Hello community, I’m fairly new to PHP, so any guidance is pretty much appreciated. Currently I’m trying to implement a login page. I started to think that identity authentication (email + pass) wasn’t good enough to prevent someone from accessing pages that require the user to log in (by directly accessing the script file). For example, adding posts, managing users, etc.
And as far as I’m concerned, this goes through my mind:
<?php
session_start();

class Token {
    private $upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private $lower = "abcdefghijklmnopqrstuvwxyz";
    private $num = "0123456789";
    private $alphaLen = 26;
    private $numLen = 10;
    private $key = "";

    function __construct() {
        // Build a 10-character key; each position is an upper-case letter,
        // a lower-case letter or a digit, chosen at random
        for ($i = 0; $i < 10; $i++) {
            $x = rand(0, 2);
            switch ($x) {
                case 0:
                    $r = rand(0, $this->alphaLen - 1); // rand() bounds are inclusive
                    $this->key .= $this->upper[$r];
                    break;
                case 1:
                    $r = rand(0, $this->alphaLen - 1);
                    $this->key .= $this->lower[$r];
                    break;
                case 2:
                    $r = rand(0, $this->numLen - 1);
                    $this->key .= $this->num[$r];
            }
        }
    }

    function getKey() {
        return $this->key;
    }
}

$t = new Token();
$token = $t->getKey();
$_SESSION['auth'] = $token;
setcookie('token', $token, 0);

// Below is code for other PHP script
session_start();
// Compare the cookie against the same session key the first script stored
if (!isset($_COOKIE['token']) || !isset($_SESSION['auth'])) {
    echo 'Hotlinking';
} else if ($_COOKIE['token'] !== $_SESSION['auth']) {
    echo 'Hotlinking';
} else {
    echo 'good';
    // script goes here
}
Is this acceptable in terms of security? Or perhaps is there any better way to do so?
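For comparison, here is an added example (not the poster's code) of the same gate built on the PHP session itself rather than a second hand-rolled cookie, with the token drawn from random_int() and compared with hash_equals(). Function names and the 'user_id' / 'csrf_token' session keys are assumptions for the example.

```php
<?php
// Added example, not the poster's code: session-based login gate plus a
// CSPRNG token helper. Function names and session keys are hypothetical.

declare(strict_types=1);

// Generate an unpredictable token from the same alphabet the post uses,
// but with random_int() (a CSPRNG) instead of rand().
function generateToken(int $length = 32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;   // random_int() bounds are inclusive
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[random_int(0, $max)];
    }
    return $token;
}

// Constant-time comparison so a mismatch does not leak timing information.
function tokensMatch(string $expected, string $given): bool
{
    return hash_equals($expected, $given);
}

// Call this only after the email/password check has succeeded.
function loginUser(int $userId): void
{
    session_regenerate_id(true);          // fresh session id on privilege change
    $_SESSION['user_id']    = $userId;
    $_SESSION['csrf_token'] = generateToken();
}

// Put this at the top of every script that requires a logged-in user.
// The session cookie is the credential; no separate 'token' cookie is needed.
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
}

// Usage in a form-handling script such as "add post":
session_start();
requireLogin();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!tokensMatch($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... handle the post ...
}
```

The login form itself would embed $_SESSION['csrf_token'] as a hidden field so the POST handler can verify it.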