Check Session Is Authenticated


AdamB

Hi,

 

I'm using a PHP function to protect access to some pages. I'd just like to check some finer points on the security of this function.

 

The code I'm using is:

 

function is_authed() {
    if ((isset($_SESSION['userid'])) && (md5($_SESSION['accesslevel'] . $_SESSION['lastlogin']) == $_SESSION['encrypted_key'])) {
        return true;
    } else {
        return false;
    }
}

 

The session variables are set when the user logs in. This access check function is called at the top of every page.

 

My questions are:

 

  • Is this the most secure way of checking the user is verified?
  • Can you think of an instance in which these session variables could be bypassed?
  • Is it possible for a user to view the content of the session variables, then try to guess what checks I'm performing and engineer a workaround?

 

I'm sure any gaping holes would be found by a hacker if they had the time and inclination. My hope is to secure any holes so that door is closed.

 

Many thanks for any advice!

 

Adam

https://forums.phpfreaks.com/topic/200573-check-session-is-authenticated/
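
A hardened variant of the `is_authed()` check in the post above, added here as an example and not part of the original post. It assumes PHP 7.3+ with the default server-side session storage, where the browser holds only the session ID, so it concentrates on protecting that ID (strict mode, cookie flags, regeneration at login, idle timeout) rather than hashing session values against each other. `start_secure_session()`, `mark_logged_in()`, `IDLE_TIMEOUT` and the `lastseen` key are hypothetical names.

```php
<?php
declare(strict_types=1);

// Assumed value for this example; tune for the application.
const IDLE_TIMEOUT = 1800; // seconds of inactivity before re-login is required

// Call at the top of every page instead of a bare session_start().
function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,  // keep the session ID away from page scripts
        'secure'   => true,  // send the cookie over HTTPS only
        'samesite' => 'Lax', // do not attach it to cross-site POSTs
    ]);
    session_start();
}

// Call once, right after the password check succeeds.
function mark_logged_in(int $userid, string $accesslevel): void {
    session_regenerate_id(true); // fresh ID at the privilege change (session fixation defence)
    $_SESSION['userid'] = $userid;
    $_SESSION['accesslevel'] = $accesslevel;
    $_SESSION['lastlogin'] = time();
    $_SESSION['lastseen'] = time();
}

function is_authed(): bool {
    // Every key must be present; a missing key means "not logged in".
    if (!isset($_SESSION['userid'], $_SESSION['accesslevel'], $_SESSION['lastseen'])) {
        return false;
    }
    // Expire idle sessions so a leaked ID has a limited lifetime.
    if (time() - $_SESSION['lastseen'] > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['lastseen'] = time();
    return true;
}
```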

Archived

This topic is now archived and is closed to further replies.
