Is my authentication secure like this?
Another question:
I found a lot of "tutorials" where username or even password and a bunch of other info gets retrieved from a db and then is stored in $_SESSION.
I find this a) unnecessary, since often this data is not even used, and if it needs to be used it can be retrieved from the db right when it is actually used, and b) potentially unsafe. Correct?
auto_prepended authentication code:
<?php
//file: authenticode.php
// Loaded through auto_prepend_file, so it runs before every page on the site.
session_start();
if (!isset($_SESSION['session_id'])) {
    // Not logged in yet: the page is only served when a POSTed username/password pair checks out.
    $ok = isset($_POST['user'], $_POST['pwd']) && auth($_POST['user'], $_POST['pwd']);
    if (!$ok) {
        include('login.php');
        exit;
    }
    // Mark the session as authenticated by storing its own id.
    $_SESSION['session_id'] = session_id();
}
function auth($user, $pwd)
{
    $dbServer = '';
    $dbUser = '';
    $dbPwd = '';
    $dbDb = '';
    $conn = new mysqli($dbServer, $dbUser, $dbPwd, $dbDb);
    // Prepared statement: the credentials are bound as parameters, never interpolated into the SQL.
    $stmt = $conn->prepare('SELECT UserName FROM tUser WHERE UserName = ? AND UserPwd = ?');
    $stmt->bind_param('ss', $user, $pwd);
    $stmt->execute();
    $stmt->bind_result($userName);
    // A matching row means the username/password pair exists in tUser.
    $found = (bool) $stmt->fetch();
    $stmt->close();
    $conn->close();
    return $found;
}
?>
A login page:
<?php
//file: login.php
echo '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="Language" content="german, de, deutsch" />
<meta http-equiv="Content-Language" content="de" />
<title>Login</title>
</head>
<body>
<div style="width: 30%; padding: 1em; background-color: lightgray">';
// Post back to the page that was originally requested; escape the path before echoing it into HTML.
echo '<form action="' . htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'ISO-8859-1') . '" method="post">';
echo '<fieldset style="padding: 1em">
<label for="user">Username</label>
<input type="text" name="user" id="user"/>
<br />
<br />
<label for="pwd">Password</label>
<input type="password" name="pwd" id="pwd"/>
<br />
<br />
<input type="submit" name="submit" value="Submit" />
</fieldset>
</form>
</div>
</body>
</html>';
?>
a meaningless test page:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="Language" content="german, de, deutsch" />
<meta http-equiv="Content-Language" content="de" />
<title>MyUserPage</title>
</head>
<body>
<div style="width: 30%; padding: 1em; background-color: lightgray">
<a href="logout.php">logout</a>
<br />
<p>user-specific and protected content goes here</p>
</div>
</body>
</html>
a logout page:
<?php
//file: logout.php
session_start();
// Remove the authenticated marker so authenticode.php shows the login form again.
unset($_SESSION['session_id']);
echo '<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Logout</title>
</head>
<body>
<div style="width: 30%; padding: 1em; background-color: lightgray">
<p style="text-align: right">Thanks for visiting</p>
</div>
</body>
</html>';
?>
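An added example, not code from the question, of the same login flow hardened along the lines the question itself hints at: only the user id is kept in `$_SESSION` and everything else is read from the database when a page needs it. Two further points visible in the posted `auth()` are addressed as well: the posted query binds the submitted password straight against a `UserPwd` column, so the table has to hold passwords in a directly comparable (plaintext) form, and the posted code never rotates the session id after login. Assumptions made here so the file runs stand-alone: PDO with an in-memory SQLite database stands in for the poster's MySQL server (only the DSN changes for MySQL), the column names `UserId`/`UserName`/`UserPwdHash` are invented for this demo, and the `alice` user is a constructed test record.

```php
<?php
// Added example (not from the original post): hardened version of authenticode.php.
// Assumptions: SQLite via PDO instead of the poster's MySQL server; the tUser
// columns UserId / UserName / UserPwdHash are invented for this demonstration.
declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumption: in-memory SQLite so the script runs offline; for MySQL swap the DSN.
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE tUser (
            UserId INTEGER PRIMARY KEY AUTOINCREMENT,
            UserName TEXT NOT NULL UNIQUE,
            UserPwdHash TEXT NOT NULL)');
    }
    return $pdo;
}

// The table stores a salted hash produced by password_hash(), never the password.
function registerUser(string $user, string $pwd): void
{
    $stmt = db()->prepare('INSERT INTO tUser (UserName, UserPwdHash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pwd, PASSWORD_DEFAULT)]);
}

// Returns the UserId on success, null on failure. The query only looks up the
// username; the password is checked in PHP with password_verify().
function auth(string $user, string $pwd): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused', PASSWORD_DEFAULT);
    $stmt = db()->prepare('SELECT UserId, UserPwdHash FROM tUser WHERE UserName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown users are verified against a dummy hash so response time does not
    // reveal whether the username exists.
    $ok = password_verify($pwd, $row['UserPwdHash'] ?? $dummyHash);
    return ($ok && $row !== false) ? (int) $row['UserId'] : null;
}

// Start the session with hardened cookie flags (PHP 7.3+ array form).
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,  // not readable from JavaScript
        'secure'   => true,  // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful auth: rotate the session id so an id planted on the victim
// before login (session fixation) is not promoted to an authenticated session,
// and keep only the user id. Other user data is read from tUser when needed.
function loginSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId];
}

function isLoggedIn(): bool
{
    return isset($_SESSION['user_id']);
}

// Full logout: clear server-side data, expire the cookie, destroy the session.
function logoutSession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Replacement for the auto-prepended check: a failed login always ends in login.php.
function requireLogin(): void
{
    startSession();
    if (isLoggedIn()) {
        return;
    }
    if (isset($_POST['user'], $_POST['pwd'])) {
        $id = auth((string) $_POST['user'], (string) $_POST['pwd']);
        if ($id !== null) {
            loginSession($id);
            return;
        }
    }
    include 'login.php';
    exit;
}

// Stand-alone check of the database side when run from the command line.
if (PHP_SAPI === 'cli') {
    registerUser('alice', 'correct horse battery staple'); // constructed test user
    var_dump(auth('alice', 'correct horse battery staple'));
    var_dump(auth('alice', 'wrong'));
    var_dump(auth('nobody', 'unused'));
}
```

Run it with `php hardened.php` to exercise the database side; in a web context, call `requireLogin()` from the auto-prepended file and `logoutSession()` from logout.php. Because `$_SESSION` holds only the user id, nothing sensitive sits in the session store, and a change to the user's record (for example a password reset) takes effect on the next page load without anything cached in the session going stale.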