fizix Posted December 14, 2006

First of all: Hi everybody!

Second: This may be a loaded question BUT, what is the best way to validate that a user is logged in? I'm using:

[code]
session_start();
// The superglobal is case-sensitive: $_session would be an ordinary local variable
$_SESSION['username'] = $username;
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
[/code]

to start a session. However, how do I verify on future pages that they've logged in and have a valid session?

Psycho Posted December 14, 2006

Depends on the circumstances. You could simply create a session variable called $_SESSION['loggedin'] and set to 1 when they go through the log in script. Or, if security is an issue you may need to store the username and hashed password or a temporary key to validate on every page.

fizix Posted December 14, 2006

[quote author=mjdamato link=topic=118641.msg485009#msg485009 date=1166123941]
Depends on the circumstances. You could simply create a session variable called $_SESSION['loggedin'] and set to 1 when they go through the log in script. Or, if security is an issue you may need to store the username and hashed password or a temporary key to validate on every page.
[/quote]

Am I right that anybody could put loggedin=1 in their cookie if they wanted? Is there a way to validate using their session ID?

SharkBait Posted December 14, 2006

Some people store the session_id() into a database and check against that. If it has changed, then the user isn't the same or they closed their browser.

Psycho Posted December 14, 2006

[quote author=fizix link=topic=118641.msg485012#msg485012 date=1166124309]
Am I right that anybody could put loggedin=1 in their cookie if they wanted? Is there a way to validate using their session ID?
[/quote]

Um, did you even bother reading the 2nd part of my post? "if security is an issue you may need to store the username and hashed password or a temporary key to validate on every page".

The basic idea is to store all the temporary data in a table in the database that is tied to a unique session identifier you assign to a user when they log in. And you make that identifier time sensitive.
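
The approach described in the last reply (a time-limited identifier stored in a database table and checked on every page), written out as an added example; it is not code from any poster in this thread. The table name `login_tokens`, the function names, the 30-minute limit and the in-memory SQLite store are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 1800; // assumed limit: seconds of inactivity before a login expires

function open_store(): PDO {
    $db = new PDO('sqlite::memory:'); // constructed in-memory store for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (
        token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Call once the password check has succeeded; the returned value goes in a cookie.
function issue_token(PDO $db, string $username, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 random bits, not guessable
    // Only a hash is stored, so a leaked table does not yield usable tokens.
    $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $username, $now + TOKEN_TTL]);
    return $token;
}

// Call at the top of every protected page; returns the username or null.
function validate_token(PDO $db, string $token, int $now): ?string {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT username, expires_at FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // token was never issued by this server
    }
    if ((int)$row['expires_at'] <= $now) {
        $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
        return null; // expired: the user has to log in again
    }
    // Sliding expiry: every valid request extends the login.
    $db->prepare('UPDATE login_tokens SET expires_at = ? WHERE token_hash = ?')
       ->execute([$now + TOKEN_TTL, $hash]);
    return $row['username'];
}

// Demo with constructed values.
$db = open_store();
$t0 = 1700000000; // constructed timestamp
$token = issue_token($db, 'fizix', $t0);
var_dump(validate_token($db, $token, $t0 + 60));                 // within the time limit
var_dump(validate_token($db, str_repeat('0', 64), $t0 + 60));    // token that was never issued
var_dump(validate_token($db, $token, $t0 + 60 + TOKEN_TTL + 1)); // past the extended expiry
```

With PHP's built-in sessions the `$_SESSION` array itself is kept on the server and the browser's cookie carries only the session ID, so the same check can be done by comparing a stored login time in `$_SESSION` against the limit.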
Archived
This topic is now archived and is closed to further replies.