secure sessions ???

[robcrozier]

ok,

im trying to create a secure logon script that create a session variable for the user so that they can access the secure pages.  However, at present i have created a session variable containing the users 'username' which is pulled from the database when it has been confirmed that they are registered.  This works fine ... though i have my reservations about security.

Surely as it stands it would be pretty feasible for someone to obtain this session variable and access the secured pages.  i have been told that it is a good idea to keep changing the session variable as the user navigates to different pages.  Is this good advice?  And in order to do this would i have to register some sort of session key (like a string of digits or something e.g.  jhdgfhjg55jg5j353543879gg)???  This could then be changed when the user navigates to another page and would also be harder to obtain by a third party.

Any advice would be appreciated, Cheers!

[Daniel0]

I think you should use cookies instead since they are stored on the client's computer and not the server computer (like I think sessions are). You should use an encrypted line (SSL). You should store a session_id as the ONLY cookie on the, the session id should be something random like: [code]uniqid(md5(microtime()));[/code]
Store the session id in a database along with other information. Check the if the session id is set and then get the rest of the data from the database.

I believe that is more secure.

[robcrozier]

thanx, ill give it a go! :)