You need to check against a value that was registered as a session
variable. There is no use in checking if some SSL variable is set. Here's
a simplified version of my check_session function that I run at the top of
every page that requires a session to be established.
I also write to the session file on every click. This lets me know how many
sessions are "actually" active. I have a session deletion script that runs
every minute to check the date of the session file; if it's older than a
defined time, it will remove the session file.
The session deletion script is available at http://database.sf.net/
Any other ideas to make a session more secure?
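function check_session() {
    session_start();
    // Only a value registered in the session proves the user logged in
    if (session_is_registered('user_id')) {
        return TRUE;
    } else {
        // No registered user_id: send the visitor to the login page
        header("Location: login.php");
        exit;
    }
}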
--
PHP General Mailing List (http://www.php.net/)
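
The stale-session sweep described in the message above, as an added example that is not the poster's script and not part of the original message. It assumes PHP's file-based session handler (files named sess_<id>), an application that writes the session file on every request, and a find that supports -maxdepth and -mmin; the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: expire idle PHP session files by modification time.
# Assumption: session files are named sess_<id> and are rewritten on every
# request, so the file's mtime is the time of the user's last click.

# purge_stale_sessions DIR MAX_IDLE_MINUTES
# Removes sess_* files not modified within MAX_IDLE_MINUTES and prints the
# number of session files that remain (the sessions still active).
purge_stale_sessions() {
    dir=$1
    max_idle=$2

    # Reject bad arguments so a broken cron line cannot sweep the wrong place.
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $max_idle in
        ''|*[!0-9]*) echo "idle limit must be whole minutes" >&2; return 2 ;;
    esac

    # -maxdepth 1 : stay inside the session directory
    # -type f     : regular files only, so symlinks are never followed or removed
    # -name sess_*: leave any other file in the directory alone
    # -mmin +N    : last modified more than N minutes ago
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin +"$max_idle" \
        -exec rm -f -- {} +

    # Whatever is left was written inside the idle window.
    find "$dir" -maxdepth 1 -type f -name 'sess_*' | wc -l | tr -d ' '
}
```

Run from cron as the user that owns the session directory, the printed count gives the number of sessions active within the idle window.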