Please Critique my PHP authentication efforts

Backend · Unresolved · 6 replies · 549
你的背包 2021-02-01 09:42

After posting this a while back, I decided to create my own Registration / Authentication capability in PHP. I'd love anyone to point out the flaws / opportunities for improve

6 replies
  •  灰色年华
    2021-02-01 10:08

    My concern is could someone write to the session, and thus be able to access people's pages if they know the username they signed up with? How would you go about preventing this?

    I'm not sure what you mean. How would somebody "write to the session"? The session is [usually] a file stored on the server that the client cannot view or modify.

    If you are concerned about session hijacking (aka fixation), then you need to enable SSL and disable session IDs in the URL string. (See php.ini's session.use_only_cookies)

    4 - On every request, I use the username stored in the session to query the database and read the site name associated with this user. I then compare this to the site name in the URL itself, and if they match I set a variable which is accessible to the rest of the script (not a global variable, it's just readable by my controller which decides if a user can see a particular page). If the two site names don't match, the user is redirected back to login.

    This sounds like the biggest concern. What does the site name look like? How exactly are you matching it against the URL? With a regex?

    Some more details on this aspect would be good, because if your access control is flawed then the quality of your authentication doesn't matter too much.
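As an added example (not code from the question or this answer), here is one way to apply the two points above in PHP: the cookie-only session settings the answer mentions, a fresh session ID on login against fixation, and an exact rather than regex-based match of the site name from the URL against the one stored for the user. It assumes a PDO connection `$pdo` and a hypothetical `users` table with `username` and `site_name` columns.

```php
<?php
// Added example; assumes $pdo (PDO) and a hypothetical users(username, site_name) table.
declare(strict_types=1);

// The php.ini options the answer refers to, applied at runtime before session_start().
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
ini_set('session.cookie_httponly', '1');  // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');    // cookie only sent over HTTPS
ini_set('session.cookie_samesite', 'Lax');
session_start();

/** Call right after the password check succeeds. */
function loginUser(string $username): void
{
    // A new ID discards any ID an attacker could have planted before login (fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

/** Site name from the request path, e.g. "/acme/dashboard" gives "acme", or null. */
function siteNameFromUrl(string $path): ?string
{
    $segments = explode('/', trim($path, '/'));
    // Allow only a narrow character set; anything else is treated as no site name at all.
    return isset($segments[0]) && preg_match('/\A[a-z0-9-]{1,64}\z/', $segments[0])
        ? $segments[0]
        : null;
}

/** True only if the logged-in user's stored site name equals the one in the URL. */
function userMaySeeSite(PDO $pdo, string $requestPath): bool
{
    if (empty($_SESSION['username'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT site_name FROM users WHERE username = ?');
    $stmt->execute([$_SESSION['username']]);
    $siteFromDb  = $stmt->fetchColumn();
    $siteFromUrl = siteNameFromUrl($requestPath);
    // Exact, constant-time comparison: no prefix, substring or pattern matching.
    return is_string($siteFromDb) && $siteFromUrl !== null
        && hash_equals($siteFromDb, $siteFromUrl);
}

// Controller guard: deny and send back to login unless the site names match exactly.
$path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if (!userMaySeeSite($pdo, $path)) {
    header('Location: /login');
    exit;
}
```

The `ini_set` calls only take effect if no session has been started yet, so they must run before any code that calls `session_start()`.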
