--- Scott Fletcher <[EMAIL PROTECTED]> wrote:

> Is there a really good way to use PHP Session to tell whether the
> user is an authorized user or not?

Yes, there are many good ways, and I'm sure I'm not even aware of many of them.

> I see one problem here, let's say the user tried to access certain
> webpages that are unauthorized then I get to kick the user out. But
> when the user logged in, we assigned a session token to it, then
> the user become an authorized user. That's where I have a problem
> here.

I don't understand your concern...

> Suppose when the user closed the browser window without logging off
> or use the existing session id when firing up the browser or on the
> other browser. (Sort of like copy and paste the URL address from one
> browser to another). There, the user will still be an authorized user
> without logging in. This is something that doesn't need to happen.

So, you're worried that a user who doesn't log out will still be logged in?

At some point, the user is going to have to be responsible for his/her own actions. After all, I can log into my bank's Web site and then let someone else use my computer, and there's no way my bank can prevent it.

Session cookies (those with no expiration date set) are expired whenever the browser is closed, so that eliminates the concern about a cookie being used to continue a session.

Using a session identifier in the URL will work, but you can easily tell if it's a different browser as you describe, so you can do whatever you want when that happens (ask them to enter their password again, require them to completely log in again, etc.).

My advice would be to read more about sessions in the PHP manual. There is no substitute for a good understanding about what PHP is doing for you.

Also, there is a free article on session security that you can find here:

http://www.phpmag.net/ssl/phppdf/

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
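The approach Chris describes, written out as an added example (not code from the thread): cookie-only sessions whose cookie has no expiry so it dies with the browser, a fresh session id at login, and a per-session browser fingerprint so a session id presented from a different browser is treated as not logged in. The `login.php` page and the `mark_authenticated()` / `is_authorized()` / `logout()` function names are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a hypothetical
// login.php that verifies credentials and then calls mark_authenticated().

// Session id only in a cookie, never in the URL, and a cookie with
// lifetime 0 (a "session cookie") so it is dropped when the browser closes.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint of the client; the User-Agent is the simplest signal that a
// session id has been carried over to a different browser.
function client_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Called from login.php once the password check has passed.
function mark_authenticated(string $username): void {
    session_regenerate_id(true);           // new id; the pre-login id is discarded
    $_SESSION['user']        = $username;
    $_SESSION['fingerprint'] = client_fingerprint();
}

// Called at the top of every protected page.
function is_authorized(): bool {
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'])) {
        return false;                      // never logged in on this session
    }
    // Same id, different browser: drop the session and force a fresh login.
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        logout();
        return false;
    }
    return true;
}

function logout(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');   // expire the cookie client-side
    session_destroy();
}

if (!is_authorized()) {
    header('Location: /login.php');        // hypothetical login page
    exit;
}
```

The fingerprint check is only a heuristic for the "pasted URL into another browser" case; a user who closes the browser without logging out is covered by the zero-lifetime cookie, exactly as the reply says.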