Security question

Rodders

Simple question.

I am using sessions on my site for my login system. Each page that is secured will need to check whether the user has logged in or not.

How best to do this:
1) Use a SESSION variable called $loggedin which is set to Y or true.

2) Use SESSION variables to store username/password which will be checked against the database on every page.

I'm guessing option 1) is as secure as option 2) without unnecessary database hits.

Any suggestions.

xgoat

I dont think it really matters which you use - users cant access the session variables, unless you provide them with some means to do so in your scripts - so with the option where you store the user/password, you just have to make sure that there are no holes in ur scripts.

Robert

planetsim

As sessions work on the Server it is possible for hijacking.. Hackers could access personal data like passwords as they will most likely not be encrypted..

I suggest just looking after there username and thats it really. Other than that.. Make sure they work perfectly and test them heaps. Loggin in logout. With different usernames.

Something happened to me.. When i did that. The session had the same one.. So if i logged in as myname it would display myname then if i logged out and logged in as a different name i got myname still... So be careful the way they are set out.