  1. #1
    Join Date
    May 2009
    Posts
    160

    best authentication method PHP5

    Earlier I would take username and password, match with db and on success redirect

    Code:
    session_register("myusername");
    On every page that is viewed I would include a file that checks if the session is registered or not.

    Now that session_register is deprecated, I did try to google a lot to see what would be the best way to authenticate. With the above method I always noticed lots of hacking, session hijacking happening.

    WHAT IS THE BEST AND MOST SECURED AND EFFICIENT WAY TO AUTHENTICATE. IS THERE AN OBJECT ORIENTED WAY OF ACCOMPLISHING THIS?

    thank you

  2. #2
    Join Date
    May 2002
    Posts
    10,943

    Re: best authentication method PHP5

    Always use session_name(), not session_register().
    If the post was helpful...Rate it! Remember to use [code] or [php] tags.

  3. #3
    Join Date
    May 2009
    Posts
    160

    Re: best authentication method PHP5

    Quote Originally Posted by PeejAvery View Post
    Always use session_name(), not session_register().
    Should I provide the name?

    Also what should I check for in other pages to make sure unauthenticated users do not access those pages?

  4. #4
    Join Date
    May 2002
    Posts
    10,943

    Re: best authentication method PHP5

    Always provide a name...unless you want session stealing and poor security.

    Upon logging in, save the current user to a session variable named user. Then check for that session variable at the beginning of every page.

  5. #5
    Join Date
    May 2009
    Posts
    160

    Re: best authentication method PHP5

    Quote Originally Posted by PeejAvery View Post
    Always provide a name...unless you want session stealing and poor security.

    Upon logging in, save the current user to a session variable named user. Then check for that session variable at the beginning of every page.
    Would the below be right?

    Code:
    // mysql query results in a match.
    
    $user = $data['username'];
    
    $_SESSION['user'] = $user;
    
    session_name($user);
    AND ON EVERY PAGE CHECK BELOW

    Code:
    if(isset(session_name($_SESSION['user'])))
    //good
    else
    //redirect to index.php
    Please correct me if it's not the most efficient way.

  6. #6
    Join Date
    May 2002
    Posts
    10,943

    Re: best authentication method PHP5

    It works...but instead of putting the code at the top of every page...create an authentication.php file and require it at the top of every page.

  7. #7
    Join Date
    May 2009
    Posts
    160

    Re: best authentication method PHP5

    Quote Originally Posted by PeejAvery View Post
    It works...but instead of putting the code at the top of every page...create an authentication.php file and require it at the top of every page.
    Yeah, I know it works....... Yeah, I will include it into a file, but is this the best way? I wish to know if there is a better way I can accomplish this.

  8. #8
    Join Date
    May 2002
    Posts
    10,943

    Re: best authentication method PHP5

    Yes. A required header file is the only way to assure security across all the pages.

  9. #9
    Join Date
    May 2009
    Posts
    160

    Re: best authentication method PHP5

    Quote Originally Posted by PeejAvery View Post
    Yes. A required header file is the only way to assure security across all the pages.
    What do you mean by a required header file is the only way to assure security?

  10. #10
    Join Date
    May 2002
    Posts
    10,943

    Re: best authentication method PHP5

    If you don't require a header file at the top...then how do you expect to restrict its access? Other than .htaccess...but that excludes any database interaction.

  11. #11
    Join Date
    May 2009
    Posts
    160

    Re: best authentication method PHP5

    Quote Originally Posted by PeejAvery View Post
    If you don't require a header file at the top...then how do you expect to restrict its access? Other than .htaccess...but that excludes any database interaction.
    Gotcha... would session_destroy be the right way on a logout?

  12. #12
    Join Date
    May 2002
    Posts
    10,943

    Re: best authentication method PHP5

    Always.

  13. #13
    Join Date
    Sep 2010
    Posts
    5

    Re: best authentication method PHP5

    It may be interesting to keep your sessions in a database as well. On a shared server this may resolve security issues with other websites hosted on the same box.
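
The required authentication.php include and the logout step discussed in this thread, written out as an added example (not code posted by any participant). The cookie name `APPSESSID`, the `auth_*` function names and the HTTPS-only cookie setting are assumptions; `index.php` as the redirect target comes from the thread.

```php
<?php
// authentication.php -- added example, not code from the thread.
// Assumed names: APPSESSID and the auth_* helpers are illustrative.

function auth_start_session() {
    // session_name() sets the session *cookie* name (one fixed value for the
    // whole application) and must be called before session_start().
    session_name('APPSESSID');
    // lifetime 0 = until the browser closes; secure=true assumes the site is
    // served over HTTPS; httponly=true hides the cookie from page scripts.
    session_set_cookie_params(0, '/', '', true, true);
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_start();
}

// Call only after the username and password have been checked against the database.
function auth_login($username) {
    // Issue a fresh session ID at login so an ID planted or observed
    // before authentication is useless afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Guard for protected pages.
function auth_require_login() {
    if (!isset($_SESSION['user'])) {
        header('Location: index.php');
        exit; // without exit the rest of the protected page still executes
    }
}

function auth_logout() {
    $_SESSION = array(); // clear the data for the current request
    $p = session_get_cookie_params();
    // Expire the session cookie in the browser.
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy(); // delete the server-side session data
}

auth_start_session();
```

A protected page then begins with `require 'authentication.php'; auth_require_login();`, and the logout page calls `auth_logout()` before redirecting.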
