Dependability of sessions question - protected area

tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama

Post by tsg »

Hey all, I really hope this topic is not worn out, but I have been searching the forums and can't seem to find the answer I need.

I am wanting the best way to protect my clients' admin areas I create for them. I normally use a .htaccess file to do so, but I would like to perhaps use a different method.

I use sessions on several websites to protect certain "members only" areas, and it "seems" to work fine. Basically when someone logs in, it sets session variables like $_SESSION['loggedin'] = "true"; $_SESSION['id'] = "id123"; .. then on the pages I have protected, I do a check to see if 'loggedin' == true and !empty 'id'; if either is false, headers to the log in screen.

Is the sessions method above secure enough to protect my clients' admin areas? I don't ever register the password in the session, and I have them MD5'd in the database.

Also, will every browser obey the session information? Meaning, will it ignore sessions and allow access anyway?

Thanks in advance and look forward to your comments.

Tim
bionicdonkey
Forum Contributor
Posts: 132
Joined: Fri Jan 31, 2003 2:28 am
Location: Sydney, Australia

Post by bionicdonkey »

It should be fine. The session info is parsed by the server so the output is HTML, so all browsers will be fine. This sounds pretty similar to the way I did my auth stuff. Just make sure you look at all perspectives when coding it. For maximum security, don't leave anything out because you think it can't happen.
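
The session check discussed in this thread, written out as an added example that is not code from either poster. The function names, the `/login.php` path, HTTPS on the admin area and PHP 7.3+ are assumptions made for the illustration.

```php
<?php
// Added illustration; start_secure_session(), complete_login(), require_login()
// and the /login.php path are hypothetical names, not from the thread.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // assumes the admin area is served over HTTPS
        'httponly' => true,      // keep the cookie out of reach of page scripts
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Call only after the submitted password has been checked against the stored hash.
function complete_login(string $userId): void
{
    start_secure_session();
    session_regenerate_id(true);    // fresh ID at the privilege change; old session file deleted
    $_SESSION['loggedin'] = true;   // a real boolean, not the string "true"
    $_SESSION['id']       = $userId;
}

// Call at the very top of every protected page, before any output is sent.
function require_login(): void
{
    start_secure_session();
    $ok = isset($_SESSION['loggedin'], $_SESSION['id'])
        && $_SESSION['loggedin'] === true
        && $_SESSION['id'] !== '';
    if (!$ok) {
        header('Location: /login.php');
        exit;  // without this, the rest of the protected page still runs and is sent
    }
}
```

The `exit` after the redirect is what makes the check independent of the browser: `header()` only asks the client to go elsewhere, and a client that ignores the redirect would otherwise still receive the protected page.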
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama

Post by tsg »

Thanks for the feedback. I felt like the method I was wanting to use would be pretty secure, but didn't know.

Tim