secure PHP login system?

Evolution16

New Member
I've been developing a PHP-based CMS for use on my robotics team's website. Sure, there's plenty of other platforms out there, but what's the fun in that? In all seriousness, though, we do receive extra points for being able to say that we did more than make a template for Drupal or WP. This is a bit unrelated, but I'd like to be able to release the CMS as FOSS one day, but it will definitely have to mature and be more secure. But I digress.

I've reached the point in developing this system where I need a login system. This has caused more frustration than I expected. I can be meticulous when it comes to security, and this isn't much of an exception. The problem is, I know how to take care of database security (trust no user input, store passwords as a hash with a random salt, etc.), but I lack the knowledge to make a good client-server system. A few questions in this regard: How secure would it be to use session variables? How would one implement session variables correctly in this regard? Should the session cookie be regenerated at every pageview? You give up much security when using cookies to keep the user logged in for any amount of time, but what are the best practices for implementing this kind of system?

A good tutorial on this subject would greatly help, also.

Thanks for your time.
 