Hey all, I really hope this topic is not worn out, but I have been searching the forums and can't seem to find the answer I need.
I am wanting the best way to protect my clients' admin areas I create for them. I normally use a .htaccess file to do so, but I would like to perhaps use a different method.
I use sessions on several websites to protect certain "members only" areas, and it "seems" to work fine. Basically when someone logs in, it sets session variables like $_SESSION['loggedin'] = "true"; $_SESSION['id'] = "id123"; .. then on the pages I have protected, I do a check to see if 'loggedin' == true and !empty 'id', if either is false, headers to the log in screen.
Is the sessions method above secure enough to protect my clients' admin areas? I don't ever register the password in the session, and I have them MD5'd in the database.
Also, will every browser obey the session information? Meaning, will it ignore sessions and allow access anyway?
Thanks in advance and look forward to your comments.
Tim
Dependability of sessions question - protected area
bionicdonkey
It should be fine. The session info is parsed by the server so the output is HTML, so all browsers will be fine. This sounds pretty similar to the way I did my auth stuff. Just make sure you look at all perspectives when coding it. For maximum security, don't leave anything out because you think it can't happen.
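
The session check described in this thread, written out as an added example (it is not code from either poster). The function names `start_secure_session`, `login_user`, `is_logged_in` and `require_login` and the `/login.php` path are hypothetical, and it assumes PHP 7.3 or later served over HTTPS.

```php
<?php
// Added example: function names and the /login.php path are hypothetical.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // session cookie not readable from page scripts
        'secure'   => true,   // assumes the admin area is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the submitted password has been checked against the
// stored hash (for example with password_verify()).
function login_user(string $userId): void
{
    start_secure_session();
    session_regenerate_id(true);      // fresh session id at login (blocks fixation)
    $_SESSION['loggedin'] = true;     // a real boolean, not the string "true"
    $_SESSION['id']       = $userId;
}

// Strict checks: a missing key, "true" as a string, or an empty id all fail.
function is_logged_in(array $session): bool
{
    return ($session['loggedin'] ?? false) === true
        && is_string($session['id'] ?? null)
        && $session['id'] !== '';
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    start_secure_session();
    if (!is_logged_in($_SESSION)) {
        header('Location: /login.php');
        exit; // without this the rest of the protected page is still sent
    }
}
```

The browser only holds the session id cookie; the values in `$_SESSION` live on the server, so the check does not depend on browser behaviour. The `exit` after the redirect is what keeps the protected page from being sent to a client that does not follow the `Location` header.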