What's the best way to secure a web site ( user name/password )

I have a web site that had users table and 'login' page sends the user input to "authentication page" which checks if it's the right user and authenticates the user. Now one problem that I might be facing is, I am passing user info through the url (query string), but, how if someone changes the url, they can get into other users's data? How should I secure this? any ideas?
One soulution that I have is, passing the user info aftre hasing it (hash()) so that it's not that easy to hack/guess what info is being passed.
Just wondering if someone has a better way of doing this, any example, sample code will be helpful.
thanks much.
awarraicAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

steezyCommented:
instead of using $_REQUEST or $_GET, change your HTML form to method="post" and use the $_POST superglobal array.

POST does not add variables to the query string.

http://www.w3schools.com/php/php_post.asp
0
awarraicAuthor Commented:
I am using form just to sent the info to "authentication" page and then I am just redirecting (header) along with the query string which shows up in the URL. So, I am not using form in the "authentication" page. If that will be form, you are right, 'll definately use Post.
0
steezyCommented:
So you are passing user data FROM the authentication page TO the page that people go to after they are authenticated?

If this is the case, use sessions. After the credentials are checked, start a session using session_start();

You must have session_start(); at the beginning of every logged in user page.

After the session is created, you can set session variables like this: $_SESSION['name'] = "joe"; $_SESSION['userlevel'] = "3";

and so on... A cookie is set on the browser called PHPSESSIONID that only contains a unique number that refers to a session stored on the server.

On your logout page, you should use session_destroy();
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
maflo13grCommented:
Even if you use post or get, you are still passing them unencrypted to the server.
What you could it is use some client side javascript and encrypt the username/pass so as not to pass it unecrypted to the http post/get. This will make things more difficult to hijack. Still not being the optimum solution.
Moreover you could sanitize and validate the passed data on the server side so as not to allow any sql injection taking place that i guess you are afraid off.
Finally for avoiding a bot script to repeatedly call your page trying to inject it you can add a captcha script to avoid bots.
You could also add a timed delay, and disable for instance 5 wrong tries of logging in puting a 1 minute delay. This will also prohibit any hijackers from contuing to try
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.