
What is the best way to make PHP login really secure?

I'm now using just `SESSION["logged"] = "true";` after I check the password (SHA256 with salt), and the whole time the user is logged in I am just checking this SESSION value.

Is it more secure to save some hash into the database + session, and after checking the password, check the hash too?

  • Use the two password functions provided by PHP ([password_hash](http://php.net/manual/en/function.password-hash.php), [password_verify](http://php.net/manual/en/function.password-verify.php)). Is there a more secure way? Sure, use OAuth2 so you're not managing sensitive passwords. – Dave Chen Oct 28 '17 at 16:28
  • You could track the IP, and require re-login if the IP changes. But IP addresses can be spoofed. That said, it can be good to prevent account sharing, multiple users on the same account at the same time, etc. But that really depends on your application. – ArtisticPhoenix Oct 28 '17 at 16:31
  • I am not speaking primarily about the hashing system, but about the way to tell the server when a user is logged in. Is there a more secure way than just SESSION? I heard that SESSION is not very secure in this plain way. –  Oct 28 '17 at 16:32
  • A really secure way is to not make it yourself. Instead use a framework like Laravel which handles all this for you. – SuperDJ Oct 28 '17 at 16:37
  • @chris85 Oh thanks, this is what I needed but didn't find :D You can place it as an answer :) –  Oct 28 '17 at 16:37
  • @D3admau5 I've marked it as a dup; it's not my work, so I don't want to copy it. If you find answers on the other threads useful, please upvote them. This helps the community. – chris85 Oct 28 '17 at 16:41
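A minimal version of the flow the question and the first comment describe (password_hash/password_verify for the credential check, then login state kept in the session), as an added example that is not from the question or its commenters. It assumes the site is served over HTTPS, PHP 7.3+ for the array form of session_set_cookie_params, and an in-memory `$users` array standing in for the database table:

```php
<?php
// Added example, not code from the question or its commenters: replaces the
// hand-rolled SHA256+salt check with password_hash()/password_verify() and stores
// the authenticated user's id in the session instead of a "logged" = "true" flag.
// $users is a constructed stand-in for a database table; its hash is built at runtime.
declare(strict_types=1);
// Harden the session cookie before the session starts (assumes HTTPS).
session_set_cookie_params([
    'lifetime' => 0,       // expires when the browser closes
    'secure'   => true,    // never sent over plain HTTP
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session ids the server never issued
session_start();
/** Constructed users table: id => ['username' => ..., 'hash' => ...]. */
$users = [
    42 => ['username' => 'alice',
           'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];
/** Verify credentials; on success rotate the session id and record who is logged in. */
function login(array $users, string $username, string $password): bool
{
    foreach ($users as $id => $row) {
        if ($row['username'] === $username && password_verify($password, $row['hash'])) {
            session_regenerate_id(true);   // fresh id on login defeats session fixation
            $_SESSION['user_id']  = $id;   // store which account is logged in, not "true"
            $_SESSION['login_at'] = time();
            return true;
        }
    }
    return false; // same answer for an unknown user and a wrong password
}
/** The per-request check: the logged-in user's id, or null after a 30-minute timeout. */
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'])) {
        return null;
    }
    if (time() - $_SESSION['login_at'] > 1800) {
        $_SESSION = [];
        session_destroy();   // stale session: force a fresh login
        return null;
    }
    return $_SESSION['user_id'];
}
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(currentUserId());
```

The per-request check reads only `$_SESSION['user_id']`, so the password hash never has to be re-verified or copied into the session as the question proposes; rotating the id at login and rejecting unissued ids is what protects the session itself.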
