Writing, or rather, upgrade the management system for users of the website a small Internet store. In the process of working on the algorithm appeared four questions:
1. Is there any point when registering a new user send him a letter forcing you to activate your account by clicking on a link, or is it better to do without it?
2. For example, the user registered. Does it make sense for the login except username and password, provide the checkbox "Remember me" or remember all by default, minimizing the various issues?
3. If authorization is successful, I write in the session the username and double password hash from the database (in the database itself, stored in a double hash of the password), and cook in a token autologin:
$token = md5(time().$username);
setcookie('token', $token, time ( ) + 2592000, "/");
$res = $db->query("UPDATE users SET token = '".$token."' WHERE username = '".$username."'");
Different tutorials, sites and forums in different ways to solve this problem. Than cons of my decision? Whether has sense to add "salt", such as the password hash or token:
define('MY_SALT', 'KEJ2FHE#WJFHW758');
4. When you access each page I check for session data and then I have a mandatory request to the database, something like this:
if ( isset ( $_SESSION["username"] ) && isset ( $_SESSION["userpass"] ) ) {
$db->query("SELECT * FROM users
WHERE username = '".$_SESSION["username"]."'
AND userpass = '".$_SESSION["userpass"]."'
.....}
But some manuals and books do simply: if there is session data, show the page, if not — are not allowed while the database query is not, for example:
if(isset($_SESSION['user_data']))
$message[] = "Welcome, ". htmlspecialchars($_SESSION['user_data']['login']) ."! Glad to see You on the website";.........................
How do you think more intelligently? Thank you.