Hi Jeff:

On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote:
> 
> Is it simply enough to just check that $_SESSION['user'] is present, and
> therefore, by that alone assume the user has logged in and should be granted
> access?  Or, should I be verifying the $_SESSION['user'] and
> $_SESSION['pass'] against the database on every page?

If you validate the user/pass before starting a session for the person,
then the existence of the session itself proves the person has logged
in.  No?  Passing/testing the password on each page is unnecessary and
poses security risks.

Disclaimer:  I don't use PHP's session functions for sessions.

What I do in my system is give everyone a session.  All folks who
haven't logged in are one user.  Once they log in, my session database
associates their UserID with their session.  The UserID isn't checked on
each page.  When access to a particular page needs to be limited, I
check their permission level (which is in another field of the session
database) to ensure they have the privileges needed to perform the
operation.

Enjoy,

--Dan

-- 
               PHP classes that make web design easier
        SQL Solution  |   Layout Solution   |  Form Solution
    sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
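The design described in the reply above, sketched in PHP as an added example (not code from the poster or his system): the password is checked once at login, the session row carries only a UserID and a permission level, and each restricted page consults that row alone. The in-memory arrays standing in for the session database and user table, the function names, and the sample accounts are assumptions; replacing the session id at login is an addition the message does not mention.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts standing in for the user table.
$users = [
    'alice' => ['id' => 7, 'level' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    'root'  => ['id' => 1, 'level' => 9, 'hash' => password_hash('s3cret-admin', PASSWORD_DEFAULT)],
];

// Stand-in for the session database: session id => row. No password is stored here.
$sessions = [];

// Everyone who has not logged in shares this one identity.
const ANONYMOUS = ['user_id' => 0, 'level' => 0];

function newSession(array &$sessions, array $row = ANONYMOUS): string
{
    $sid = bin2hex(random_bytes(16));   // unguessable identifier
    $sessions[$sid] = $row;
    return $sid;
}

// Check the password once. On success, bind UserID and level to a fresh session id
// and drop the old one, so an id known before login is useless afterwards.
function login(array &$sessions, array $users, string $sid, string $name, string $pass): ?string
{
    $u = $users[$name] ?? null;
    if (!isset($sessions[$sid]) || $u === null || !password_verify($pass, $u['hash'])) {
        return null;
    }
    unset($sessions[$sid]);
    return newSession($sessions, ['user_id' => $u['id'], 'level' => $u['level']]);
}

// Per-page check: only the session row is consulted, never the credentials.
function allowed(array $sessions, string $sid, int $minLevel): bool
{
    return isset($sessions[$sid]) && $sessions[$sid]['level'] >= $minLevel;
}

$sid = newSession($sessions);                                  // every visitor gets a session
var_dump(allowed($sessions, $sid, 1));                         // anonymous visitor, members page
var_dump(login($sessions, $users, $sid, 'alice', 'wrong'));    // failed login attempt
$new = login($sessions, $users, $sid, 'alice', 'correct horse');
var_dump(allowed($sessions, $new, 1));                         // logged-in user, members page
var_dump(allowed($sessions, $new, 9));                         // logged-in user, admin page
var_dump(allowed($sessions, $sid, 1));                         // pre-login session id, now retired
```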
