Creating forum, use loggedin=true, or dblcheck un,pw

ps2gamer

I am trying to gather ideas on creating a forum but I have stumbled into a few problems. Lets say if someone logs in, it creates $_SESSION['loggedin'] = true.

And forevery page that needs the user to be logged in it checks for


if($_SESSION['loggedin'] == true) {
// show page
} else {
echo "Login dummy";
exit;
}

Is it safe going about it like that? Or should i have it check for the user id and password session.

if(isset($_SESSION['uid']) && isset('$_SESSION['pword'])) {
// check to make sure the userid in session matches exists in DB
   if ($exists) {
       // Check to make sure that the       userid matches the session password
      if ($_SESSION['pword'] == $dbpw) {
                  // LOGGED IN!!!!!
      } else {
            // not logged in
       }
    } else {
    // not logged in
    }
} else {
// NO session found (not logged in)
}

Which way is more secure and efficent??
In other words, which one should i use?

ShawnK

It's fairly safe to just use session, what you should do is add a session var called usrlevel or something like that so normal users cannot get into admin type stuff. You really don't need to re-check the password, because in order to have that var true they had to login already...but if it's a like mission critical type script you should get into checking session id's.

just use:

if(!isset($_SESSION['username'])){

echo "Your not logged in you foo!";
header("Location: whateverurloginpage.php");

} elseif(isset($_SESSION['username']) && $_SESSION['level'] > "0"){

echo "your logged in!";

// all your top secret info.....

} else { 

echo "There has been a login erroR!";
header("Location: whateverurloginpage.php");

}

That would work if you have a userlevel system set up..."0" being a non-logged in person, 1 being normal logged in user, and "3" being admin.

It'll just check to make sure your AT LEAST a logged in user.

Now, if people can still view parts of the page without loggin in then instead of:

echo "your logged in!";

// all your top secret info.....

} else {

do:

$loggedin = "hellya";

} else {

and then have all the compnents test to see if logged in == hellya.

[edit]doing the password in session is naughty! lol it's not very safe to store it in the session unless you encrypt it...but thats kinda too much code!

ps2gamer

so if someone is logged in, with a user level of 1, there is absolutely no way of changing his level? (aka hacking it)

ShawnK

The user cannot change this unless you have a a page on your site that will upgrade his level to something higher.

unless....he/she has the same host as you!