Joe Harman <mailto:[EMAIL PROTECTED]>
    on Tuesday, January 25, 2005 4:23 PM said:

> IN MY OPINION... forget the cookies... only use php sessions... but
> like I said IMO.... you can never rely on the end user having them
> cookies enabled... same with things like javascript...

Well, I don't think you should suggest to "forget the cookies" since
cookies are necessary to keep data between sessions. Simple example: To
remember the user's username for the simple purpose of pre-filling the
username field of a form. But if functionality like that is not needed
then you're right, cookies can be ignored.

> 1. get the user's access info... ie username & password
> 
> 2. look for the user in the database that stores the access info
> 
> 3. if access is granted, I usually set 2 session variables
>       a. $_SESSION['auth'] = TRUE      // They are authorized
>       b. $_SESSION['user_id'] = {who}  // Who is it
>       a. $_SESSION['user_level'] = {level} // What level access do
> they have (optional)

Item (a) is redundant. Just use (b) and (a)#2 (hehe.. typo) aka (c). If
the username is present the user is obviously logged in. You don't need
another little buddy yelling, "Yep. He's logged in."

> that should get you started... maybe the second step would be to make
> this stuff into functions...

Functions? Absolutely.

> ... also, IMO.. it's a good idea to make
> a logout script that will destroy that user's active session...

Sure. But sessions time out after 20 minutes anyway (by default). And do
people even click the logout button/link? I just let the session
time out.

What you might want to do is something like hotmail where the user can
say "I'm on a public computer" and then lower the timeout to something
like 5 minutes. This way the session will time out much quicker. And
unless you're an international spy, or a high school girl, you're
probably not at much risk of having someone jump in on your session
while you reapply your poisonous lip gloss, or regular lip gloss as the
case may be.

Chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
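How the steps discussed above fit together in code (session variables set on login, a logout script that destroys the session, and the shorter timeout for a "public computer"), as an added example that is not from either poster. lookup_user() and its sample record are constructed stand-ins for the real database lookup, and the idle timeout is enforced in the application rather than left to PHP's session garbage collection.

```php
<?php
// Added example, not from the thread: login/logout around $_SESSION plus the
// "public computer" shorter idle timeout, enforced in code rather than left to
// session garbage collection (which only runs on a fraction of requests).
session_start();

const TIMEOUT_NORMAL = 20 * 60; // seconds of inactivity before logout
const TIMEOUT_PUBLIC = 5 * 60;  // shorter window for a shared machine

// Constructed stand-in for the database lookup; a real site queries its users table.
function lookup_user(string $username, string $password): ?array {
    $users = ['alice' => ['id' => 7, 'level' => 2,
                          'hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];
    $row = $users[$username] ?? null;
    return ($row && password_verify($password, $row['hash']))
        ? ['id' => $row['id'], 'level' => $row['level']] : null;
}

function login(string $username, string $password, bool $publicComputer): bool {
    $user = lookup_user($username, $password);
    if ($user === null) { return false; }
    session_regenerate_id(true); // fresh id on login, so a pre-set id is not kept
    $_SESSION['user_id']       = $user['id'];
    $_SESSION['user_level']    = $user['level'];
    $_SESSION['idle_timeout']  = $publicComputer ? TIMEOUT_PUBLIC : TIMEOUT_NORMAL;
    $_SESSION['last_activity'] = time();
    return true;
}

// Logged in means user_id is set and the user has not been idle past their timeout.
function is_logged_in(): bool {
    if (!isset($_SESSION['user_id'])) { return false; }
    if (time() - $_SESSION['last_activity'] > $_SESSION['idle_timeout']) {
        logout();
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}

// Destroy the server-side data and expire the client's session cookie.
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call is_logged_in() at the top of every protected page; it expires the session itself once the chosen idle window has passed, so the 5-minute public-computer setting takes effect regardless of the server's garbage-collection settings.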
