Phillip S. Baker wrote:
> Okay Gents and Ladies,
> I am looking for more information on how best to do this.
> I have a MySQL back end.
> It houses a users user_name and password.
> I have a secure area of the site that I only want members to view.
> The way I have it now is that the user logs in.
> If user_name and password match, cookies are set.
> Each page in the secure area checks for a variable in the cookie. If set
> the user can view the page, if not set the page redirects back to the
> login page.
> Now first question is - how secure is this?
> Second question - what is a better, more secure way to handle this. Then
> most importantly where do I get information on how to go about doing that?
> I know nothing about sessions and would need some good links for that.
> Also I do not know much of anything about Object Oriented Programming.
> Thanks for the feedback.
It's not as secure as it could be, IMO.
What is the 'value' in the cookie you are setting? "loggedin=1" or
something like that? If so, people could fairly easily modify that
cookie in a text editor.
What you should be doing is sending a big random value in the cookie,
and matching that value up in a backend DB or file system. In the DB,
keep the status of the user associated with that key.
This is the basic principle behind 'sessions'.
"Then most importantly where do I get information on how to go about
You come to our PHP training class March 25 - 29. :)
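The scheme the reply describes, as an added example that is not from the original thread: a login that issues a large random token, stores a hash of it in a MySQL table keyed to the user, and a check that every members-only page runs before rendering. It assumes PHP 7.3+ with PDO, a `users(id, user_name, password_hash)` table, and a `sessions(token_hash, user_id, expires_at)` table; the connection details are placeholders.

```php
<?php
// Assumed schema (not from the thread): users(id, user_name, password_hash)
// and sessions(token_hash CHAR(64) PRIMARY KEY, user_id INT, expires_at DATETIME).
const SESSION_TTL = 3600; // seconds a login token stays valid
const COOKIE_NAME = 'sid';

function db(): PDO {
    // Connection details are placeholders.
    return new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Called by the login page after the form is submitted.
function login(string $userName, string $password): bool {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // 256 bits from the CSPRNG: the cookie value cannot be guessed or edited into validity.
    $token = bin2hex(random_bytes(32));
    // Store only a hash, so reading the sessions table does not yield live tokens.
    $stmt = db()->prepare(
        'INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $row['id'],
        date('Y-m-d H:i:s', time() + SESSION_TTL)]);
    setcookie(COOKIE_NAME, $token, [
        'expires' => time() + SESSION_TTL, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    return true;
}

// Called at the top of every page in the members-only area; returns the user id.
function requireLogin(): int {
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    if ($token !== '') {
        $stmt = db()->prepare(
            'SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > NOW()');
        $stmt->execute([hash('sha256', $token)]);
        if (($userId = $stmt->fetchColumn()) !== false) {
            return (int) $userId;
        }
    }
    // No valid token in the backend table: send the visitor back to the login page.
    header('Location: /login.php');
    exit;
}
```

Logging out is then a `DELETE` of the token's row, which invalidates the cookie everywhere at once, something a `loggedin=1` cookie can never do.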
PHP General Mailing List (http://www.php.net/)