Session variables

Anon

Hi all,

I had some problems with user management etc..
I can´t change the PHP_AUTH_PW so when I allow a user to change his or her password they are then rejected by the system.. To solve this I want to use sessions... Every thing seems to be working but I have one problem .. How can I change the session variable so it is change at the same time the user changes the password so the database and the session var are the same??

Thanks in advance

[deleted]

Why would you need to change anything about the session when they change their password?

Anon

Vincent,

Since every protected page will call the script given in the question.. the user won´t get access if they change the password..

Here is the deal.. the session will receive username x with password x and use this the whole session.. now the user changes password x to y in the database.. when going to the next page the system will check password x from the session with password y in the database and refuse the user since the passwords don´t match.

My goal is to change the session password to y so the user doesn´t even notice the change..

Kind regards,

Peanuts

[deleted]

You are making a classic mistake.

You shouldn't use the username and password in the session data.
This is a security risk and serves no purpose.
All you need is a flag in the session-data that says 'loggedin'
The only way to get that flag set in the session is to let the user log in using his username and password. That is the only time the password is used.

When the user logs off, you set the flag to 'notlogged in'.

Now when a user changes the password, nothing need to change in the session at all.

Anon

I still have a problem with this.. how can I set a session var without giving the user a possibility to set it directly.. for instance
If I want to use a login var I don't want the user to have the possibility to access the page just by calling it with ?logon=ok behind the page name..

Please help....

[deleted]

Session vars overrule POST and GET vars, so you can't just say '?login=1'