liad

  1. Thanks to u all... 1. Another question: should I use the new-id-regeneration-function at my regular authentication process? 2. And about preventing an injection, would this do for every registration-form input? [And should I use it before I validate the input itself, or only use it after I've checked it and right before I put it in the DB?]

         function sqlQuote( $value ) {
             // Undo the slashes added automatically when magic quotes are enabled
             if ( get_magic_quotes_gpc() ) {
                 $value = stripslashes( $value );
             }
             // Escape the value for use inside a MySQL query string
             $value = mysql_real_escape_string( $value );
             return $value;
         }

     3. Any other tips & tricks for special checks or helpful ideas regarding user authentication and security?
  2. Thanks a lot for your profound answer... I believe that 9three's if-statement was supposed to be something like: if($_SESSION['HTTP_USER_AGENT']!=$_SERVER['HTTP_USER_AGENT']) maybe? And another thing, why did he use $_SESSION = array(); before trashing the sessions?
  3. You can echo " " wherever there is no value.
  4. I'm not sure I understood what you did here...:S Can u explain what that function does?
  5. 1. You've got a point. So the Level check stays a DB check in every page... Do I need to do something special DB-wise for a large-scale website? Something special I need to take into consideration? 2. Still waiting for a little help about 9three's code...
  6. I'm not sure I understood what you did here...:S The only way I'll change their level is if they'll ask for a change. And that will update the DB and the sessions if they exist.
  7. Why shouldn't I just save a session with isLoggedIn=1 and level=x, after the user logged in? Wouldn't it be faster? With no need of connection to the DB in each page for each user?
  8. And in that function that will be in the top of every page I would check for his username, password, level and update the timestamp of his last action on my site? Isn't it a lot of MySQL actions for a big site?
  9. So in case my site has a few access-levels and different content for different users, I should check all of their information from the DB in every page and not save it in sessions? security and efficiency wise. [and for a site with a lot of users]
  10. Using PHP & AJAX can get you to a nice real-time form validation code.
  11. So why in almost every script I saw on the net, the "is_logged_in" function always checks for a DB entry that correlates to the one in the sessions?
  12. Hey, while building a user authentication system I came up with this question: Once a user logged in, I'm checking his username and password and in case it's all ok, I make some sessions with his info. After he logged in, is it enough to check for a $_SESSION['loggedIn']==1, or should I check his info with the DB entries anytime he goes to another page in my site?
  13. Hey! How can I prevent people from double login into my site? I don't want anyone to login from different computers with the same UserName. thanks.