<snip>
>What I'm looking to do is when a user logs in, I start up the session.. I
>then have the registered session var to verify they are authenticated as
>they move throughout the site.
>
</snip>
This solution is no guarantee that the authenticated user is in control during that session. The only thing you really *know* is that there was a successful authentication at the beginning of the current session and you would *assume* that the user is at the client screen during the complete session. (The authenticated user could leave the browser unattended.)

<snip>
>Now, when they close the browser and come back, I want them to still be
>authenticated.
>
</snip>

The only thing you *know* for sure is that there was a valid authentication during some *previous* session. And that *some* user still has access to that client based on some client-specific authentication (pressing ESC during the Windows login dialog). So what's your definition of 'authenticated'?

<snip>
>What's the most secure way, that's not easily spoofed?
>
</snip>

My point is this. You will never know for sure if the authenticated user is still in control in whatever session (not even the first). If you really need to be sure, you would use authentication more than once during a session. For example, a first-time login and then again just before the user wants to post or read important information.

If this is of no concern to your application, then it will be no problem to use cookies with some session identifier to allow continuing without authentication during the next session. But it might be wise to force authentication if a user were to enter some kind of admin area of your site during the second session.

Success

René

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
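The approach described in the reply above, as an added example that is not part of the original message: a returning browser is recognised by a remember-me cookie, but a sensitive request (such as the admin area) is allowed only shortly after a real password login. The function names, the `$session` array standing in for `$_SESSION`, and the 300-second window are assumptions made for illustration.

```php
<?php
// Added example. Function names and the 300-second window are assumptions.
const FRESH_AUTH_WINDOW = 300; // how long a password login counts as fresh

// Remember-me token: the cookie carries the random value, the server
// keeps only its SHA-256 hash, so a leaked token table cannot be replayed.
function issue_remember_token(array &$store, string $user): string {
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = $user;
    return $token;
}

function user_for_token(array $store, string $token): ?string {
    return $store[hash('sha256', $token)] ?? null;
}

// Record how and when this session was authenticated. $session stands in
// for $_SESSION; after a real login also call session_regenerate_id(true).
function mark_login(array &$session, string $user, string $method, int $now): void {
    $session = ['user' => $user, 'method' => $method, 'auth_time' => $now];
}

// 'allow', 'login' (no identity at all) or 'reauth' (identity known,
// but a password must be entered again before a sensitive action).
function access_decision(array $session, bool $sensitive, int $now): string {
    if (!isset($session['user'])) {
        return 'login';
    }
    if (!$sensitive) {
        return 'allow';
    }
    $fresh = $session['method'] === 'password'
        && $now - $session['auth_time'] <= FRESH_AUTH_WINDOW;
    return $fresh ? 'allow' : 'reauth';
}

// Constructed walk-through: first visit, then a later visit with the cookie.
$store = []; $now = 1000000;
$first = [];
mark_login($first, 'alice', 'password', $now);
$cookie = issue_remember_token($store, 'alice');
echo access_decision($first, true, $now + 60), "\n";    // shortly after login
echo access_decision($first, true, $now + 3600), "\n";  // an hour later
$later = [];
$user = user_for_token($store, $cookie);
if ($user !== null) mark_login($later, $user, 'cookie', $now + 86400);
echo access_decision($later, false, $now + 86400), "\n"; // ordinary page
echo access_decision($later, true, $now + 86400), "\n";  // admin area
```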