Jump to content

Archived

This topic is now archived and is closed to further replies.

sharpdust

Best For Validation

Recommended Posts

In the tutorial "Creating a Membership System". To check if a user is logged in or not they check to see if the session first_name variable matches.

[code]function session_checker(){
if(!session_is_registered('first_name')){
include 'login_form.html';
exit();
} [/code]

Is this really secure? Wouldn't it better to check if the user has the right username or better, the right userid #?

Share this post


Link to post
Share on other sites
Of course that's infinitely more secure. I suggest you hash both the user id and the password in the session using md5 (for the password I think yyou should md5() it twice). Then for each page you compare the user name and the password with the ones in the session before you do anything.

Share this post


Link to post
Share on other sites
Alternatively, use the user/pass/whatever to create a unique sessionID, and store that, and then just check that on every page.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.