Can anyone bypass my login page? If they can bypass it, how will they do it?
<?php
session_start();
if(isset($_SESSION['login']) == "Owner" or isset($_SESSION['login']) == "admin"){
echo 'login In';
}
?>
Storing the login status in the session variable is certainly a decently secure thing to do; however, it's not sufficient all by itself. If someone was able to access the session tables (which is apparently doable in a shared hosting environment) and find the session ID of someone who is logged in, they could hijack the session. So more security is needed. (Google "Session Hijacking" for more information on what it is and how it's done.)
I'm no security expert, but a few things I've done include recording their IP address and Client data, and checking those on each page load. If they're suddenly coming from a different IP address or using a different browser, then I log them out right away. However, as @Barmar noted, mobile devices can change IP addresses during a session, so this is probably not a good practice.
It would also be important to be using a secure connection (https) over TLS. If not, a man-in-the-middle could simply watch the packets going back and forth, pick up the username and password, and log in for themselves.
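An added example, not code from the question or the answer: it puts the question's condition next to a strict role check, since `isset()` returns a bool and `true == "Owner"` is true under PHP's loose comparison, so any value stored in `$_SESSION['login']` passes. It also sketches the client-data binding and HTTPS-only cookie the answer describes. The function names, the `ua_hash` session key and the `guest` role are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Roles allowed past the gate (values taken from the question's code).
const PRIVILEGED_ROLES = ['Owner', 'admin'];

// The question's condition, reproduced for comparison: the stored role is
// never inspected, only whether the key is set.
function original_check(array $session): bool
{
    return (isset($session['login']) == "Owner" or isset($session['login']) == "admin");
}

// Strict check: the value must be a string and exactly one of the roles.
function strict_check(array $session): bool
{
    $role = $session['login'] ?? null;
    return is_string($role) && in_array($role, PRIVILEGED_ROLES, true);
}

// Binds the session to the client data the answer mentions (User-Agent only;
// IP is left out because mobile clients change address mid-session).
// 'ua_hash' is a hypothetical key that would be stored at login time.
function client_matches(array $session, string $userAgent): bool
{
    $expected = $session['ua_hash'] ?? null;
    return is_string($expected) && hash_equals($expected, hash('sha256', $userAgent));
}

// Options for session_set_cookie_params(), called before session_start():
// cookie sent over HTTPS only, hidden from JavaScript, not sent cross-site.
function session_cookie_options(): array
{
    return ['secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/'];
}

// Constructed sample sessions (hypothetical values, not from the page).
$samples = [
    'no session'   => [],
    'role "guest"' => ['login' => 'guest'],
    'role "admin"' => ['login' => 'admin'],
];
foreach ($samples as $label => $session) {
    printf("%-14s original=%s strict=%s\n", $label,
        var_export(original_check($session), true),
        var_export(strict_check($session), true));
}
```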