
Login forms and sessions

Posted: Thu Oct 05, 2006 7:56 am
by impulse()
Hopefully you can help me in evaluating security.
At the moment I have a shop site. It's not open to the public, it's just a test site. I have a login form on the left with a username and password field and a submit button. When the user hits submit it takes them to a different PHP form where it determines if the user and password match those in a DB. If it doesn't, a variable ($loggedIn) continues to be '0', but if the details do match those in a DB, the value of $loggedIn is changed to '1'. $loggedIn is a session variable by the way.
If the main website detects that $loggedIn is equal to 1 it displays admin tools such as buttons and text fields to edit and add DB entries.

Is this a safe way of running a site or is this sufficient?

Regards,

Re: Login forms and sessions

Posted: Thu Oct 05, 2006 8:47 am
by volka
impulse() wrote: $loggedIn is a session variable by the way.
Then you're using the old, stone-age session_register().
Use $_SESSION instead. See http://de2.php.net/manual/en/ref.session.php

Posted: Thu Oct 05, 2006 10:24 am
by Luke
Other than what volka said, you're on the right track.
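
Added example (not part of the original thread, and not code from any poster): the login flow described above, with the flag kept in and read from $_SESSION instead of a registered global $loggedIn. The function names, the users table layout, the use of password_hash()/password_verify() and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: handle_login(), is_logged_in() and the users table are hypothetical.
declare(strict_types=1);

function handle_login(PDO $db, string $username, string $password): bool
{
    // A prepared statement keeps the submitted username out of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        $_SESSION['loggedIn'] = 0;          // flag stays 0 on any failure
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // fresh session id after the privilege change
    }
    $_SESSION['loggedIn'] = 1;
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function is_logged_in(): bool
{
    // Read only from $_SESSION, and compare strictly against integer 1.
    return isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === 1;
}

// Constructed demo data: in-memory SQLite with one user (assumes pdo_sqlite is enabled).
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$bad           = handle_login($db, 'admin', 'wrong');
$flagAfterBad  = is_logged_in();
$good          = handle_login($db, 'admin', 'correct horse');
$flagAfterGood = is_logged_in();

// Output is printed last so no output precedes the session calls.
var_dump($bad, $flagAfterBad, $good, $flagAfterGood);
```

Every page that shows the admin tools, and every script that performs a DB edit, would call is_logged_in() itself before doing anything, rather than relying on the buttons being hidden.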