Quick question...

I have a site where users log in, they put their user name and password in
a form and if they are verified against the database, session variables are
created,

$_SESSION['user'];
$_SESSION['pass'];

and they get sent to the next page by way of,

header("Location: https://www.mysite.com/login/");  // not a real site

On that page, and all other pages for which I want to control access, I then
put a little access control script (actually, an include file) at the top of
each page that checks to see that $_SESSION['user'] is present.  If
$_SESSION['user'] is *not* present, I send them back to the login page.  If
$_SESSION['user'] *is* present, they're granted access to the page.

Here's the question:

Is it simply enough to just check that $_SESSION['user'] is present, and
therefore, by that alone assume the user has logged in and should be granted
access?  Or, should I be verifying the $_SESSION['user'] and
$_SESSION['pass'] against the database on every page?

The reason I ask is that an article (tutorial) on access control runs a
script that hits the database every page.  But, to me, that seems like a
waste because simply having the $_SESSION['user'] present means they've
already logged in.  Am I missing something here?

Thanks, as always!

Jeff


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
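
The access-control include described in this post, written out as an added example (not part of the original message or of any reply). It checks for `$_SESSION['user']` without a database query on each page; the `/login.php` path, the 30-minute idle limit and all function names are assumptions made for illustration.

```php
<?php
// access_control.php: added example, not code from the original post.
// LOGIN_URL, IDLE_LIMIT and the function names are hypothetical.

const LOGIN_URL  = '/login.php';  // assumed path of the login form
const IDLE_LIMIT = 1800;          // assumed idle timeout in seconds

/**
 * True when the session array describes a logged-in user who has been
 * active within IDLE_LIMIT. Pure function, so the rule can be exercised
 * with a plain array instead of a live session.
 */
function session_is_valid(array $session, int $now): bool
{
    if (!isset($session['user'], $session['last_seen'])) {
        return false;
    }
    return ($now - $session['last_seen']) <= IDLE_LIMIT;
}

/** Call once, after the user name and password were verified against the database. */
function mark_logged_in(string $user): void
{
    session_regenerate_id(true);     // issue a fresh session ID at login
    $_SESSION['user']      = $user;  // identity only; no password is kept
    $_SESSION['last_seen'] = time();
}

/** Gate for protected pages: require this file, then call require_login(). */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_URL);
        exit;  // header() alone does not stop the protected page from running
    }
    $_SESSION['last_seen'] = time();  // slide the idle window forward
}
```

With PHP's default session handler the `$_SESSION` array is stored on the server and the browser holds only the session ID, so the values read by `session_is_valid()` are the ones `mark_logged_in()` wrote.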
