PHP Login System with Sessions

[mds1256]

Hi

 

What is the best way of handling a login system with sessions, I have read that you should never hold the password in a session, so what should you hold in the session in order to access a users data?

[AyKay47]

validate the users credentials to the credentials in the database, if they are valid set a session like $_SESSION['logged_in']. a user may only enter if that session is set.

[mds1256]

validate the users credentials to the credentials in the database, if they are valid set a session like $_SESSION['logged_in']. a user may only enter if that session is set.

 

Thanks, so is this secure in that no one can just tamper with anything to add a session variable of logged_in with a value of 1?

 

Also how do you then retrieve data about a user from the database it will need some type of reference number, should that be stored in the session too?

[PFMaBiSmAd]

Actually, the best way of handling a user log in is to authenticate the visitor by checking their entered username/password against the database user table and then if there is a match you would store their user id and display information, such as usename, in session variables and switch their logged in/out status to 'logged in' in the user table along with updating the last logged in date/time. The user id stored in the session variable would only serve to identify the visitor. You would then use their identifying user id on each page request to query for their logged in/logged out status and any user permissions or privileges from an ACL (Access Control List) to determine what they can do on any page or what content is displayed on any page for that visitor.

[mds1256]

Thanks for the above that is exactly what I thought but needed someone to confirm this.

 

Thanks again