Please Critique my PHP authentication efforts

Backend · Unresolved · 6 · 490
你的背包 2021-02-01 09:42

After posting this a while back, I decided to create my own Registration / Authentication capability in PHP. I'd love anyone to point out the flaws / opportunities for improve

6 replies
  •  生来不讨喜
    2021-02-01 10:28

    1. Why 6 characters? Make it bigger and require a minimum of 6 (or more) characters. There is no excuse for limiting the number of characters in the password to 6.

    2. Put more than the user name in the session. But to do this safely, you must change the salt on every login:

    A. From the login page: Take name and password, verify with the existing salt. If valid, update the user table salt and password with a new salt (you have the password from the user, so you can md5 it and the salt again). Write the md5 of the password to the session.

    B. From any other page: compare the user and hashed password against the database. If they don't match, redirect to the login page.

    The flaw with this idea is the user cannot maintain logins on multiple machines/browsers.

    Your registration system needs work too. How do you know the email address is valid? How do you know the user registering owns the email address? You must send email to the address containing a link back to your site, which must be clicked before you allow the account access to anything. Otherwise someone can sign up under someone else's email address, make fraudulent claims as that person, or just cause your site to spam that person, getting your site shut down.

    You also might want to investigate CAPTCHA to limit scripted registrations.
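The following PHP is an added example that is not code from the original post or from the reply above. It implements the structure the reply describes (a registration step that requires the emailed verification link to be clicked, a login page that stores more than the user name in the session, and a per-page check of the session against the user table) with two substitutions named here: `password_hash()`/`password_verify()` replace the md5-plus-salt scheme, and a per-user `session_version` counter replaces rotating the salt on every login, so the user keeps working sessions on several machines until a password change bumps the counter. The `$users` array stands in for the user table, `$session` stands in for `$_SESSION`, and the verification URL host is a placeholder; in a real deployment the link would be sent with `mail()` and `session_regenerate_id(true)` would be called on login.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Assumptions: $users is an in-memory
// stand-in for the user table, $session stands in for $_SESSION, password_hash()
// replaces md5+salt, and a per-user session_version replaces per-login salt rotation.

const MIN_PASSWORD_LENGTH = 12; // chosen for this example; the reply asks for at least 6

function registerUser(array &$users, string $email, string $password): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email address is not syntactically valid');
    }
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        throw new InvalidArgumentException('password must be at least ' . MIN_PASSWORD_LENGTH . ' characters');
    }
    if (isset($users[$email])) {
        throw new RuntimeException('email address already registered');
    }
    $token = bin2hex(random_bytes(32)); // 256-bit one-time token that goes out by email
    $users[$email] = [
        'hash'            => password_hash($password, PASSWORD_DEFAULT),
        'verified'        => false,
        'verify_token'    => hash('sha256', $token), // store only a hash of the token
        'verify_expires'  => time() + 3600,
        'session_version' => 1, // bump to invalidate every existing session
    ];
    // Placeholder host; a real site would mail() this link instead of returning it.
    return 'https://example.invalid/verify.php?email=' . rawurlencode($email) . '&token=' . $token;
}

function verifyEmail(array &$users, string $email, string $token): bool
{
    $row = &$users[$email];
    if ($row === null || $row['verified'] || $row['verify_token'] === null || time() > $row['verify_expires']) {
        return false;
    }
    if (!hash_equals($row['verify_token'], hash('sha256', $token))) {
        return false; // constant-time compare of two equal-length hex digests
    }
    $row['verified']     = true;
    $row['verify_token'] = null;
    return true;
}

// Login page: check the password, then store identity plus the current session version.
function login(array &$users, array &$session, string $email, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $row = $users[$email] ?? null;
    // Always run password_verify so an unknown user costs the same time as a wrong password.
    $ok = password_verify($password, $row['hash'] ?? $dummyHash);
    if ($row === null || !$ok || !$row['verified']) {
        return false;
    }
    // With a real session: session_regenerate_id(true) here to prevent session fixation.
    $session = ['email' => $email, 'session_version' => $row['session_version'], 'logged_in_at' => time()];
    return true;
}

// Any other page: the session is trusted only if it still matches the user table.
function currentUser(array $users, array $session): ?string
{
    $email = $session['email'] ?? null;
    if ($email === null || !isset($users[$email])) {
        return null;
    }
    if ($users[$email]['session_version'] !== ($session['session_version'] ?? null)) {
        return null; // password changed or "log out everywhere": send to the login page
    }
    return $email;
}

function changePassword(array &$users, string $email, string $newPassword): void
{
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['session_version']++; // every existing session now fails currentUser()
}

// Constructed walk-through with an in-memory user table.
function check(bool $cond, string $what): void { if (!$cond) { throw new RuntimeException("failed: $what"); } }
$users = []; $session = [];
$link = registerUser($users, 'alice@example.com', 'correct horse battery staple');
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
check(login($users, $session, 'alice@example.com', 'correct horse battery staple') === false, 'unverified account cannot log in');
check(verifyEmail($users, $q['email'], $q['token']) === true, 'verification link works once');
check(verifyEmail($users, $q['email'], $q['token']) === false, 'verification link cannot be replayed');
check(login($users, $session, 'alice@example.com', 'correct horse battery staple') === true, 'login after verification');
check(currentUser($users, $session) === 'alice@example.com', 'other pages accept the session');
changePassword($users, 'alice@example.com', 'another long passphrase here');
check(currentUser($users, $session) === null, 'old session rejected after password change');
echo "all checks passed\n";
```

The verification token is stored only as a SHA-256 digest, so a read of the user table does not hand out usable links, and it expires after an hour. `hash_equals()` is used for the token comparison because a plain `===` on strings can leak timing. The `session_version` check is what makes step B of the reply work without the multi-machine drawback it mentions: all sessions stay valid until the counter is bumped, at which point every one of them is redirected to the login page.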
