Phillip S. Baker wrote:
> Okay Gents and Ladies,
> I am looking for more information on how best to do this.
> I have a MyQSL back end.
> It houses a users user_name and password.
> I have a secure area of the site that I only want members to view.
> The way I have it now is that the user logs in.
> If user_name and password match cookies are set.
> Each page in the secure are checks for a variable in the cookie. If set 
> the user can view the page, if not set the page redirects back to the 
> login page.
> Now first question is - how secure is this?
> Second question - what is a better more secure way to handle this. Then 
> most importantly where do I get information on how to go about doing that?
> I know nothing about sessions and would need some good links for that 
> arena.
> Also I do not know much of anything about Object Oriented Programming.
> Thanks for the feedback.
> Phillip

It's not as secure as it could be, IMO.

What is the 'value' in the cookie you are setting?  "loggedin=1" or 
something like that?  If so, people could fairly easily modify that 
cookie in a text editor.

What you should be doing is sending a big random value in the cookie, 
and matching that value up in a backend DB or file system.  In the DB, 
keep the status of the user associated with that key.

This is the basic principle behind 'sessions'.

"Then most importantly where do I get information on how to go about 
doing that?"

You come to our PHP training class March 25 - 29.  :)

Michael Kimsal
PHP Training Courses

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to