login.php
[php]if (($_POST[‘username’] == $row[‘username’]) && (pwhash($_POST[‘password’]) == $row[‘password’]))
{
if ($row[‘account_status’] == ‘1’)
{
$_SESSION[‘auth’] = “7469a286259799e5b37e5db9296f00b3”;
$_SESSION[‘LoggedUser’] = $row[‘username’];
$_SESSION[‘expire_time’] = time()+10*60;
date_default_timezone_set('US/Eastern');
$last_login= date('m/d/Y');
mysql_query("UPDATE `debtor_register_users` SET `last_login`='$last_login' WHERE `username`='{$row['username']}' LIMIT 1") or die(mysql_error());
if (isset($_SESSION['previous_page']))
{
$redirect = $_SESSION['previous_page'];
unset($_SESSION['previous_page']);
header("location: $redirect");
}else
{
header("location: index.php");
}
}else
{
$msg = "<font face=\"Arial\" size=\"2\" color=\"red\">Account is not activated. Check your Email.</font>";
}
}else
{
$msg = "<font face=\"Arial\" size=\"2\" color=\"red\">Wrong Information Provided.</font>";
}
[/php]
header.php
[php]if ((@$_SESSION[‘auth’] !== “7469a286259799e5b37e5db9296f00b3”) && (!isset($_SESSION[‘auth’])))
{
//another layer of security goes here
// check if password match from database
//user is not logged in, redirect to login page
$_SESSION['previous_page'] = $_SERVER['SCRIPT_NAME'];
header("Location: login.php");
exit();
}else
{
if ($_SESSION[‘expire_time’] < time())
{
//user is logged in but has been inactive for 10 mins or more
$_SESSION[‘previous_page’] = $_SERVER[‘SCRIPT_NAME’];
header(“Location: login.php”);
} else
{
//update active time
$_SESSION[‘expire_time’] = time()+10*60;
}
}[/php]
Is this really secure for protecting my online website where I have really secret stuff?
any idea are welcome, please comment and stay your opinion im pretty sure i’m missing security measure for this login.