Quick question...

I have a site where user's log in, they put their user name and password in
a form and if they are verified against the database, session variables are


and they get sent to the next page by way of,

header("Location: https://www.mysite.com/login/";);  // not a real site

On that page, and all other pages for which I want to control access, I then
put a little access control script (actually, an include file) at the top of
each page that checks to see that $_SESSION['user'] is present.  If
$_SESSION['user'] is *not* present, I send them back to the login page.  If
$_SESSION['user'] *is* present, they're granted access to the page.

Here's the question:

Is it simply enough to just check that $_SESSION['user'] is present, and
therefore, by that alone assume the user has logged in and should be granted
access?  Or, should I be verifying the $_SESSION['user'] and
$_SESSION['pass'] against the database on every page?

The reason I ask is that an article (tutorial) on access control runs a
script that hits the database every page.  But, to me, that seems like a
waste because simply having the $_SESSION['user'] present means they've
already logged in.  Am I missing something here?

Thanks, as always!


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to