Phillip S. Baker wrote:
> Okay Gents and Ladies,
>
> I am looking for more information on how best to do this.
>
> I have a MySQL back end.
> It houses a user's user_name and password.
>
> I have a secure area of the site that I only want members to view.
>
> The way I have it now is that the user logs in.
> If user_name and password match, cookies are set.
>
> Each page in the secure area checks for a variable in the cookie. If set,
> the user can view the page; if not set, the page redirects back to the
> login page.
>
> Now the first question is - how secure is this?
>
> Second question - what is a better, more secure way to handle this? Then,
> most importantly, where do I get information on how to go about doing that?
> I know nothing about sessions and would need some good links for that
> arena.
>
> Also I do not know much of anything about Object Oriented Programming.
>
> Thanks for the feedback.
>
> Phillip
It's not as secure as it could be, IMO. What is the 'value' in the cookie you are setting? "loggedin=1" or something like that? If so, people could fairly easily modify that cookie in a text editor.

What you should be doing is sending a big random value in the cookie, and matching that value up in a backend DB or file system. In the DB, keep the status of the user associated with that key. This is the basic principle behind 'sessions'.

"Then most importantly where do I get information on how to go about doing that?"

You come to our PHP training class March 25 - 29. :)

Michael Kimsal
http://www.tapinternet.com/php
PHP Training Courses
734-480-9961

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
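The scheme Michael describes, worked through as an added example (this code is not from either post on the list; it is written here to illustrate the reply). The weak "loggedin=1" cookie sits next to the token-based version: the browser only ever holds an unguessable random handle, and the "is this person logged in" fact lives in a table the server controls. The `sessions` table, its columns, the cookie name `sid`, the one-hour lifetime and all function names are assumptions made for the example; an in-memory SQLite database stands in for the MySQL back end so the script runs stand-alone, and the SQL is plain enough to move to MySQL unchanged.

```php
<?php
// Added example, not code from the original thread. Assumed names: the
// `sessions` table and its columns, the `sid` cookie, SESSION_TTL, and the
// helper functions below. SQLite in memory replaces the MySQL back end so
// this runs offline: php sessions.php
declare(strict_types=1);

const SESSION_TTL = 3600; // seconds a login stays valid (assumed value)

function db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Store a hash of the token, never the token itself: a leaked table
    // dump then does not hand out usable cookies.
    $pdo->exec('CREATE TABLE sessions (
        token_hash TEXT PRIMARY KEY,
        user_name  TEXT NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $pdo;
}

// The design from the question: the cookie carries the fact itself, so
// anyone can type it into a cookie editor and the check passes.
function weakCookieValue(): string {
    return 'loggedin=1';
}

// The fix: after the password check, mint a 256-bit random handle from the
// OS CSPRNG, record who it belongs to, and hand only the handle to the browser.
function createSession(PDO $pdo, string $userName): string {
    $token = bin2hex(random_bytes(32)); // 64 hex characters
    $stmt = $pdo->prepare('INSERT INTO sessions (token_hash, user_name, expires_at)
                           VALUES (:h, :u, :e)');
    $stmt->execute([
        ':h' => hash('sha256', $token),
        ':u' => $userName,
        ':e' => time() + SESSION_TTL,
    ]);
    return $token;
}

// What every protected page does instead of "is the cookie set?": look the
// handle up and get back the user it was issued to, or null for anything
// malformed, unknown, forged or expired.
function userForToken(PDO $pdo, ?string $token): ?string {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // not even the right shape: treat as logged out
    }
    $stmt = $pdo->prepare('SELECT user_name FROM sessions
                           WHERE token_hash = :h AND expires_at > :now');
    $stmt->execute([':h' => hash('sha256', $token), ':now' => time()]);
    $user = $stmt->fetchColumn();
    return $user === false ? null : (string) $user;
}

// Logout: delete the row. A copied cookie is worthless once the row is gone,
// which "unset the cookie" on the client side can never guarantee.
function destroySession(PDO $pdo, string $token): void {
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
}

// How the login page hands the handle to the browser (assumed cookie name).
// HttpOnly keeps scripts from reading it; Secure keeps it off plain HTTP.
function sendSessionCookie(string $token): void {
    setcookie('sid', $token, [
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Stand-alone walk-through from the command line.
$pdo   = db();
$token = createSession($pdo, 'phillip');       // constructed sample user
var_dump(userForToken($pdo, $token));          // the real handle resolves to the user
var_dump(userForToken($pdo, str_repeat('a', 64))); // a guessed handle matches no row
var_dump(userForToken($pdo, weakCookieValue())); // the forged "loggedin=1" is rejected
destroySession($pdo, $token);
var_dump(userForToken($pdo, $token));          // the old handle is dead after logout
```

In a real page the login handler calls `createSession()` and then `sendSessionCookie()`, and each protected page calls `userForToken($pdo, $_COOKIE['sid'] ?? null)` and redirects to the login form on null. The lookup is keyed on a SHA-256 of the token, so the 32 bytes of randomness are what an attacker has to guess, and a database leak does not become a session leak.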