Not sure how to ask this question... I've always eschewed consulting a
database on page loads to determine if a user is logged in, primarily
because of latency issues. For example, you could store a nonce like the
session ID in a table for a user when they log in. Then each time they
arrive at a page which needs certain permissions to access, you'd check
the table for the nonce and compare it to the actual session ID or
whatever to determine that they're properly logged in. This seems
reasonable but suffers from the lag on the database link's
query-and-response lag time. So I've always preferred some solution
where something is dragged along in a session cookie instead. Maybe
something like the hash of user login, email and user name, which
wouldn't be there unless you'd put it there on login. But this latter
scheme just seems inherently less secure than consulting the table.

Is there any consensus or overwhelming argument one way or the other?

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
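
The two cookie schemes side by side, as an added example that is not part of the original post: an unkeyed hash of user fields next to an HMAC-signed token with an expiry, which can be checked without a database query. The function names, the key handling and the sample user are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Key, field names and the
// sample user are constructed for illustration.

// Scheme described in the post: an unkeyed hash of values that anyone who
// knows the user's details can recompute, so it proves nothing by itself.
function weak_token(array $u): string {
    return hash('sha256', $u['login'] . $u['email'] . $u['name']);
}

// Hardened variant: HMAC over user id + expiry, keyed with a server-only secret.
function issue_token(string $key, int $userId, int $ttl, int $now): string {
    $payload = $userId . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the user id, or null if the token is malformed, forged or expired.
function verify_token(string $key, string $token, int $now): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$uid, $exp, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid . '.' . $exp, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    return ((int)$exp >= $now) ? (int)$uid : null;
}

$key  = random_bytes(32);   // assumption: in practice loaded from server config
$user = ['login' => 'alice', 'email' => 'alice@example.com', 'name' => 'Alice'];
$now  = time();

// The weak value is reproducible from the three fields alone, no secret needed.
var_dump(weak_token($user) === hash('sha256', 'alicealice@example.comAlice'));

$token = issue_token($key, 42, 3600, $now);
var_dump(verify_token($key, $token, $now));          // fresh, untampered token
var_dump(verify_token($key, $token, $now + 7200));   // same token after expiry
$forged = preg_replace('/^42\./', '43.', $token);    // user id changed, MAC kept
var_dump(verify_token($key, $forged, $now));
```

A signed token like this cannot be revoked before its expiry without some server-side lookup, which is the trade-off against the session table described in the post.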
