[SOLVED] login help

[Stephen68]

Hello all!

 

Ok I know this has likely has been beat to death and I have read lots, but I just want put my thoughts down

and see if you find gents agree.

 

I wrote a login script that protects from all the things I want it to. What I would like to know is checking on the pages that they move to.

 

Do I

1.) Check to see if $_SESSION['username'] exists

2.) Check that session value against the one in the database to see if user exists.

3.) If user does exists then let them view the page.

 

 

I have read someplace that you should check to see if passwords match. I use sha1() on my passwords

so should I put the hash into a session and check to make sure it match's what is in the databse on each

page load? There are only going to be 5 or 6 users top using the pages so maybe that would be a way to go.

 

Anyway as always any input suggestions would be more the appreciated.

 

 

Stephen

[Garethp]

You could, but if your login is secure, there's no point.

 

See, they can't edit $_SESSION['username'], only your code can. So there's no point if your login code is secure

[Stephen68]

Ok that is good to know, what I have been doing is getting browser agent and putting that into a md5() and checking

to see if user name is set then in the md5() agent matchs. Not sure if that extra is worth it from reading what you said

but I guess it couldn't hurt either right?

 

Stephen

[Garethp]

No, it couldn't hurt