Best (safest) way for navigation
Posted: Wed Dec 12, 2007 7:23 am
Hi all again, getting some very useful feedback to my questions, so I wanted to ask something else.
What is the safest way to navigate a signed in user around a website?
We need to know the user's id throughout the site to make pages dynamic, but also ensure against any security issues.
I have used sessions before, and it would be possible to place the userid within this array, but is this particularly safe?
For example,
let's say we have a login form on the index page so people can quickly log in (might include some basic JS validation for the benefit of the user, don't worry - I am not relying on this validation).
This login form data then gets sent via $_POST to sign-in.php, which validates the user input to make sure it is correctly formatted (type, length and REGEX pattern), processes it and checks if it matches any user's information in the database; if it does, it returns the user's id. If not, we stay on this page and it outputs an error string saying to re-enter the information as it was incorrect.
If however it was successful, I then want it to automatically redirect the user to his/her profile page. Is it best that we set the session variables on the previous sign-in.php, then retrieve these on the profile page to display their details? Is this a particularly secure method, or is there a better way?
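The flow described in the post, written out as an added PHP example (this is not code from the original post or from any project it refers to). It keeps the post's file names sign-in.php and profile.php, and assumes PHP 7.3 or later with PDO and the SQLite driver; the users table, the user 'alice' and her password are constructed sample data, and the in-memory SQLite database stands in for the real one so the script runs offline. The user id is stored in $_SESSION after a successful check, the session id is regenerated at that moment, and profile.php takes the id only from the session, never from the URL or a form field.

```php
<?php
// Added example, not the original poster's code. Session-based sign-in flow:
// POST -> sign-in.php validates, checks the database, stores the user id in the
// session, redirects to profile.php, which reads the id back from the session.
// Assumptions: PHP 7.3+, PDO with SQLite; users table and user 'alice' are constructed.
declare(strict_types=1);

function secure_session_start(): void {
    // Session id travels only in a cookie (never in the URL); strict mode rejects
    // ids the server did not issue; HttpOnly keeps the cookie away from page script.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function open_db(): PDO {
    // Constructed in-memory database so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

function well_formed(string $username, string $password): bool {
    // Server-side format check (type, length, pattern); the browser's JS check is cosmetic.
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1
        && strlen($password) >= 8 && strlen($password) <= 1024;
}

function authenticate(PDO $db, string $username, string $password): ?int {
    // Returns the user's id on success, null otherwise (the caller shows the error string).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-for-timing', PASSWORD_DEFAULT);
    }
    if (!well_formed($username, $password)) {
        return null;
    }
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so response time does not reveal
    // whether the username exists.
    $hash = $row === false ? $dummyHash : $row['password_hash'];
    $ok = password_verify($password, $hash) && $row !== false;
    return $ok ? (int) $row['id'] : null;
}

function login(int $userId): void {
    // Fresh session id at the privilege change: any id planted before login is now useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_time'] = time();
}

function current_user_id(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// sign-in.php: handle the form POST.
function handle_sign_in(PDO $db): string {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'form';   // render the login form
    }
    $id = authenticate($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($id === null) {
        return 'error';  // stay on sign-in.php and ask the user to re-enter their details
    }
    login($id);
    header('Location: /profile.php');   // redirect, then stop; never keep rendering
    exit;
}

// profile.php: every protected page re-checks the session before doing anything.
function require_login(): int {
    $id = current_user_id();
    if ($id === null) {
        header('Location: /sign-in.php');
        exit;
    }
    return $id;   // look the profile up by this id, never by a value from the request
}

secure_session_start();
if (PHP_SAPI === 'cli') {
    // Offline walk-through; session work happens before any output is printed.
    $db = open_db();
    $results = [
        'wrong password'  => authenticate($db, 'alice', 'wrong password!'),
        'bad username'    => authenticate($db, "alice' OR '1'='1", 'whatever!!'),
        'correct'         => authenticate($db, 'alice', 'correct horse battery staple'),
    ];
    login($results['correct']);
    $results['session user_id'] = current_user_id();
    var_dump($results);
}
```

The two points worth taking from this for the question asked: storing the id in $_SESSION is fine because the session contents stay on the server and only an opaque id reaches the browser, so the things to get right are that the id is regenerated when the user logs in, that it is carried only in a cookie, and that profile.php trusts nothing but the session for who the visitor is. The stored password hash and the prepared statement are there because the same sign-in.php is where a bad query or a plaintext password comparison would otherwise end up.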