I don't have the time to fill out a full reply at the moment (I'll reply fully later), but a few immediate notes.
Sessions either use cookies or embed themselves in the URL. That is to say, cookies are all you really have, since session IDs in the URL are even more insecure. I'll cover a few things about using secure cookies when I get back.
crypt and MySQL's password() are both rather insecure, as is md5. Use PHP's SHA1 (or higher if you have the mcrypt/mhash extensions available). Make the MySQL row a varchar and add the hashed version of the password to the database. Then, when logging in, make sure that $pass_from_db == sha1($submitted_pass).
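The login check described in the post above, as an added example that is not part of the original post: the SHA-1 comparison as described (with hash_equals() in place of ==), beside PHP's built-in password_hash()/password_verify(), a swapped-in technique the post does not mention. The table layout, function names, user and password are constructed for illustration, and in-memory SQLite stands in for the MySQL table.

```php
<?php
// Added example. Constructed data; in-memory SQLite is a stand-in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// sha1() hex output is always 40 characters. password_hash() output can grow
// when PHP changes its default algorithm, so that column gets 255.
// Both columns exist here only so the two checks can be compared side by side.
$db->exec('CREATE TABLE users (name VARCHAR(64) PRIMARY KEY,
                               sha1_hex VARCHAR(40), pw_hash VARCHAR(255))');

function register(PDO $db, string $name, string $pass): void {
    $st = $db->prepare('INSERT INTO users (name, sha1_hex, pw_hash) VALUES (?, ?, ?)');
    $st->execute([$name, sha1($pass), password_hash($pass, PASSWORD_DEFAULT)]);
}

function fetchUser(PDO $db, string $name): ?array {
    $st = $db->prepare('SELECT sha1_hex, pw_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The check as the post describes it: unsalted SHA-1 of the submitted password
// compared with the stored value. hash_equals() is used instead of == so the
// comparison is a constant-time string compare with no type juggling.
function loginSha1(PDO $db, string $name, string $pass): bool {
    $row = fetchUser($db, $name);
    return $row !== null && hash_equals($row['sha1_hex'], sha1($pass));
}

// Hardened form: a salted, deliberately slow hash. password_verify() reads the
// algorithm, cost and salt from the stored string itself.
function loginPasswordHash(PDO $db, string $name, string $pass): bool {
    $row = fetchUser($db, $name);
    if ($row === null || !password_verify($pass, $row['pw_hash'])) {
        return false;
    }
    // Upgrade the stored hash transparently when PHP's default parameters change.
    if (password_needs_rehash($row['pw_hash'], PASSWORD_DEFAULT)) {
        $st = $db->prepare('UPDATE users SET pw_hash = ? WHERE name = ?');
        $st->execute([password_hash($pass, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

register($db, 'alice', 'correct horse battery staple');
var_dump(loginSha1($db, 'alice', 'correct horse battery staple'));
var_dump(loginPasswordHash($db, 'alice', 'correct horse battery staple'));
var_dump(loginPasswordHash($db, 'alice', 'wrong guess'));
```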