Okay, after a long while, I've finally managed to figure out sessions enough to make them work. My question now is this:
I have an area where people have to log in with a username and a password. When logging in, the script compares their md5(password) to the password in the database (already run through md5). If they match, then the following sessions are registered:
loggedin
userid (their unique autoincremented number in the database)
username
Now, any functions in the user area first check to make sure that they are logged in (using if(isset($_SESSION['loggedin']))) and anything that they do is based off of their userid (i.e. update their member information where userid is the same as the global session userid variable and so on).
So. Does this seem fairly secure? Are there any major holes that someone could take advantage of? Any suggestions would be appreciated.
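An added example, not part of the original post: the login flow described above, rewritten to store passwords with PHP's password_hash() instead of plain md5, upgrade old md5 rows on the next successful login, and issue a fresh session id when the user logs in. The $users array standing in for the database, the sample accounts, and the function names login() and require_login() are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the users table (assumption): alice still has a
// legacy md5 hash as in the post, bob already has a password_hash() value.
$users = [
    'alice' => ['userid' => 1, 'hash' => md5('correct horse')],
    'bob'   => ['userid' => 2, 'hash' => password_hash('hunter2!', PASSWORD_DEFAULT)],
];

// Hypothetical login routine that registers the three session values from the post.
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username]['hash'];
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;   // md5 hex digest
    $ok = $legacy
        ? hash_equals($stored, md5($password))                 // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }
    // Replace legacy or outdated hashes now that the plaintext is known
    // (an UPDATE statement in a real database).
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    session_regenerate_id(true);   // new session id at login, against session fixation
    $_SESSION['loggedin'] = true;
    $_SESSION['userid']   = $users[$username]['userid'];
    $_SESSION['username'] = $username;
    return true;
}

// Hypothetical guard for user-area functions: returns the userid or stops.
function require_login(): int
{
    if (($_SESSION['loggedin'] ?? false) !== true) {
        http_response_code(401);
        exit('Not logged in');
    }
    return (int) $_SESSION['userid'];
}

session_start();
$rejected = login($users, 'alice', 'wrong guess');
$accepted = login($users, 'alice', 'correct horse');   // also upgrades the md5 row
echo json_encode([$rejected, $accepted]), ' userid=', require_login(), "\n";
```

The guard compares `loggedin` strictly against `true` rather than using isset() alone, and every user-area query keeps taking the userid from the session, never from request parameters.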