Asaf

Reputation: 2035

Something about header() and security of forms

I'm building a login system and I'm also looking to make it a little more secure. I won't post my whole login process file as it's not done yet but I do need a short to-do-style list to make the whole system more secure. I know using PDO's prepared statements helps against SQL injections. I'm obviously also hashing the password with a salt. Is there anything else that's critical? Would really help me!

I also read somewhere that using header() is not recommended in forms. (for example: to redirect a user after the registration process is done.) Is this true or not? And what are some other alternatives?

By the way, the form data will be processed in another page obviously, and I was wondering if it's possible to send back errors from the process file (e.g. "The username is too short"). I know it's easily doable with jQuery's .post() and the callback function but I'm just curious :D

Upvotes: 0

Views: 95

Answers (2)

Nikola K.

Reputation: 7155

Here's my suggestion about a login system:

  • store user's ID in cookie
  • generate special token and hash+salt and store them in cookies
  • store everything in database
  • get data from cookies on every page load and try searching for them in database
  • if not found, then log out the user
  • change token on every page load

You can use header() to redirect a user, but also use die() or exit() after it, because if you don't use one of them, the rest of your code will continue executing.

Upvotes: 1
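The "user ID plus rotating token" scheme listed in the answer above, written out as an added example (not code from the answer's author). The `$db` array is a constructed stand-in for a database table of `(user_id, token_hash)` rows; in a real system each read and write of it would be a prepared PDO statement. The cookie names `uid` and `tok`, the redirect target `/login.php`, and the use of SHA-256 for the stored token hash are assumptions. Requires PHP 7.3+ for the `setcookie()` options array.

```php
<?php
// Added example: persistent login with a user ID cookie and a per-request
// rotating random token, as sketched in the answer. Not the answer's own code.
declare(strict_types=1);

// Constructed stand-in for the `login_tokens` table: user_id => sha256(token).
$db = [];

function issue_token(array &$db, int $userId): void
{
    // 32 bytes from the CSPRNG; the raw token only ever lives in the cookie.
    $token = bin2hex(random_bytes(32));

    // Store only a hash server-side, so a leaked table does not contain usable tokens.
    $db[$userId] = hash('sha256', $token);

    // HttpOnly keeps scripts away from the cookie, Secure keeps it off plain HTTP,
    // SameSite=Lax stops most cross-site requests from carrying it.
    $opts = ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/'];
    setcookie('uid', (string) $userId, $opts);
    setcookie('tok', $token, $opts);
}

// Returns the logged-in user ID, or null when the cookies are missing or invalid.
function check_login(array &$db, array $cookies): ?int
{
    if (!isset($cookies['uid'], $cookies['tok'])
        || !is_string($cookies['uid']) || !is_string($cookies['tok'])
        || !ctype_digit($cookies['uid'])) {
        return null;
    }
    $userId = (int) $cookies['uid'];
    if (!isset($db[$userId])) {
        return null;                        // no token on record: treat as logged out
    }
    // Constant-time comparison of the stored hash with the hash of the presented token.
    if (!hash_equals($db[$userId], hash('sha256', $cookies['tok']))) {
        return null;
    }
    // Valid: rotate the token on every page load, as the answer suggests.
    issue_token($db, $userId);
    return $userId;
}

function logout(array &$db, int $userId): void
{
    unset($db[$userId]);                    // invalidate server-side first
    $past = ['expires' => time() - 3600, 'path' => '/'];
    setcookie('uid', '', $past);
    setcookie('tok', '', $past);
}

// Typical use at the top of every protected page, including the header()+exit()
// point made in the answer: without exit the page body below would still run.
$userId = check_login($db, $_COOKIE);
if ($userId === null) {
    header('Location: /login.php');
    exit;
}
```

One caveat worth knowing before adopting per-request rotation: two requests from the same browser that overlap (a second tab, a prefetch) can race, with the second one presenting a token the first has just replaced and getting logged out. Rotating on login and on privilege changes, with a bounded lifetime in between, avoids that while keeping the main benefit of a stolen token being short-lived.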

Don

Reputation: 839

Sure, you can send back errors. For example, if you have

<form method="post" action="action.php">
  <input type="text" name="username" />
</form>

then in action.php, when checking the length of $_POST['username'], if it's too short, do something like

 print('<p class="warnings">The username is too short; it must be between X and Y characters.</p>');
 require('yourform.php');

where yourform.php contains the HTML for the form above.

Upvotes: 1
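An added example of what `action.php` could look like with the approach from this answer, collecting all validation errors and re-rendering the form with them (this is not the answer's own code). It assumes `yourform.php` holds the form shown above and echoes a `$prefill` variable inside the input's `value` attribute; `MIN_LEN`, `MAX_LEN` and the `/welcome.php` redirect target are constructed values. The one security point it adds to the answer is that anything echoed back into the page, including the user's own submitted value, goes through `htmlspecialchars()` first.

```php
<?php
// Added example: action.php validating the posted username, printing the
// errors, and re-including the form. Not the answer's own code.
declare(strict_types=1);

const MIN_LEN = 3;    // constructed limits; the answer leaves them as X and Y
const MAX_LEN = 20;

/** Validate the submitted fields; returns a list of human-readable error strings. */
function validate(array $post): array
{
    $errors = [];
    // A client can submit username[]=... and turn the value into an array; treat that as empty.
    $raw = $post['username'] ?? '';
    $username = is_string($raw) ? trim($raw) : '';

    $len = mb_strlen($username);
    if ($len < MIN_LEN || $len > MAX_LEN) {
        $errors[] = sprintf('The username is too short or too long; it must be between %d and %d characters.',
            MIN_LEN, MAX_LEN);
    }
    // Allow-list the character set instead of trying to enumerate bad characters.
    if ($username !== '' && !preg_match('/^[A-Za-z0-9_]+$/', $username)) {
        $errors[] = 'The username may only contain letters, digits and underscores.';
    }
    return $errors;
}

/** Render the errors as <p class="warnings"> blocks, escaping each string for HTML. */
function render_errors(array $errors): string
{
    $html = '';
    foreach ($errors as $e) {
        // The messages above are fixed strings, but escaping every echoed value is
        // the habit that keeps a later message that quotes user input from becoming XSS.
        $html .= '<p class="warnings">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    if ($errors !== []) {
        echo render_errors($errors);
        // Pre-fill the form so the user does not have to retype; escaped for the value="..." attribute.
        $raw = $_POST['username'] ?? '';
        $prefill = htmlspecialchars(is_string($raw) ? $raw : '', ENT_QUOTES, 'UTF-8');
        require 'yourform.php';   // assumed to output the form with value="<?= $prefill ?>"
        exit;
    }
    // ... create the account here (prepared statement, password_hash()) ...
    header('Location: /welcome.php');   // redirect after a successful POST so a refresh does not resubmit
    exit;                               // as the other answer notes, nothing below must run
}
```

Redirecting with `header()` after a successful POST is fine; the pattern to avoid is redirecting on validation failure and carrying the error text back in the URL, since that both loses the user's input and puts attacker-controllable text into a page that then has to escape it. Re-including the form in the same response, as the answer suggests, sidesteps both.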
