login module

thoand

I am making a login module and need som input, if I have overseen anything.

A form (action=post) with loginname and username field, submit.
On the next page, I start a session connects to the database and compare the parameters with the data.

if data num_rows() > 0
I register the db table id, and redirects to the welcome page.

else !num_rows() > 0, the user is redirected to the forms.
redirecting = header("location: ");

The welcome page and all other pages I have an include on the top of every page.
This code is like:

session_start();
if (!$_SESSION[sess_security_id] > 0) {
echo "NO ACCESS!. <a href='./index.php'>Login page</a>";
exit;
}

Is there anything I have overseen here?
I would like this to be as secure as possible.

any comments etc.
please notify me.

thanks in advance,
Thomas Andersen

GBahle

this looks good.

Two things though: It may be neccessary to check if your session variable is set (use isset()) before you check its value.

Second: From your db structure it's obvious that there'll be multiple user types. Be certain not only to check the session_security_id, but also the user type on EVERY page. Else someone could conceivably bypass the "login"-page to e.g. the admin pages and do whatever he wants to.