You are also assuming that the session hasn't been hijacked.

Other things you can do are store the user's UserAgent in a session var 
and check it on every page (session spoofer MIGHT be using a different 
browser), and do likewise for IP address.  Although remember that AOL 
users will have problems with this, since their requests do not always 
originate from the same IP address.  There is a class on the zend 
website, called "Introduction to Classes" or something, that has a nice 
security class you can use.

But to answer your question, I don't think you need to check another 
session variable to see if they're logged in.  If they have user_id 
session variable, then they have a session, and are logged in, afaict.  
You're really testing different elements of the same $_SESSION array, so 
the presence of any session var means that a session is established.

Erik


On Friday, June 7, 2002, at 11:25  AM, Jeff Field wrote:

> Quick question...
>
> I have a site where users log in, they put their user name and 
> password in
> a form and if they are verified against the database, session variables 
> are
> created,
>
> $_SESSION['user'];
> $_SESSION['pass'];
>
> and they get sent to the next page by way of,
>
> header("Location: https://www.mysite.com/login/");  // not a real site
>
> On that page, and all other pages for which I want to control access, I 
> then
> put a little access control script (actually, an include file) at the 
> top of
> each page that checks to see that $_SESSION['user'] is present.  If
> $_SESSION['user'] is *not* present, I send them back to the login 
> page.  If
> $_SESSION['user'] *is* present, they're granted access to the page.
>
> Here's the question:
>
> Is it simply enough to just check that $_SESSION['user'] is present, and
> therefore, by that alone assume the user has logged in and should be 
> granted
> access?  Or, should I be verifying the $_SESSION['user'] and
> $_SESSION['pass'] against the database on every page?
>
> The reason I ask is that an article (tutorial) on access control runs a
> script that hits the database every page.  But, to me, that seems like a
> waste because simply having the $_SESSION['user'] present means they've
> already logged in.  Am I missing something here?
>
> Thanks, as always!
>
> Jeff
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
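Below is an added example, written for this thread and not code from either poster, of the pattern Erik describes: the database is consulted once at login, only the user id (never the password) is put into the session, the session is bound to the User-Agent, and every protected page checks the session rather than re-querying the database. The IP binding is left off by default because of the rotating-proxy problem Erik mentions. The `users` table columns, the `$pdo` connection and the function names are assumptions for the example.

```php
<?php
// auth_check.php -- added example for this thread, not the original poster's code.
// Assumes: a PDO connection in $pdo, and a users table with columns
// id, username, password_hash (columns and function names are assumptions).

declare(strict_types=1);

session_start();

// Fingerprint the client from request headers; stored once at login and
// compared on every protected page. Only the User-Agent is bound by default:
// binding REMOTE_ADDR breaks clients whose requests leave through different
// proxy addresses (the AOL caveat from the reply above).
function client_fingerprint(bool $bind_ip = false): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bind_ip) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Called by the login handler after the password check succeeds.
// Only the user id goes into the session; the password never does.
function establish_login(int $user_id): void
{
    session_regenerate_id(true);           // fresh id so a pre-login id cannot be reused
    $_SESSION['user_id']     = $user_id;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
}

// Included at the top of every protected page. Presence of user_id is the
// "logged in" test; the fingerprint and idle-timeout checks guard against a
// session id that was copied to another client.
function require_login(string $login_url, int $idle_limit = 1800): void
{
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])
        && hash_equals($_SESSION['fingerprint'], client_fingerprint())
        && (time() - $_SESSION['last_seen']) <= $idle_limit;

    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url);
        exit;                               // never fall through to page content
    }
    $_SESSION['last_seen'] = time();        // idle timer restarts on each page hit
}

// Login handler: verifies credentials against the database once, not per page.
function handle_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    establish_login((int) $row['id']);
    return true;
}

// Usage at the top of a protected page (URL taken from the question above):
//   require 'auth_check.php';
//   require_login('https://www.mysite.com/login/');
```

The one thing the per-page check cannot tell you is whether the account was disabled or the password changed after login; if that matters, keep a short-lived cache of the account state in the session and re-read it from the database only when it expires, which is far cheaper than a query on every request.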

