script security

aharrover

Hi all:

I've got a quick question. I'm writing an application that needs to be pretty secure. I'm planning on doing all of my authentication in php against a mysql server that will be hosted seperately. In order to control access to my php scripts, I get the user to login and then set a $_SESSION["s_id"] variable that holds their userid from the database. This variable is checked in each script to make sure that it's set and valid. Is this a good way?

planetsim

Yes sessions can be enough, depending on how secure. Personally its probably better than using Cookies, however Sessions are vunerable to session hi-jacking. Also try to avoid having the session id hanging off a URL its one way session hi-jacking can occur. You may want to search the board on Sessions security also and compare with cookies there are quite a few threads on the each topics as well as the comparisons.