Hi guys, as a couple of you might know from my last post (if you read it), I am looking into making my site more secure.
Anyway, I have set up the login so that it sets a session, and when the user submits the login form it checks whether the session is active.
If the session is not active, it disables the form and asks the user to enable sessions.
If sessions are enabled, then the form is generated.
It then checks the username, not the password yet.
If the username is not correct, it adds 1 to a login-attempt variable in the session, and when it reaches 3 it locks the form and gives a message.
If the username exists, it then pulls the salt, pepper and password from the database so it can check them against the password given.
The passwords are mashed together with the salt and pepper and sha256 encrypted.
If the password does not match, it adds 1 to the login-attempt session variable, and when it reaches 3 it locks the form and gives a message.
If all is OK, it then does all the magic.
In case anyone is wondering how I am getting the username into the database query: I am using PDO prepared statements, which from what I have read take care of any nasty people.
Anyway, my question is: is this a secure way of doing things?
Thanks
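The flow described in the post, written out as a single PHP login handler. This is an added example, not the poster's code: the `users` table and its columns (`username`, `salt`, `pepper`, `password_hash`), the DSN and credentials, and the concatenation order `password . salt . pepper` are all assumptions; the post only says the values are "mashed together".

```php
<?php
// Added example (not the original poster's code). Hypothetical schema:
//   users(username, salt, pepper, password_hash)   -- column names are assumptions
session_start();

const MAX_ATTEMPTS = 3;

// Step 1: the form only works when a session is active.
if (session_status() !== PHP_SESSION_ACTIVE) {
    exit('Please enable cookies/sessions to log in.');
}

// Step 2: refuse to do any work once the session's counter has hit the limit.
$_SESSION['login_attempts'] = $_SESSION['login_attempts'] ?? 0;
if ($_SESSION['login_attempts'] >= MAX_ATTEMPTS) {
    exit('Too many failed login attempts; the form is locked.');
}

// One failure path for both "unknown username" and "wrong password", so the
// response does not reveal which usernames exist.
function record_failure(): void
{
    $_SESSION['login_attempts']++;
    if ($_SESSION['login_attempts'] >= MAX_ATTEMPTS) {
        exit('Too many failed login attempts; the form is locked.');
    }
    exit('Login failed.');
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Assumed DSN and credentials. Real prepares (no emulation) and exceptions on error.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Step 3: look the user up with a prepared statement. The username is passed
// as a bound parameter, never concatenated into the SQL text.
$stmt = $pdo->prepare('SELECT salt, pepper, password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    record_failure();   // unknown username counts as a failed attempt
}

// Step 4: recompute the stored hash the same way it was created.
// Concatenation order is an assumption; it must match what was used at registration.
$candidate = hash('sha256', $password . $row['salt'] . $row['pepper']);

// hash_equals() compares in constant time, so response timing does not leak
// how many leading bytes of the hash matched.
if (!hash_equals($row['password_hash'], $candidate)) {
    record_failure();
}

// Step 5: success. Issue a fresh session id (prevents session fixation),
// reset the counter and record the login.
session_regenerate_id(true);
$_SESSION['login_attempts'] = 0;
$_SESSION['user'] = $username;
echo 'Logged in.';
```

Three points a reviewer would raise against this flow as described, independent of the code above: a pepper is only useful when it lives outside the database (a config file or environment variable), so storing it in the same row as the salt adds nothing if the table leaks; a single plain SHA-256 over password, salt and pepper is a fast hash that an attacker with the table can brute-force at GPU speed, and PHP's `password_hash()` / `password_verify()` (bcrypt by default, with the salt handled for you) is the standard replacement; and a counter kept only in `$_SESSION` limits a client that keeps its session cookie, while a bot that drops the cookie on every request gets a fresh counter of zero, so a per-account or per-IP counter stored server-side is needed as well.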