Ok, I'm probably asking something that's been asked ridiculous amounts of times before, but I'll go ahead and ask again since I'm finding it difficult to find a common method, or a preferred login and session handling process. So, here goes...

I am trying to do what everyone else in the web industry is doing, but I'm a bit new to session handling and login authentication. I have apache + mysql + php4 + ssl on my RH6.2 machine. I have --enable-track-vars on and this is my current setup:

1. login page has username and password text boxes and a link to my https login.php page.

2. after submit, login.php starts a session, opens the database, checks username and password, if valid, sets session variable $LOGGED_IN or something like it, sets $USERNAME, and loads the default php page for the user. If not valid, sets a session variable indicating the error, loads the login page again and displays an error message. login page destroys the session.

3. default page loads and checks the value of $LOGGED_IN. If 1, then continue loading page for $USERNAME, otherwise loads login page with error. All other pages follow this same procedure.

Questions about this:

- I also want to have a timeout on the login, user configurable. How would I add this in? Initially a 3 hour timeout would be nice. I'm storing last login and last activity times in the database as TIMESTAMP values. Should I check this along with $LOGGED_IN before loading the pages?

- What is the default timeout on a session? Can I configure that somehow? I can't seem to find a way to make php changes... someone mentioned php.ini somewhere, but I've modified this file with no effect. Even when moved to the configured directory for php.ini (found by doing phpinfo() call).

Any assistance, although most likely redundant, would be appreciated. There's so much to sift through and perhaps if someone just points to a good doc on authentication processes, that would help.

Thanks for all the help,
johnny p.
--
PHP General Mailing List (http://www.php.net/)
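Added example, not part of the original post: one way to combine the $LOGGED_IN check from step 3 with the 3 hour idle timeout asked about, written for current PHP rather than php4. The function names, the session keys and the /login.php?error=timeout URL are assumptions, and the last-activity time is kept in the session instead of the database.

```php
<?php
const IDLE_LIMIT = 3 * 60 * 60; // the 3 hour timeout from the post, in seconds

// Pure check (hypothetical helper): logged in AND active within the limit.
function session_is_valid(array $sess, int $now, int $limit = IDLE_LIMIT): bool
{
    if (empty($sess['logged_in']) || !isset($sess['last_activity'])) {
        return false;
    }
    return ($now - (int) $sess['last_activity']) <= $limit;
}

// login.php: call after session_start() and a successful password check.
function complete_login(string $username): void
{
    session_regenerate_id(true); // fresh session id at login, defeats fixation
    $_SESSION['logged_in'] = true;
    $_SESSION['username'] = $username;
    $_SESSION['last_activity'] = time();
}

// Top of every protected page. $limit can come from a per-user setting.
function require_login(int $limit = IDLE_LIMIT): string
{
    // Server-side session data is garbage-collected after
    // session.gc_maxlifetime (default 1440 s), so raise it to the limit.
    ini_set('session.gc_maxlifetime', (string) $limit);
    session_start();
    if (!session_is_valid($_SESSION, time(), $limit)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php?error=timeout'); // assumed login URL
        exit;
    }
    $_SESSION['last_activity'] = time(); // sliding window: reset on each hit
    return (string) ($_SESSION['username'] ?? '');
}

// Constructed sample sessions, evaluated at a fixed clock value (CLI only).
if (PHP_SAPI === 'cli') {
    $now = 1000000;
    $fresh   = ['logged_in' => true, 'last_activity' => $now - 60];
    $expired = ['logged_in' => true, 'last_activity' => $now - IDLE_LIMIT - 1];
    $anon    = ['last_activity' => $now];
    var_dump(session_is_valid($fresh, $now));   // bool(true)
    var_dump(session_is_valid($expired, $now)); // bool(false)
    var_dump(session_is_valid($anon, $now));    // bool(false)
}
```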