User System

[Guest daleosmond]

Hey,
im developing an user system and im going to use session but im stuck on what to do.

option 1;
user signins with correct password and user ----> creates an session with there ip, user-agent and username ---> php checks if there ip and user-agent is the same of the values in the session ----------> user logged in.

option 2;
user signins with correct password and user ----> create session with username, password ----> php gets the users username and password check the database if the detal are correct -----> users loggedin

could anyone please tell me whats best or even tell me a better way?

thanks! [img src=\"style_emoticons/[#EMO_DIR#]/smile.gif\" style=\"vertical-align:middle\" emoid=\":smile:\" border=\"0\" alt=\"smile.gif\" /]

[ober]

#2 is a better way to go.

#1 is dependent on the user always using the same IP (that's going to fail) and also depends on the user-agent (also a very bad idea).

I'm not even sure why you're considering #1.

[Buyocat]

I'm not sure if I'm following you, but why not check the user with a form for password and username as you outlined, then upon successful entry the user is given a session holding, at least, his personal id (the key value for him in the user table). You could put more there too, but I wouldn't put passwords there or other sensitive information. Generally, I think you should put as little as possible, only what you'll know you will need, so definitely the user id and maybe username? Anyway hope that helps, Buyo.

[Guest daleosmond]

but wont #2 create higher server load?

[ober]

Slightly, but it shouldn't be an issue and #1 WILL NOT WORK. Period. If I were to look up the IPs that I've used personally to log into this site, I'd probably find at least 8-10. And I use a variety of web browsers, so the second part of that isn't going to work either.