<snip>

>What I'm looking to do is when a user logs in, I start up the session.. I
>then have the registered session var to verify they are authenticated as
>they move throughout the site.
>
</snip>

This solution is no guarantee that the authenticated user is in control 
during that session. The only thing you really *know* is that there was a 
successful authentication at the beginning of the current session and you 
would *assume* that the user is at the client screen during the 
complete session. (The authenticated user could leave the browser 
unattended.)

<snip>

>Now, when they close the browser and come back, I want them to still be
>authenticated.  
>
</snip>

The only thing you *know* for sure is that there was a valid 
authentication during some *previous* session. And that *some* user 
still has access to that client based on some client-specific authentication 
(pressing ESC during Windows login dialog). So what's your definition of 
'authenticated'?

<snip>

>What's the most secure way, that's not easily spoofed?  
>
</snip>

My point is this. You will never know for sure if the authenticated user 
is still in control in whatever session (not even the first). If you 
really need to be sure, you would use authentication more than once 
during a session. For example a first time login and then again just 
before the user wants to post or read important information.

If this is of no concern to your application, then it will be no problem 
to use cookies with some session identifier to allow continuing without 
authentication during the next session. But it might be wise to force 
authentication if a user were to enter some kind of admin area of your 
site during the second session.


Success


René




-- 
PHP General Mailing List (http://www.php.net/)
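
The distinction made in the message above, as an added example that is not part of the original post: the session records how and when the user authenticated, so a visitor recognised only by a cookie from a previous session is identified but must log in again before admin or other important pages. All function names, the 300-second window and `/login.php` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; the session array stands in for $_SESSION.
const REAUTH_MAX_AGE = 300; // seconds a password login counts as "fresh"

// Call right after the password was verified in the current session.
function mark_password_login(array &$session, int $userId, int $now): void
{
    $session['user_id']     = $userId;
    $session['auth_method'] = 'password';
    $session['auth_time']   = $now;
}

// Call when a returning browser presented a valid persistent cookie.
// All we know is that some previous session on this client authenticated.
function mark_cookie_login(array &$session, int $userId): void
{
    $session['user_id']     = $userId;
    $session['auth_method'] = 'cookie';
    $session['auth_time']   = 0; // never counts as fresh
}

function is_identified(array $session): bool
{
    return isset($session['user_id']);
}

function is_freshly_authenticated(array $session, int $now): bool
{
    return is_identified($session)
        && ($session['auth_method'] ?? '') === 'password'
        && ($now - ($session['auth_time'] ?? 0)) <= REAUTH_MAX_AGE;
}

// Guard for the admin area or an important post: ask for the password again.
function require_fresh_login(array $session, int $now): void
{
    if (!is_freshly_authenticated($session, $now)) {
        header('Location: /login.php?reauth=1'); // hypothetical login page
        exit;
    }
}

// Constructed demonstration with a plain array instead of $_SESSION.
$s = [];
mark_cookie_login($s, 42);                    // came back with the cookie
var_dump(is_identified($s), is_freshly_authenticated($s, time()));
mark_password_login($s, 42, time());          // typed the password again
var_dump(is_freshly_authenticated($s, time()));
```

In a real page, pass `$_SESSION` to these functions and call `session_regenerate_id(true)` after each successful password login.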