Why do you need the secret variable? If your server is set up correctly, the
user can't create any session variables, all they can do is create a session
ID. So you could just check for a user-id and you'd be good.

---John Holmes...

----- Original Message -----
From: "Jackson Miller" <[EMAIL PROTECTED]>
To: "'Bryan McLemore'" <[EMAIL PROTECTED]>
Sent: Monday, September 23, 2002 4:06 PM
Subject: RE: [PHP-DB] advise needed for 'authorized only' site

> > you could make them log in once per session and just have
> > every page check and see if they already have logged in and
> > if they have not then trigger the login mechanism.
> >
> This is what I do.  I have a file/function called verify that I call at
> the top of every page that I want secure (and any page that might just
> perform an action and then redirect to a page that displays content).
> Here is how my authentication system works:
> 1) On any page a session is started if one doesn't already exist.
> 2) When they submit they submit login information it is checked against
> the database.
> 3) If the login is approved, I session_register() the user_id field, the
> user_level (if applicable), and a variable called valid.
> 4) I set valid = to the md5 hash of user_id.user_level.secret_variable
> (secret variable is a variable set in the code so only the server knows
> it.
> 5) on every page the verify function checks to make sure that the
> variable $valid is equal to the md5 of
> user_id.user_level.secret_variable  (This works because the session
> knows the user_id, and user_level, and the server knows the secret
> variable).
> Hope this helps.
> -Jackson
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to