $_SESSION clears with SQL, and if not (if any of the checks fail, will give a rowCount of not 1), it drops the session.
I'll be the first to admit I'm not too familiar with contemporary security measures to evade session hijacking (in fact, I only have a loose command of how it is even done). That being said, how is this for a beginner programmer? What can I do different to make it more secure? Assign a second authentication key at login, temporarily store it in SQL and make the same checks (new key per login)?
