I didn't get why the session is being started at the very start. I've created a simple login form in PHP without CSRF protection; there I used to start the session only when the user-entered credentials are correct. Please help me dispel my confusion.
Either way is good. session_start() only creates the session file on the server, but the key and value are created after the user enters the correct credentials.
Great tutorial, thanks. I tried a couple of others before finding yours and yours is definitely far better.
So where you set the $max_time, if you set it to 300, which is in seconds, that will be 5 minutes?
5 minutes means 5*60, right?
@@worldfap either way works, 5*60 = 300
Create a CSRF token for every form request, or only create a token when the user logs in?
For every POST method.
MD5 is not guaranteed security.
Can I get the source code?