Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Use URL Query String to Authenticate in PHP

Normally When I design a site that allow users to login, I create session variables of the user info from the database and ensure that at least one of the session variable is available on each page of the site, else the user would be redirected to the login page like this:

if(!isset($_SESSION['username']))
{
  header("Location:login.php");
}

But then I've been thinking lately, instead of using session variables to authenticate users, why not use the query string. My idea is to create a unique string which is based on some factors, like date(month, year, day) or access time(day, hour) or ip address, and maybe hash it using md5 so the url might look like this

://mysite.com/dashboard?auth=12jsdnnau819wiskj3jdnck23ksj12j3.

So now I can easily logout a user if he has not accessed the site for more than one hour or more than one day. But I do not know if this is a good idea, that is why i am here, to seek for advice on a better way to go. Thanks all.


1 Answers

Because URLs:

  • Leak easily
  • Get bookmarked
  • Don't carry their data over automatically when the user opens a new tab and navigates back to the site

and because nothing is stopping you from storing the same data in a session and using that to easily logout a user so it doesn't even add the one benefit you highlight.

like image 105
Quentin Avatar answered Jul 05 '26 18:07

Quentin



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!