What I would do is, when they log in, give them a session with their id and their email, and logged_in set to 1 (true). Then, in that change part, instead of sending the id, just get it from the session if they have one, and also check the email address (if you have that field) against the database one; if all matches, then let them change the stuff. Another way would be to have a session for the password in md5() or password() form straight from the db instead of the email address session, and check that against the db. I would say that is the best, most secure way.
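The first approach in the post (identity taken from the server-side session rather than from the request, with the session email re-checked against the database row before the write), as an added PHP example that is not the poster's code. It assumes a PDO connection `$pdo` and a hypothetical `users` table with columns `id`, `email`, `password_hash` and `display_name`; the login check uses PHP's `password_verify()` against a stored hash rather than the md5()/password() forms the post mentions. The insecure variant is included alongside the hardened one to show exactly what moving the id into the session fixes.

```php
<?php
// Added example (not the poster's code). Assumes a PDO connection $pdo and a
// hypothetical `users` table with columns id, email, password_hash, display_name.

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Fresh session id on the privilege change, so an id issued before login
    // cannot be reused for the authenticated session.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = 1;
    $_SESSION['id']        = (int) $user['id'];
    $_SESSION['email']     = $user['email'];
    return true;
}

// Insecure pattern: the id comes from the client, so any logged-in user can
// edit any other user's row by changing the number in the request.
function updateDisplayNameInsecure(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare('UPDATE users SET display_name = ? WHERE id = ?');
    $stmt->execute([$post['display_name'], $post['id']]); // client-controlled id
}

// Hardened pattern: identity is read only from the session, and the session's
// email is compared with the row for that id before anything is written.
function updateDisplayName(PDO $pdo, string $displayName): bool
{
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['id'], $_SESSION['email'])) {
        return false; // no authenticated session
    }
    $stmt = $pdo->prepare('SELECT email FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['email'], $_SESSION['email'])) {
        session_destroy();
        return false; // session no longer matches the account record
    }
    $stmt = $pdo->prepare('UPDATE users SET display_name = ? WHERE id = ?');
    return $stmt->execute([$displayName, $_SESSION['id']]);
}

// Usage inside a request handler (session_start() must run first):
// session_start();
// if (login($pdo, $_POST['email'], $_POST['password'])) { /* redirect */ }
// updateDisplayName($pdo, $_POST['display_name']);
```

The UPDATE in the hardened version never sees a user-supplied id at all; the only way to change row N is to hold a session that was created by a successful login as user N, and the email comparison catches a session whose account has since been changed or deleted.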