I am creating an admin panel to log breakdowns, save tasks, log errors and much more. I currently have the following piece of code at the top of the screen, which checks whether a user is logged in; if not, they are sent to the login / create-a-user page.

<?php
session_start();

include 'login/config.php';

// Redirect anyone without a logged-in session to the login / create-user page.
if (!isset($_SESSION['username'])) {
    header('Location: login/index.php');
    exit();
}
?>

I feel that there may be better ways of doing this, and also more secure ways. A username and password are required to log in and get to the initial dashboard; user status levels and permissions will be added later on.

QUESTIONS:

How can I make the system more secure by improving the code or adding additional security features?

AND

How can I log to my SQL database when a user logs in and out of the admin system?

nlangerdev

2 Answers

As for security, I'm no expert there, so I'd rather wait and see what the other people tell you, since it's a very interesting topic. But I'll give you my thoughts anyway.

First of all, you should take care of SQL injections on your login: always validate the input data from the users, especially on CRUD operations. I think protecting your pages with sessions should be good enough, as long as the login itself is secure; for example, you could implement a system that blocks the IP after a few failed login attempts, etc.

About the second part, you can create a table, e.g. userlog, which would contain the fields you want: user_id, action (login/logout), time. Then every time the user logs in or out, you just insert a new record into the table. That piece of code would be located where you set/unset the session. Not sure about the efficiency of this method, but this is a way to implement what you are saying.

ruuux93
  • Thank you for the feedback. I have a table in the database called 'eventlogs', and there are a lot of components within the system that will require logging; however, the main one is the logging in and out initially. The fields are event name, event user, event category, and using the current timestamp feature it records the time of the log too. – nlangerdev Apr 15 '15 at 12:25
  • Would you by any chance know of a way to change my code above so that if they do not have a required user level, for example Manager then they can't access the page? I have a field in the database with permission levels but calling it for use is proving difficult. – nlangerdev Apr 15 '15 at 12:38
  • You are storing the `username` on a session, so if that field is `unique` in your database, you could build a query and fetch the user group of that user and then check it to access or not the page, same way you are checking that the session is set. You could always store the `user_id` instead of the username, that makes more sense to me. Or you could also store the user group on a session, but it's best practice to keep the session data low. Let me know if I was clear enough! – ruuux93 Apr 15 '15 at 15:02
  • Also, for security reasons you should *never* log login attempts to non-existent users. At least if you have some sort of interactive login. That non-existent user could be a password, and the next user who logs in could be the one that password belongs to. – Bjorn Munch Apr 15 '15 at 21:10
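The points raised in this answer and its comments (prepared statements against SQL injection, an insert into the asker's eventlogs table on login and logout, a role check in place of the bare isset(), and not logging failed attempts for unknown usernames) combined into one added example; this is not code from the question or either answer. It assumes a PDO connection in $pdo, a hypothetical users table with id, username, password_hash (stored with password_hash()) and role columns, and that session_start() has already been called as in the asker's snippet.

```php
<?php
// Added example, not code from the question or answers. Assumes session_start()
// already ran, $pdo is a PDO connection, table users(id, username, password_hash,
// role) exists, and the asker's eventlogs table has event_name, event_user,
// event_category and a timestamp column defaulting to CURRENT_TIMESTAMP.
function log_event(PDO $pdo, string $name, string $user, string $category): void
{
    // Prepared statement: values are bound, never spliced into the SQL text.
    $sql = 'INSERT INTO eventlogs (event_name, event_user, event_category) VALUES (?, ?, ?)';
    $pdo->prepare($sql)->execute([$name, $user, $category]);
}
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: verify against a throwaway hash so timing does not reveal valid names.
    $hash = $row !== false ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        // Log failures only for existing accounts: an unknown "username" may be a
        // password typed into the wrong field (Bjorn Munch's point above).
        if ($row !== false) {
            log_event($pdo, 'login_failed', $row['username'], 'auth');
        }
        return false;
    }
    session_regenerate_id(true);              // fresh id defeats session fixation
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['role']     = $row['role'];
    log_event($pdo, 'login', $row['username'], 'auth');
    return true;
}
function logout(PDO $pdo): void
{
    if (isset($_SESSION['username'])) {
        log_event($pdo, 'logout', $_SESSION['username'], 'auth');
    }
    $_SESSION = [];
    session_destroy();
}
// Page guard for the top of each admin page, e.g. require_role(['Manager']).
function require_role(array $allowed): void
{
    if (!isset($_SESSION['user_id']) || !in_array($_SESSION['role'], $allowed, true)) {
        header('Location: login/index.php');
        exit();
    }
}
```

Call logout() before session_destroy() runs elsewhere so the logout event is written while the username is still in the session.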
You can create a table like login_history which has the fields loginTime and logoutTime, set from the system time. When a user logs in, loginTime is inserted, and when they log out the record is updated with logoutTime.