Hopefully you can help me in evaluating security.
At the moment I have a shop site; it's not open to the public, it's just a test site. I have a login form on the left with a username and password field and a submit button. When the user hits submit it takes them to a different PHP form which determines whether the username and password match those in a DB. If they don't, a variable ($loggedIn) continues to be '0', but if the details do match those in the DB the value of $loggedIn is changed to '1'. $loggedIn is a session variable, by the way.
If the main website detects that $loggedIn is equal to 1 it displays admin tools such as buttons and text fields to edit and add DB entries.
Is this a safe way of running a site, or is this sufficient?
Regards,
Login forms and sessions
Re: Login forms and sessions
impulse() wrote: $loggedIn is a session variable by the way.
Then you're using the old, stone-age session_register().
Use $_SESSION instead. See http://de2.php.net/manual/en/ref.session.php
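An added example (not code from either poster) of the login step impulse describes, written with $_SESSION as the reply recommends. It assumes an existing PDO connection in $pdo and a users table with id, username and password_hash columns (the hash produced by password_hash()), so the check is password_verify() against a stored hash rather than a comparison with a plaintext password in the DB:

```php
<?php
// login.php: added example, not code from the thread.
// Assumed: $pdo is an open PDO connection; table `users` has columns
// `id`, `username` and `password_hash` (output of password_hash()).
session_start();

// Only the server ever writes this flag. Resetting it on every attempt
// means a failed login can never leave a stale '1' behind.
$_SESSION['loggedIn'] = 0;

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Prepared statement: the username is bound, never concatenated into SQL.
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a dummy hash when the user does not exist, so the
// response time does not reveal which usernames are valid.
$hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);

if ($row && password_verify($password, $hash)) {
    // New session id on privilege change: the id the browser held
    // before login (possibly chosen by someone else) is discarded.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = 1;
    $_SESSION['userId']   = (int) $row['id'];
}

// Redirect back to the shop; it reads $_SESSION['loggedIn'] after its
// own session_start() to decide whether to show the admin tools.
header('Location: /index.php');
exit;
```

The same session_start() and $_SESSION['loggedIn'] === 1 check must run inside every script that actually edits or adds DB entries, not only in the page that draws the buttons and text fields, since those scripts can be requested directly without the page.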