Dependability of sessions question - protected area
Posted: Sun Nov 23, 2003 1:45 pm
Hey all, I really hope this topic is not worn out, but I have been searching the forums and can't seem to find the answer I need.
I am wanting the best way to protect my clients' admin areas I create for them. I normally use a .htaccess file to do so, but I would like to perhaps use a different method.
I use sessions on several websites to protect certain "members only" areas, and it "seems" to work fine. Basically when someone logs in, it sets session variables like $_SESSION['loggedin'] = "true"; $_SESSION['id'] = "id123"; .. then on the pages I have protected, I do a check to see if 'loggedin' == true and !empty 'id'; if either is false, it sends headers to the login screen.
Is the sessions method above secure enough to protect my clients' admin areas? I don't ever register the password in the session, and I have them MD5'd in the database.
Also, will every browser obey the session information? Meaning, will it ignore sessions and allow access anyway?
Thanks in advance and look forward to your comments.
Tim
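The session check described in the post, written out as an added example (not the poster's code). The function names, the `/login.php` path and the use of PHP 7+ type hints are assumptions. Session data is held on the server and the browser only carries the session ID, so the part that depends on the client is the redirect, which is why the guard stops the script itself.

```php
<?php
// Added example; function names and /login.php are assumptions.

// Call once the submitted credentials have been verified against the database.
function mark_logged_in(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID at login so an ID that existed
    // before authentication is not carried into the logged-in state.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;   // boolean, not the string "true"
    $_SESSION['id'] = $userId;
}

// Pure check, kept separate so it can be exercised without sending headers.
function is_logged_in(array $session): bool
{
    // Strict comparison: with a loose == true, any non-empty string would pass.
    return isset($session['loggedin'], $session['id'])
        && $session['loggedin'] === true
        && is_string($session['id'])
        && $session['id'] !== '';
}

// Call at the very top of every protected page, before any output is sent.
function require_login(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . $loginUrl, true, 302);
        // header() only asks the client to go elsewhere. Without exit the
        // rest of the protected page still executes and is sent in the
        // response body, whether or not the client follows the redirect.
        exit;
    }
}
```

A protected page would start with `require_login();` before emitting any HTML.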