Quote:
***** SET/CHANGE PASSWORD *****
$salt = md5(time());
$salted_password = hash('sha256', $salt . $_POST['password']); // Hash the password
Insert $salt and $salted_password into the database user table
***** LOGIN *****
Pull salt from database
Prepend salt to submitted password, generate SHA256 hash to compare against password from db
Attempt to pull user record from database using username submitted and password hash just generated:
"SELECT * FROM usertable WHERE user = '...' and password = '...' LIMIT 1" (username and password values are escaped)
If row count is less than one, present error message and close page.
Otherwise, set cookies, user is logged in.
Am I on the right track here? From what I've read, a sha256 hash with a unique salt of 32 characters would be pretty robust, but I'd like to have someone else look at this to tell me if there's some glaring, or even subtle, logical error here.
