cigardude Posted June 4, 2009

Hi, how is everyone doing? I have been developing a web site with PHP for a few months now and everything is going well. I am up to coding the log in system for it and I have a few questions about the logic of it. I know how to code it but I want to bounce a few questions off of you guys.

I am going to use sessions to keep track of the logged in user. I have a form that the user fills out, checks those variables against the database and if it is correct I want to store some variables in the session so I know who the user is. If it's not correct the user gets prompted again. Here is where I am running into a wall. I was planning on storing the userid, email address and user name in the session.

1. Do I need to check this against the database for each page load? I would think that this would generate a lot of server load, am I incorrect?

2. Is it secure enough to just check to make sure these session variables are set? Is this something that is easily manipulated if they do not have access to the server?

If you have any suggestions I would gladly welcome them. Thanks for your time!

Link to comment https://forums.phpfreaks.com/topic/160930-solved-log-in-user-system-logic/
Ken2k7 Posted June 4, 2009

Why do you need to store email address in a session? Store a unique session ID for each user and check for that.
RClapham Posted June 4, 2009

Someone might be able to correct me if I'm wrong here, but only you can set $_SESSION variables. I don't think that you need to keep checking against the server once the user's validated because you're the one who's set the session.
Ken2k7 Posted June 4, 2009

That's true. cigardude - should the user have to log in again once he or she leaves the page and comes back later? If so, then sessions are fine. If not, use cookies to store a session id.
cigardude Posted June 4, 2009 Author

Ken - when the user closes the browser and comes back, the user will need to log in again. I am not saving any cookies to his browser. I was saving his email address because that is the 'user name' for my app. Thank you guys for your answer, I really appreciate it!
PFMaBiSmAd Posted June 4, 2009

If you want your system to have a feature where an administrator can disable/ban an account or you have user permissions/groups where you can be promoted or demoted, you do need to check the database on each page request, like what is done in all the major Forum scripts. And sadly, if register_globals are on, a hacker can set the values of variables that are used in your script that you are expecting to come from session variables.
cigardude Posted June 4, 2009 Author

If register_globals are off, will I be ok? I am going to be running on a VPS so I will have full control over settings like that.
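A minimal PHP login guard that follows PFMaBiSmAd's advice (store only the user id in the session and re-check the account on every request so bans and demotions take effect immediately), added here as an example and not code posted in the thread. It assumes PHP 7.1+, a PDO connection in $pdo, and a constructed `users` table with columns id, email, password_hash, is_banned and role.

```php
<?php
// Added example, not from the thread. Assumes: $pdo is a PDO connection and a
// constructed `users` table has columns id, email, password_hash, is_banned, role.

// Session settings: the id only ever comes from a cookie (never a URL), and the
// cookie is hidden from JavaScript. With register_globals off, the only way
// $_SESSION gets populated is this server-side code.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, is_banned FROM users WHERE email = ?'
    );
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user || $user['is_banned'] || !password_verify($password, $user['password_hash'])) {
        return false; // caller re-prompts for credentials
    }

    // Fresh session id once authenticated (blocks session fixation), then store
    // only the id: email and role are looked up fresh on each request.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

// Call at the top of every protected page. Returns the current user row, or
// null when nobody is logged in or the account was banned/deleted since login.
function currentUser(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE id = ? AND is_banned = 0');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user) {
        // Account no longer valid: clear the session so the stale id cannot be reused.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $user;
}
```

The per-request query is a single primary-key lookup, which is the price of having a ban or role change apply on the very next page load rather than at the next login.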