Sessions make life so much easier, in my opinion. I used to do what you do, passing from one page to the next. Now, when a user successfully logs in, ONE line of code passes all the necessary variables from page to page without me having to do a damn thing.

I don't personally see TOO much wrong with passing the encrypted password along, especially since you aren't displaying it in the URI's query string. BUT, if someone DID get a hold of the encrypted password, they can run millions of words through md5() until one matched. I would hope that people aren't bored enough to do that, but past actions have proved that wrong.

The magic line: session_start(). That's it. It holds ALL information about the session, and makes my life SO much easier.

HTH

Martin

>>> "Peter" <[EMAIL PROTECTED]> 07/03/02 03:32PM >>>
On my site, when a user logs in, their password is encrypted using md5() and the username and encrypted password are then passed from page to page using hidden form inputs (clicking on a link submits the form using POST).

Does anyone have any comments on this method, e.g. security-wise? I know I could use sessions or cookies but is it really necessary?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
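
The session approach recommended in the reply above, as an added example that is not part of the original thread: after one successful login, only a user id is kept in server-side session state, so no password or password hash travels in hidden form fields. It assumes PHP 7.3 or later and HTTPS; `find_user()`, `login()`, `current_user_id()` and the sample account are hypothetical, and `password_hash()`/`password_verify()` replace the unsalted `md5()` discussed in the thread.

```php
<?php
// Added example: names and the sample account below are hypothetical/constructed.

// Constructed stand-in for a user table; a real site would query its database.
function find_user(string $username): ?array {
    static $users = null;
    if ($users === null) {
        $users = ['peter' => [
            'id'   => 1,
            // Salted, deliberately slow hash instead of a bare md5() digest.
            'hash' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT),
        ]];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool {
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a fresh session id at login so a pre-login id cannot be reused.
    session_regenerate_id(true);
    // Only an identifier is stored, and it stays on the server.
    $_SESSION['user_id'] = $user['id'];
    return true;
}

function current_user_id(): ?int {
    return $_SESSION['user_id'] ?? null;
}

// The "one line" from the reply, with the session cookie locked down.
session_start([
    'cookie_httponly' => true,   // not readable from page scripts
    'cookie_secure'   => true,   // sent over HTTPS only
    'cookie_samesite' => 'Lax',  // not sent on cross-site POSTs
    'use_strict_mode' => true,   // reject session ids the server did not issue
]);

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && isset($_POST['username'], $_POST['password'])
        && !login($_POST['username'], $_POST['password'])) {
    http_response_code(401);
    exit('Login failed');
}
if (current_user_id() === null) {
    exit('Please log in');
}
echo 'Logged in as user #' . current_user_id();
```

Every later page needs only the `session_start()` call and the `current_user_id()` check; the browser holds nothing but the session cookie.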