I'm building a website that's open to anyone for viewing and that only authorised users can modify, using the following pseudocode for handling logins.
Have I left any obvious holes?
login
  - read username & password, check against database
  - if they're correct
      - create pseudo-random session ID
      - store session ID on database
      - return session ID in cookie
          - cookie lasts 1 hour
          - session ID on database lasts 1 hour (script for removal?)
  - else user is not logged in, gets view privs only

checking login - to be done before any admin action
  - read session from cookie
  - if session exists on database, user is logged in, gets admin privs
  - else user is not logged in, gets view privs only
      - try to delete cookie

logout
  - delete database session
  - try to delete cookie
just another cpan module author
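One way to implement the three steps in the post (login, check, logout) with a one-hour server-side expiry, as an added example that is not the poster's code. It assumes an in-memory dict standing in for the database, PBKDF2 for password storage, and an explicit `now` parameter so expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 3600  # 1 hour, matching the cookie lifetime in the post

# Constructed stand-in for the user table: username -> (salt, pbkdf2 hash).
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"admin": (_SALT, _hash_pw("correct horse", _SALT))}

# Constructed stand-in for the session table: session_id -> (username, expires_at).
SESSIONS = {}


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a fresh session ID to put in the cookie, or None on bad credentials."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal which names exist.
    salt, stored = record if record else (_SALT, b"\x00" * 32)
    if record is None or not hmac.compare_digest(_hash_pw(password, salt), stored):
        return None
    session_id = secrets.token_urlsafe(32)  # CSPRNG output, not a guessable rand()
    SESSIONS[session_id] = (username, now + SESSION_TTL)
    return session_id


def check_login(session_id: Optional[str], now: Optional[float] = None) -> str:
    """Return 'admin' if the cookie names a live session, else 'view'.

    Expired rows are deleted on lookup, which answers the post's 'script for
    removal?' question: lazy expiry needs no separate cleanup job.
    """
    now = time.time() if now is None else now
    if session_id is None or session_id not in SESSIONS:
        return "view"
    _username, expires_at = SESSIONS[session_id]
    if now >= expires_at:
        del SESSIONS[session_id]  # stale row: treat exactly like no session
        return "view"
    return "admin"


def logout(session_id: Optional[str]) -> None:
    """Remove the server-side session; a surviving cookie is then worthless."""
    SESSIONS.pop(session_id, None)
```

Deleting the row on the server is what actually ends the session; clearing the cookie is only a courtesy to the browser, since the client may ignore the deletion.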