[SOLVED] whats the best way to transfer variables between pages?

[rmmo]

hi all.

 

im trying to figure out the best way to do this:

 

when my user enters his/her username and password into a form they are posted to the next page where they are assigned to $username and $password and then checked against the database (this all works).  now i want to use these two bits of data on vitrually ever subsiquent page... is there any way to carry them over to all the other pages other than making invisible forms to post them? (i allready have forms posting other data.)  if so could someone explain how i could do it.

 

thanks very much for reading

and thanks in advanced for any help you may be able to offer.

 

RMMO   

[papaface]

sessions:

session_start();

$_SESSION['username'] = $_POST['username'];

Must have session_start(); at the top of every page you want to use/create/edit session vars.

[TransmogriBenno]

Hidden form fields are awful; use sessions. You only need to store one value - the username, or whatever is the primary key of the table that stores the users - since you've already done the check against the database.

[DarkWater]

@TransmogriBenno: He should store the whole user data array that he gets from the query in the session so he doesn't need to requery again just to display say...the username or something.

[.josh]

@TransmogriBenno: He should store the whole user data array that he gets from the query in the session so he doesn't need to requery again just to display say...the username or something.

 

I disagree.  If a session is hijacked, I'd rather only a single abstracted id be available to the hacker than all the info on a silver platter be just handed to them.

[thatsgreat2345]

But if he utilizes some techniques such as changing session ID with http://php.net/session_regenerate_id will hijacking really be a major issue?

[DarkWater]

Unless you echo the password out, they can't do anything with the session.  The session being hijacked only means that the "hacker" can access things that the user could access, which is no less secure than just storing the session ID.

[.josh]

But if he utilizes some techniques such as changing session ID with http://php.net/session_regenerate_id will hijacking really be a major issue?

 

It makes it harder, but not impossible.

 

Unless you echo the password out, they can't do anything with the session.  The session being hijacked only means that the "hacker" can access things that the user could access, which is no less secure than just storing the session ID.

 

Okay well then how about packet sniffing?

[DarkWater]

But you're not transferring the password over TCP/IP, it's just stored in the session.  Hijacking sessions and actually robbing your server of the session files are two completely different things.  Unless you had a page like:

 

hackme.php

session_start();
echo serialize($_SESSION);
Password: $_SESSION['password'];

 

You should be fine.

[TransmogriBenno]

@DarkWater

 

I agree re: storing additional data in the session, under 2 conditions:

1. The other data needs to be displayed somewhere (it might not, I build a lot of systems in which this is the case) - best to store as little data in the session as possible.

2. The session is updated as soon as the row is updated by the user, e.g. if there's an "update my details" form - stale data is ugly.

 

There is also an issue if the actions of admins or others affect the situation, e.g. if an admin bans or deletes a user, you need to check the database every time they view a page, otherwise they can stay on until their session times out.

[rmmo]

great, that worked a treat!

 

interesting disccusion guys.. i think you came to an agreement at the end of it... both ideas are great depending on the needs of the system... ill just store the usrnm and paswd in this case as they are the only bits i need later on.

 

thanks to both of you!

 

my problem is answered! so this post is <SOLVED>