rv20

If using ajax it should be very quick you may get a slight delay but for a small bit of text you are talking about you shouldn't notice it. Best place to learn is here, http://www.w3schools.com/ajax/default.asp

What do you mean access the login information, YOU could as you are the code writer if that's what you mean. Assuming you know how to setup an html form then if using POST to send you data from the form (you can als use GET) then you need to use, $_GET['element name'] in the PHP.

Are you calling it from a form or what?

Works for me on IE6

I think sessions would work fine.

if could steal your cookies.

So what is the point of all these massive hash values you see in sites like youtube, facebook, paypal etc, i am talking about 100's of character long hashes, i think the hash are sent in hidden fields, maybe not though, i just remember looking at source in the past and seeing these huge what, i assume now, were hashes.

This is exactly what i thought and hence what i am asking, so you are saying that session_regenerate_id(); will solve this? If it was a form POST i think you can send a hash in a hidden field i haven't looked into how this works but i assume this method is secure, that leaves a GET request basically....

The session_regenerate_id(); look like good advice that is the kind of thing i am looking for, anything else?

If you have say a login.php script, or any script, and want to stop it being run directly, or at least check that the referer is coming from your own site then all i can see to secure it are these, depending if it is a GET ot POST method, $http_referer = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST); if ( ($http_referer == "domain.com") || ($http_referer = "80.80.80.80.80") ){} //POST or GET for example if ($_SERVER['REQUEST_METHOD'] == "POST") {} Also how about having a max number of times you an access the page before a lockout, i suppose this would technically be a DOS attack which you would really have to fix at the router?? Basically i am being paranoid thinking that someone could try and break into your site by using a whole variety of tricks and techniques which i don't really know what tricks are out there so don't know what i am trying to secure against. I suppose there is, xss, css explots, sql injection, query string manipulation??, hacking the db directly, other browser exploits......hmmmm

Thanks that has cleared all that up. So if i have a login script and set a session var if all is validated, session_start(); $_SESSION['user'] = $_POST['user']; So that EVERY page that a user then goes to i can add this at the top of the page, session_start(); if(!isset($_SESSION['user'])){ //whatever i have to do, redirect etc... } This allows me to see if the user is logged in, i can have a logout link linking to logout.php with logout.php simply, session_start(); unset($_SESSION['user']); header("location: home.php"); This seems all a bit simple i suppose if someone got hold of your session cookie or maybe there are other exploits (xss) or css injection, to get around this the could compromise your site, what other methods would you use to secure this method of checking for logged into via sessions?

If you set a session on some page, session_start(); $_session['user'] = "someusername"; Then if you unset that session on a different page unset($_session['user']); does that clear this 'user' session on every page or just the page you unset it on?

The error is that username is not defined at, if ( !username ) that part doesn't make any sense.

Ahhh it works, nice, thanks for that, my PHP knowledge has some huge noob holes in it.

So I need session_start(); on the users.php as well as the validate_login.php ?? Beacuse no i don't have it on users.php, i thought you just called session_start(); once ever on whatever page you create the session on. Well that would explain it, i will try.