donkeychoker wrote:
At present my login form sessions the username and password and all the pages that I want securing just check that both the username and password sessions are set (isset), if not then the page displays the login form.
Well, that's OK, provided your authentication at the point of logon is secure, and you don't mind them continuing to be authenticated indefinitely afterwards.
Is it better to check the session data against the info in the database on every page instead? (obviously using the include page)
It depends. If you're storing stuff in the session which might change, it's worth checking it on every page.
The classic example is trying to disable someone's account who's already logged on - this should be feasible.
Personally, I don't use sessions (much) for authentication, instead using a random token which is assigned per account (and stored in a cookie).
Upon any change of authentication or authorisation for that account, I will change this random token (to a new random value, or none). This forces their existing sessions to be logged off and require logging on again - which of course may be impossible if they don't know the new details.
Looking up their details on every page is a good idea if you are concerned that they may change while the user is logged on - and only normally requires one query.
Mark
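
The scheme described in the reply above, as an added PHP example that is not part of the original post: a per-account random token stored in a cookie, looked up with one query per page and rotated on any change of authentication. The table and column names, the `id:token` cookie format, the helper function names and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example. Table, column and cookie-format names are assumptions;
// an in-memory SQLite database stands in for the real accounts table.
declare(strict_types=1);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password_hash TEXT, enabled INTEGER NOT NULL DEFAULT 1, auth_token TEXT)');

// Give the account a new random token, or none. Call this on logon and on any
// change of authentication or authorisation (password, role, disabling).
function rotate_token(PDO $db, int $id, bool $issue = true): ?string {
    $token = $issue ? bin2hex(random_bytes(32)) : null;
    $db->prepare('UPDATE accounts SET auth_token = ? WHERE id = ?')
       ->execute([$token, $id]);
    return $token;
}

// Per-page check, one query: returns the account row, or null if the cookie
// is malformed, the account is disabled, or the token has been changed.
function current_account(PDO $db, ?string $cookie): ?array {
    if ($cookie === null || !preg_match('/^(\d{1,9}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $st = $db->prepare('SELECT id, username, enabled, auth_token FROM accounts WHERE id = ?');
    $st->execute([(int) $m[1]]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !$row['enabled'] || $row['auth_token'] === null) {
        return null;
    }
    // Constant-time comparison of the stored token with the cookie's token.
    return hash_equals($row['auth_token'], $m[2]) ? $row : null;
}

function report(string $step, ?array $account): void {
    echo str_pad($step, 28), $account ? "logged on as {$account['username']}" : 'login form', "\n";
}

// Constructed sample account and a walk through the cases from the post.
$db->prepare('INSERT INTO accounts (id, username, password_hash) VALUES (1, ?, ?)')
   ->execute(['alice', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);
$cookie = '1:' . rotate_token($db, 1);   // value the logon page would set as the cookie
report('after logon', current_account($db, $cookie));
rotate_token($db, 1);                    // e.g. password changed
report('old cookie after change', current_account($db, $cookie));
$cookie = '1:' . rotate_token($db, 1);   // user logs on again with new details
$db->exec('UPDATE accounts SET enabled = 0 WHERE id = 1');
rotate_token($db, 1, false);             // account disabled: no token at all
report('after account disabled', current_account($db, $cookie));
```

In a real page the cookie value would be sent with `setcookie()` using the `secure` and `httponly` options, and `current_account()` would live in the shared include that every protected page loads.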