The pages in my site are made of the actual page, and header.php and footer.php, which are included.
In header.php, i have:
Code: Select all
session_start();
session_regenerate_id(true);
Code: Select all
$clean['query'] = mysql_query("SELECT first_name FROM users WHERE activation_key = '{$clean['activation_string']}'");
if (mysql_num_rows($clean['query']) == 1){
$clean['row'] = mysql_fetch_array($clean['query']);
mysql_query("UPDATE users SET activation_key = NULL, user_level = '2' WHERE activation_key = '{$clean['activation_string']}' LIMIT 1");
if (mysql_affected_rows($dbc) == 1){
session_regenerate_id(true);
$_SESSION['user_level'] = 2;
$_SESSION['first_name'] = $clean['row']['first_name'];
//
// some memory freeing and irrelevant stuff here
//
}
Code: Select all
$clean['query2'] = mysql_query("SELECT first_name, user_level FROM users WHERE username = '{$clean['user']}' AND password = '{$clean['password']}' AND activation_key IS NULL");
if (mysql_num_rows($clean['query2']) == 1){
$clean['row'] = mysql_fetch_array ($clean['query2']);
session_regenerate_id(true);
$_SESSION['user_level'] = $clean['row']['user_level'];
$_SESSION['first_name'] = $clean['row']['first_name'];
//
// some memory freeing and irrelevant stuff here
//
}
Code: Select all
if ($_SESSION['user_level'] >= 2){
echo 'Welcome, ' . $_SESSION['first_name'] . '!';
}else{
// display login form (a user can't login if they have not confirmed their email, so user level is either 0-unregistered or 2-registered)
}
1) Will using "true" in session_regenerate_id(true) cause any implication when someone clicks the "back" button in their browser (or any implication for that matter)?
2) Is using "user_level" a good way of authenticating if a user is logged in or do i have it wrong? At present, the identity of a user is of no importance, i just want to know if they are registered (and confirmed) or not.
Do i have it right or am i doing it wrong? My primary concern is around session functionality/security, i would like to know if i'm vulnerable to some sort of attack that i've missed, and if yes, some sort of directions on what can i do about it would be helpful. But any other comment is welcomed.
Thank you very much,
Leandro