Hello,
Some of my websites require authentication. The logins and passwords of the members are stored in a MySQL database. The login form checks in the DB whether the login/password pair exists. If so, a session variable is created (LOGGED=true). On each secured page, I check whether this session variable is set to true. The memberid is propagated into all pages. The problem is that an authenticated member can change the memberid in the address bar. So, he can use the account of another member.
I think the solution is to store the memberid in a session variable and propagate only the session id (not the memberid).
Is it the right way to do it? I don't know how sessions work and I would like to have your advice. If you know a better solution, please tell me.
Many thanks for helping.
Vincent.
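The two designs described in the post, written out as an added example (not code from the original post) in Python, with in-memory dictionaries standing in for the MySQL table and the server-side session store; the user names, passwords and ids are constructed for illustration:

```python
import secrets

# Constructed stand-ins for the users table and the server-side session store.
# Passwords are kept in clear only to keep the example short; a real table
# holds a password hash.
USERS = {"vincent": "hunter2", "alice": "s3cret"}   # login -> password
MEMBER_IDS = {"vincent": 1, "alice": 2}             # login -> memberid
SESSIONS = {}   # session id -> {"LOGGED": True, "memberid": ...}, server side only


def login(login_name, password):
    """Check the login/password pair; on success create a server-side session
    that records the memberid and return only the opaque session id, which is
    the sole value the client gets to carry around (cookie or URL)."""
    if USERS.get(login_name) != password:
        return None
    sid = secrets.token_urlsafe(32)   # unguessable, so it cannot be edited into another member's
    SESSIONS[sid] = {"LOGGED": True, "memberid": MEMBER_IDS[login_name]}
    return sid


def _logged_in_session(sid):
    sess = SESSIONS.get(sid)
    return sess if sess and sess.get("LOGGED") else None


def profile_vulnerable(sid, query):
    """The original design: the page trusts a memberid sent by the client,
    so any logged-in member can read another account by editing the address bar."""
    if _logged_in_session(sid) is None:
        return "login required"
    return f"profile of member {query['memberid']}"


def profile_fixed(sid, query):
    """The proposed fix: identity comes only from the server-side session;
    a memberid in the query string is ignored."""
    sess = _logged_in_session(sid)
    if sess is None:
        return "login required"
    return f"profile of member {sess['memberid']}"
```

With the fixed page, changing `memberid` in the URL has no effect, because the server looks it up from the session keyed by the session id it issued.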