Why do you need the secret variable? If your server is set up correctly, the user can't create any session variables, all they can do is create a session ID. So you could just check for a user-id and you'd be good.
---John Holmes...

----- Original Message -----
From: "Jackson Miller" <[EMAIL PROTECTED]>
To: "'Bryan McLemore'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, September 23, 2002 4:06 PM
Subject: RE: [PHP-DB] advise needed for 'authorized only' site

> > you could make them log in once per session and just have
> > every page check and see if they already have logged in and
> > if they have not then trigger the login mechanism.
>
> This is what I do. I have a file/function called verify that I call at
> the top of every page that I want secure (and any page that might just
> perform an action and then redirect to a page that displays content).
>
> Here is how my authentication system works:
>
> 1) On any page a session is started if one doesn't already exist.
>
> 2) When they submit login information it is checked against
> the database.
>
> 3) If the login is approved, I session_register() the user_id field, the
> user_level (if applicable), and a variable called valid.
>
> 4) I set valid equal to the md5 hash of user_id.user_level.secret_variable
> (secret variable is a variable set in the code so only the server knows
> it).
>
> 5) On every page the verify function checks to make sure that the
> variable $valid is equal to the md5 of
> user_id.user_level.secret_variable (This works because the session
> knows the user_id, and user_level, and the server knows the secret
> variable).
>
> Hope this helps.
>
> -Jackson
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
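For reference, the five-step scheme Jackson describes, written out as an added example (not code from either poster): it uses $_SESSION instead of the old session_register(), hash_hmac() in place of md5() over a bare concatenation, and hash_equals() for the comparison. SECRET_KEY, markLoggedIn() and the /login.php redirect target are placeholders.

```php
<?php
// Added example, not from the thread. SECRET_KEY is a placeholder:
// in practice load a long random value from config outside the web root.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';

// Steps 3 and 4: after the database check passes, store the identity and
// bind it to a token only the server can compute.
function markLoggedIn(int $userId, int $userLevel): void
{
    session_regenerate_id(true);            // new ID once privileges change
    $_SESSION['user_id']    = $userId;
    $_SESSION['user_level'] = $userLevel;
    $_SESSION['valid']      = makeToken($userId, $userLevel);
}

function makeToken(int $userId, int $userLevel): string
{
    // The separator keeps (1,23) and (12,3) from hashing identically,
    // which plain user_id.user_level concatenation would allow.
    return hash_hmac('sha256', $userId . '|' . $userLevel, SECRET_KEY);
}

// Step 5: called at the top of every protected page.
function verify(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['user_level'], $_SESSION['valid'])) {
        return false;
    }
    $expected = makeToken((int) $_SESSION['user_id'], (int) $_SESSION['user_level']);
    // Constant-time comparison; a loose == compare is the wrong tool here.
    return hash_equals($expected, (string) $_SESSION['valid']);
}

session_start();                            // step 1
if (!verify()) {
    header('Location: /login.php');         // trigger the login mechanism
    exit;
}
```

As the reply above notes, when the session store is server-side and the client controls only the session ID, the token mainly guards against a misconfiguration that lets request data populate session variables; it is cheap insurance rather than the primary control.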