Hello PHP experts, I am hoping that someone can shed some light on the subject of login security. I am a beginner and i do not know enough about backend programming. Before i babble, let me get to the point:
how is a check for a session variable supposed to be secure? so we simply match a username and password with a database record. I feel like hackers will have no problem getting by a challenge as simple as if (isset($_SESSION[‘username’])).
is it possible to use something like fiddler to set a username to anything, then gain access? i feel very uncomfortable with this method, yet i do not know what i can do to be certain that a user is authentic.
should we assign a secret pin number in a session variable as well? should we consistently check the database for a correct username? should we also verify that any username session variable has also submitted a valid password? should we also lock the session to the domain?
since we cannot see the source code for big corporations, i wonder if, say Microsoft, is challenging a login with a simple if (isset($_SESSION[‘username’]))?
how can this be secure? anyone have suggestions for a better authentication method?