Hello everyone,
I (FINALLY) finished my first php login scripts, and they are working flawlessly (without hackers, of course)
However, as an added measure of security, I had a thought.
Would it be smart at the time of login of the user to set two session vars of the username and password of the user, so that each time a user accesses various pages you can use the vars to check against the database that that combination actually exists? I understand that I only make the session var once the user is authenticated, however, would it be possible for a hacker to alter these session vars in between pages and allow him access to a page?
Or would it be secure enough just to have one ['userWhichIsOnline'] session var which is only set if the user is authenticated?
Also, along the same lines, are session vars the de facto standard for user authentication in PHP?
Thank you for the great help as I embark on my journey of security-finding! (Dental Website + Hackers + Bad Security = BAD NEWS)
thanks!
Check database each time user accesses a page using $_SESSIO
freedomflyer
- Forum Newbie
- Posts: 1
- Joined: Mon Aug 18, 2008 2:15 pm
Re: Check database each time user accesses a page using $_SESSIO
freedomflyer wrote: Or would it be secure enough just to have one ['userWhichIsOnline'] session var which is only set if the user is authenticated?
Yes, no sense in keeping the credentials in the session (not to mention the hugely increased security risk if someone on the server steals the session data).

freedomflyer wrote: Also, along the same lines, are session vars the de facto standard for user authentication in PHP?
Yes, it's the most common mechanism, although there are surely others. Session vars are just an interface to a persistent storage - you can even change how sessions are stored - i.e. use a database instead of flat files. So, as long as you have a place where you can reliably read and write info, it's suitable. This includes database(s), files, shared memory, even cookies (with some caveats).
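The pattern the reply recommends, as an added example that is not code from this thread or from either poster: after a successful login only the user's id goes into `$_SESSION`, and each protected page looks that id up again rather than re-checking a stored username and password. Session data itself lives on the server (by default in files under `session.save_path`); the browser holds only the session id cookie, so the thing to protect is that id, which is why the cookie flags and `session_regenerate_id()` are here. The `users` table, its columns `id`, `username` and `password_hash` (produced by `password_hash()`), and the DSN in the usage comment are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes a `users` table with the
// columns id, username and password_hash, where password_hash was produced by
// password_hash(); the table and column names are assumptions.

ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumes the site is served over HTTPS
    'httponly' => true,   // keep the cookie out of reach of page scripts
    'samesite' => 'Lax',
]);
session_start();

/**
 * Verify the submitted credentials and, on success, bind the session to the
 * user's id. Only the id is stored; the password never enters the session.
 */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id at the privilege change so an id planted
    // before login (session fixation) is not promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

/**
 * Call at the top of every protected page. Re-reads the user from the
 * database by id, so a deleted account loses access on its next request
 * without the credentials ever being kept in the session.
 * Returns the user row, or null after clearing the session.
 */
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }

    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        logout();
        return null;
    }
    return $user;
}

/** Discard all server-side session data and expire the client's session cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage on a protected page (the DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $user = currentUser($db);
// if ($user === null) { header('Location: /login.php'); exit; }
```

The database-backed session storage the reply mentions is plugged in separately with `session_set_save_handler()` and a class implementing `SessionHandlerInterface`; the code above does not change where sessions are stored, only what is kept in them.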