Validating sessions

[fizix]

First of all: Hi everybody!

Second: This may be a loaded question BUT, what is the best way to validate that a user is logged in? I'm using:

[code]session_start();
$_session['username'] = "$username";
$_session['ip'] = $_SERVER['REMOTE_ADDR']; [/code]

to start a session. However, how do I verify on future pages that they've logged in and have a valid session?

[Psycho]

Depends on the circumstances. You could simply create a session variable called $_SESSION['loggedin'] and set to 1 when they go through the log in script. Or, if security is an issue you may need to store the username and hashed password or a temporary key to validate on every page.

[fizix]

[quote author=mjdamato link=topic=118641.msg485009#msg485009 date=1166123941]
Depends on the circumstances. You could simply create a session variable called $_SESSION['loggedin'] and set to 1 when they go through the log in script. Or, if security is an issue you may need to store the username and hashed password or a temporary key to validate on every page.
[/quote]

Am I right that anybody could put loggedin=1 in their cookie if they wanted? Is there a way to validate using their session ID?

[SharkBait]

Some people store the session_id() into a database and check against that. If it has changed, then the user isnt the same or they closed their browser.

[Psycho]

[quote author=fizix link=topic=118641.msg485012#msg485012 date=1166124309]
Am I right that anybody could put loggedin=1 in their cookie if they wanted? Is there a way to validate using their session ID?
[/quote]

Um, did you even bother reading the 2nd part of my post? " if security is an issue you may need to store the username and hashed password or a temporary key to validate on every page".

The basic idea is to store all the temporary data in a table in the database that is tied to a unique session identifier you assign to a user when they log in. And you make that identifier time sensitive.