if ($_SESSION['username'] == "user" && $_SESSION['password'] == "pwd")
{
    // show page
}
else
{
    // send to login page
}
And on the login page, you set the action to a script that does only this: it sets the user input for username as the session username and the password as the password in the session, and redirects to index.php, which checks for the username and password.
Of course, this code is for just one username and password combination only.
Do you think someone can break this by applying some malicious input, like SQL injection for SQL logins?
Well, using SQL injection would be something to worry about on the login form itself.
Session hijacking is something different. That would be during your authentication function/code that you would use on every page.
This thread talks about both:
PHP User Authentication and Passwords [webmasterworld.com]
Basics of session hijacking:
Once a user logs in, they have a session cookie, though the actual session data is stored on the server. As long as this session is active, if some other person gets the session ID they could use it to gain access. Now, since most attackers don't know how to log in, they have to either grab a cookie for an active session or somehow guess (brute force) a session ID that is active.
Hence the need to be able to identify which session belongs to whom.
And as IamStang mentioned, don't put passwords into your session; passwords should be user-supplied for login, then disregarded unless you need them to re-enter it.
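As an added example (not code posted by anyone in this thread), here is one way to restructure the check so the session holds only the identity, never the password, and is tied to the client that logged in. The function names, login.php and the User-Agent fingerprint are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names; the single account mirrors the thread's one-user setup.
const DEMO_USER = 'user';

function demo_hash(): string {
    // Constructed for the example; a real site stores this hash once instead of recomputing it.
    static $h = null;
    return $h ??= password_hash('pwd', PASSWORD_DEFAULT);
}

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,  // cookie not readable from page scripts
            'cookie_secure'   => true,  // assumption: the site is served over HTTPS
            'use_strict_mode' => true,  // ignore session ids the server did not issue
        ]);
    }
}

function client_fingerprint(): string {
    // Assumption: User-Agent as a coarse binding; it only flags a cookie replayed from a different client.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(string $username, string $password): bool {
    start_session();
    if (!hash_equals(DEMO_USER, $username) || !password_verify($password, demo_hash())) {
        return false;
    }
    session_regenerate_id(true);           // fresh id after login, old one discarded
    $_SESSION['username'] = $username;     // identity only; the password is not kept
    $_SESSION['fingerprint'] = client_fingerprint();
    return true;
}

function is_authenticated(): bool {
    start_session();
    return isset($_SESSION['username'], $_SESSION['fingerprint'])
        && hash_equals($_SESSION['fingerprint'], client_fingerprint());
}

function require_login(): void {           // call at the top of index.php and every protected page
    if (!is_authenticated()) {
        $_SESSION = [];                    // drop anything left in a rejected session
        header('Location: login.php');
        exit;
    }
}
```

The login script would call `login($_POST['username'] ?? '', $_POST['password'] ?? '')` and redirect to index.php only when it returns true.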