sorenchr Posted December 15, 2008

Hi there, quick question:

For determining if a user is logged in or not, when he/she is surfing on your site, what would be the best way to check this?

Currently I have two sessions which I check, 'username' and 'loggedin'. 'username' is of course the username, and 'loggedin' can have a value of either 1 or 0. Is this fine enough for security? Or is this an open invitation to session hijacking?

The users' passwords are sha1 encrypted before they are stored in the db. I'm thinking of using a 'password' session (instead of 'loggedin'), and then match up 'username' and 'password' with the db instead of just checking if 'loggedin' is 0 or 1. Would this be a more secure solution?

Thanks for your time.

PFMaBiSmAd Posted December 15, 2008

You already have an open thread with this same subject, don't start another thread for it - http://www.phpfreaks.com/forums/index.php/topic,230014.msg1065102.html#msg1065102

sorenchr (Author) Posted December 15, 2008

Could you delete my old thread then?

sorenchr (Author) Posted December 15, 2008

You know as well as I do that nobody is gonna look up that old thread. And my question hasn't really been answered yet.

timmah1 Posted December 15, 2008

    // Assumes session_start() has already run and $config_basedir is set by the site config.
    if (isset($_SESSION['SESS_LOGGEDIN']) == FALSE) {
        header("Location: " . $config_basedir . "login.php?error=1");
        exit; // stop here so the rest of the protected page does not run
    }

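
A fuller version of the check discussed in this thread, as an added example that is not code from any of the posters: the 'username'/'loggedin' keys and login.php?error=1 come from the posts, while the helper names, the idle timeout and the cookie settings (which assume an HTTPS site) are assumptions. Session data lives on the server and the browser holds only the session ID, so the example protects the ID and keeps no password in the session.

```php
<?php
// Added example, not from the thread. Helper names, IDLE_TIMEOUT and the
// cookie settings are assumptions; the session keys follow the question.

const IDLE_TIMEOUT = 1800; // assumed: 30 minutes of inactivity ends the login

function start_session(): void
{
    // The browser only ever holds the session ID, so protect that cookie.
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // sent over HTTPS only (assumes an HTTPS site)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, after the submitted password has been verified against the db.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);      // fresh ID at login defeats session fixation
    $_SESSION['username']  = $username;
    $_SESSION['loggedin']  = 1;
    $_SESSION['last_seen'] = time();
    // No password or password hash is placed in the session.
}

// Pure check, so it can be exercised without a live session.
function is_logged_in(array $session, int $now): bool
{
    return isset($session['username'], $session['loggedin'], $session['last_seen'])
        && $session['loggedin'] === 1
        && ($now - $session['last_seen']) <= IDLE_TIMEOUT;
}

// Call at the top of every protected page, after start_session().
function require_login(string $baseDir): void
{
    if (!is_logged_in($_SESSION, time())) {
        $_SESSION = [];               // drop any stale login state
        header('Location: ' . $baseDir . 'login.php?error=1');
        exit;                         // without this the protected page still runs
    }
    $_SESSION['last_seen'] = time();  // sliding idle window
}
```
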