I have a classifieds website, and I am about to create a members login section of the site.
I don't need anything advanced, just secure!
This is what I need in terms of functionality:
- Website being able to recognize members so they don't have to log in again (remember me)
- Changing of their passwords and profiles
- Logout page which removes the "remember me" so that website doesn't recognize next visit as "logged in"
- Users being able to navigate while still logged in (kind of like the first functionality with "remember me" feature)
This is what I am thinking:
Create a MySQL (I use MySQL btw) table which contains usernames, passwords, etc.
Then create a "SESSION" in PHP and set a cookie to remember the user. This cookie will have something like this value in it:
md5(IP.username.secret_word)
which I compare on top of each page so that the user is in fact the same user.
Next I need a logout page, which I am thinking of just deleting this cookie and destroying the session. Should that be enough?
As for the still logged in feature, I will use the same method as the first remember me, which is to check for the cookie.
Is there anything I need to think about before doing this?
SQL injection, hacks, security flaws?
This isn't a bank or something which needs a lot of security, but I would feel much better knowing it isn't easy to hack it.
One thing I am not sure about is the Session cookie. Is it any different from a regular cookie? Is it this cookie I should set when I use the "remember" feature?
Also, another last thing: If say 100 users are logged in at the same time, it means 100 sessions are running, will this slow down the performance of the website? (guessing yes).
Correct me, give me advice and information on how it is best done?
Thanks
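The following is an added example, not code from the question above, showing how the "remember me", "stay logged in" and logout pieces the question describes fit together in PHP with MySQL. Instead of a deterministic cookie derived from the IP, username and a secret, it stores a random selector/validator token pair per login, keeps only a hash of the validator in the database, and uses prepared statements throughout. The table names `users` and `auth_tokens`, their columns, the `$pdo` connection and the cookie name are assumptions for the example; it also assumes `session_start()` has already been called on every page.

```php
<?php
// Added example (not from the original question). Assumes a PDO connection in $pdo,
// a table users(id, username, password_hash) and a table
// auth_tokens(selector, validator_hash, user_id, expires). All of these names are hypothetical.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';          // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;      // 30 days, then the token must be re-issued

// Store only a salted, slow hash of the password, never the password or a bare md5.
function register(PDO $pdo, string $username, string $password): int {
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $pdo->lastInsertId();
}

// Normal login: prepared statement against injection, password_verify for the hash,
// and a fresh session id so a session fixed before login cannot be reused.
function login(PDO $pdo, string $username, string $password, bool $remember): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    if ($remember) {
        issueRememberToken($pdo, (int) $row['id']);
    }
    return true;
}

// "Remember me": a random selector (lookup key) plus a random validator (the secret).
// Only the validator's hash is stored, so a copy of the table does not yield usable cookies.
function issueRememberToken(PDO $pdo, int $userId): void {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;
    $stmt = $pdo->prepare(
        'INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Run at the top of each page: if there is no live session, try the remember-me cookie.
function loginFromRememberCookie(PDO $pdo): bool {
    if (!empty($_SESSION['user_id'])) {
        return true;                                 // already logged in this session
    }
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($cookie, ':') !== 1) {
        return false;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $pdo->prepare('SELECT user_id, validator_hash, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return false;                                // unknown or expired token
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Selector known but validator wrong: treat as a stolen/guessed cookie and revoke
        // every persistent login for that account, forcing a fresh password login.
        $pdo->prepare('DELETE FROM auth_tokens WHERE user_id = ?')->execute([$row['user_id']]);
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// Logout: invalidate the token server-side, expire the cookie, and destroy the session.
// Deleting the cookie alone would leave the token valid if a copy of it exists elsewhere.
function logout(PDO $pdo): void {
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($cookie, ':') === 1) {
        [$selector] = explode(':', $cookie, 2);
        $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', [
        'expires' => time() - 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    $_SESSION = [];
    session_destroy();
}
```

On the session-cookie question: PHP's session cookie (`PHPSESSID` by default) is just a cookie that holds the session id; the session data itself lives on the server and normally ends when the browser closes, which is why a separate long-lived remember-me cookie like the one above is needed for the "recognize me next visit" feature. The example ties the two together by turning a valid remember-me token into a normal server-side session on the first request, so the rest of the site only ever checks `$_SESSION['user_id']`.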