Eiolon Posted May 4, 2007

I created a login script that uses sessions but I am wondering if I am using the right approach. Right now, if a session is valid, the user can see the secured page. If not they are redirected to the login page.

This is the code for the secured page.

```php
<?php # main.php

// Start the session.
session_start();

// Check for the session value.
if (isset($_SESSION['username'])) {
    // Encode the value for HTML output before echoing it.
    echo '<p>Welcome back, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . '.</p>';
} else {
    // Quit the script and redirect to login page.
    // dirname() returns no trailing slash (or only "/" at the web root), so normalise before appending.
    $dir = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    header("Location: http://" . $_SERVER['HTTP_HOST'] . $dir . "/login.php");
    exit();
}
?>
```

So as you can see, the session is the user's username. That works for what it does but let's say I want to pull more data from the user over to this page, such as their permissions, personal info, etc. Should I be passing that info through as sessions? Or how about, instead of the username, should I be passing the user's id through then on the secured page query for data based on the user id?

Thanks for your help and I hope I could explain it clearly for you to understand.

taith Posted May 4, 2007

yes, in the long run... userids are by FAR more useful than usernames... then you can access user info wherever you want...

however.... what i do, is on login, i put all the user info into a session

ex... `$_SESSION['userinfo'] = $row;`... that way if you want the username... you just `$_SESSION['userinfo']['username'];` or the id `$_SESSION['userinfo']['id'];`

Norin Posted May 4, 2007

I'm also using an array for my session, wonder if the ID would give better performance???

Rottingham Posted May 4, 2007

> yes, in the long run... userids are by FAR more useful than usernames... then you can access user info wherever you want...
>
> however.... what i do, is on login, i put all the user info into a session
>
> ex... `$_SESSION['userinfo'] = $row;`... that way if you want the username... you just `$_SESSION['userinfo']['username'];` or the id `$_SESSION['userinfo']['id'];`

If this method is pulling from the database, I would not recommend using this example, as you more than likely have `$_SESSION["userinfo"]["password"]` available as well, which creates a serious security leak. If that is not a concern of yours, then continue.

Storing the ID value is much nicer. When I check for log in I use

```php
// The post's Goto("login.php") helper is assumed to be a redirect; it is written out with header() here.
if (!isset($_SESSION["UserID"])) {
    header("Location: login.php");
    exit();
}
```

taith Posted May 5, 2007

well... on login... just `unset($_SESSION['userinfo']['password']);`... but if you use your own encrypter, even having the password would be completely useless to anyone...
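
Added example, not part of any post in this thread: keeping only the user ID in the session at login and loading the needed columns by ID on the secured page, so the password hash never enters the session. The in-memory SQLite table, its column names, the `user_id` key and the sample account are assumptions made for illustration, and `password_hash()`/`password_verify()` stand in for whatever hashing the site uses.

```php
<?php
// Added example: table layout, column names and the sample account are constructed.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password_hash TEXT, role TEXT)');
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
    $stmt->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT), 'editor']);
    return $db;
}

// On login: verify the password, then keep only the numeric ID in the session.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // issue a new session ID once the user is authenticated
    $_SESSION = ['user_id' => (int) $row['id']];
    return true;
}

// On each secured page: load only the columns the page needs, by ID.
// The password hash is never selected here, so it cannot reach the session or the output.
function current_user(PDO $db): ?array {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;  // account removed since login: treat as logged out
}

session_start();
$db = demo_db();
$ok = login($db, 'alice', 'constructed-sample-pw');
$user = current_user($db);
if (!$ok || $user === null) {
    header('Location: login.php');
    exit();
}
echo '<p>Welcome back, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8')
   . ' (' . htmlspecialchars($user['role'], ENT_QUOTES, 'UTF-8') . ').</p>';
```

Because the role is read from the database on every request, a permission change or account removal takes effect on the next page load instead of waiting for the session to expire.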