Hello.
I designed a system a bit back and kinda cobbled it together. I was wondering if anyone could tell me of any security implications with the following setup:
Usernames & passwords are stored on disk as a PHP array.
A user enters their username and password into a form.
On submit, the page include()s the username file & then checks to see if their username exists in the array.
If it does, it checks that the password matches.
If it does, a session variable key is assigned (username), with the username as the variable.
As the user navigates the site, the session variables are maintained (session_start()), ensuring that a valid user is logged in.
Is the above system relatively secure? Yes, it would be better over SSL, and yes, it would be vulnerable if a user managed to get read access to the files in the directory in which the usernames.php file is stored, but it's on a hosting service which I believe to be secure, and the uploader system ensures that uploads are stored in a separate directory with valid file extensions (.jpg etc).
Thanks in advance for any advice.
Toz
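
An added example, not part of the original post: the login flow described above with the array holding password hashes instead of the passwords themselves, and the session ID regenerated at login. The names `$users`, `$dummyHash`, `check_login()`, `handle_login()` and the form fields `username`/`password` are assumptions, and the array is built inline with constructed sample data where the described setup would include() usernames.php.

```php
<?php
// Added example; every name here is hypothetical, not taken from the post.
// Constructed sample data. In the described setup this array would come from
// the included usernames.php, holding only the output of password_hash().
$users = [
    'alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

// Verified against when the username is unknown, so both failure paths do
// the same amount of work and response time does not reveal valid usernames.
$dummyHash = password_hash('unused-placeholder', PASSWORD_DEFAULT);

function check_login(array $users, string $dummyHash, string $username, string $password): bool
{
    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummyHash;
    // password_verify() reads algorithm and salt from the stored hash and
    // compares in constant time.
    $ok = password_verify($password, $hash);
    return $known && $ok;
}

// Web entry point: call as handle_login($users, $dummyHash, $_POST).
function handle_login(array $users, string $dummyHash, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    // A field submitted as username[]=x arrives as an array; reject it.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    if (!check_login($users, $dummyHash, $username, $password)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID at login so an ID set before authentication
    // (session fixation) does not become a logged-in session.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

// Constructed checks, runnable from the command line without a web server.
var_dump(check_login($users, $dummyHash, 'alice', 'constructed-sample-password'));
var_dump(check_login($users, $dummyHash, 'alice', 'wrong-password'));
var_dump(check_login($users, $dummyHash, 'mallory', 'wrong-password'));
```

With hashes in the file, read access to usernames.php no longer hands over the passwords directly, which narrows the file-disclosure case raised in the post.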