Thanks in advance.
I always create a session. In this session I make a note of their login, date logged in, and their IP address.
Whenever they go to a new page or do anything, I check to be sure the first 3 blocks of their IP address match that which was put in the session when they logged in. The reason I don't go for an exact match is because some people whose ISPs have dynamic IP allocation will change the last block every time they go to a new page.
There are various other bits of information you can gather using $_SERVER[] variables that you can then check against them later on, in order to prevent session hijacking.
User enters their username and password, and you check it against what you have on file. If they both match:
-----
<?php
session_start();
$_SESSION['login'] = "yes";
// $user_id is the unique user id that matches the username/password
// combination you just validated against your records
$_SESSION['user_id'] = $user_id;
?>
-----
Then, on every page they would go to while logged in (your registered user only parts of the site) you would have:
-----
<?php
session_start();
// Refuse the request unless the login flag was set when they logged in
if (!isset($_SESSION['login']) || $_SESSION['login'] !== "yes")
{
    exit();
}
?>
-----
Then when you want to update or insert something that they are creating/uploading/etc. you would get their user_id from the $_SESSION['user_id'] variable, so you can later determine who that thing belongs to.
-----------
This is very basic, and would probably work if you're not doing anything sensitive (credit card #'s, etc). I generally like to insert their IP address into the session, then check against it to be sure they haven't been hijacked.
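The login and per-page checks described in the two posts above, combined into one added example (not any poster's code). It assumes IPv4 addresses and a hypothetical lookup_user() that returns the user's id when the username/password pair validates:

```php
<?php
// Added example: store login data plus an IP prefix and user-agent hash in the
// session at login, and verify them on every protected page.
session_start();

// First three IPv4 octets, as the post suggests, so a changing last octet on a
// dynamic ISP allocation does not log the user out. (Assumption: IPv4 only.)
function ip_prefix(string $ip): string {
    $parts = explode('.', $ip);
    return implode('.', array_slice($parts, 0, 3));
}

function login_user(int $user_id): void {
    // Issue a fresh session id on login so an id handed out before
    // authentication cannot be reused as an authenticated one
    session_regenerate_id(true);
    $_SESSION['login']      = 'yes';
    $_SESSION['user_id']    = $user_id;
    $_SESSION['login_time'] = time();
    $_SESSION['ip_prefix']  = ip_prefix($_SERVER['REMOTE_ADDR']);
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function require_login(): int {
    $ok = isset($_SESSION['login'], $_SESSION['user_id'],
                $_SESSION['ip_prefix'], $_SESSION['ua_hash'])
        && $_SESSION['login'] === 'yes'
        && hash_equals($_SESSION['ip_prefix'], ip_prefix($_SERVER['REMOTE_ADDR']))
        && hash_equals($_SESSION['ua_hash'],
                       hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''));
    if (!$ok) {
        // Mismatch: treat the session as possibly hijacked and discard it
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Please log in again.');
    }
    return (int) $_SESSION['user_id'];
}

// Login page (lookup_user is hypothetical):
//   $user_id = lookup_user($_POST['username'], $_POST['password']);
//   if ($user_id !== null) { login_user($user_id); }
// Protected page:
//   $uid = require_login();   // $uid is the owner of whatever gets inserted
```

The login_time value is stored so a page can also expire sessions older than a chosen limit, which the posts mention but do not show.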
BTW, I tested it on separate modules and it worked. But when I use the checking on the opensource software that I am using, it doesn't seem to use sessions. I saw something like a "setcookie" command and cannot find any module that uses the $_SESSION command.
This is hopeless.
From what I understand, sessions will work even if a user has cookies turned off. This is why I went that route rather than mess with cookies.
The difference between a cookie and a session is that a cookie is stored on the user's computer, while a session is all maintained on the server. Thus, if a user clears his cookies or has them off, the site won't work properly for them.