Using $ SESSION to store your login is a bad idea?



10:03 am on Aug 29, 2010 (gmt 0)

5+ Year Member

On yahoo questions, I was getting help with my php login system, and a prominent answerer (lol) on yahoo questions had this to say:

"Using $_SESSION to store your login is a bad idea!
When the user logs in, you compare his entry with values in your DB. There, you also have his email.
The general idea is that your user's table contains user, pwd, email AND "sess", a field of 50 chars that will be filled, AT SIGN-IN, with the session number. Then, if you want any detail of the user, use $_SESSION and check it against the DB, field "sess"."

If I'm doing it wrong, I'd like to know how to fix my login system. I didn't understand exactly what he said though. I'm not sure how to fix it. Here is my code, tell me what you think please:


<?php
session_start(); // needed before $_SESSION can be written below

$dbhost = "localhost";
$dbname = ""; // I erased these 3 on purpose
$dbuser = "";
$dbpass = "";

mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());

$username = $_POST['username'];
$password = $_POST['password'];

// The raw POST values are interpolated straight into the SQL string here
$query = "select * from members where username='$username' and password='$password'";

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
    echo '<br><div align="center"><font size="4" color="white">Invalid username or password. Please try again.</font></div><br>';
    include "sign_in.php";

} else {
    $_SESSION['username'] = "$username";
    include "my_account.php";
}


12:36 pm on Aug 29, 2010 (gmt 0)

5+ Year Member

I think you need to add some basic security to your PHP, like input filtering and MySQL escaping. That is more important than the security of your $_SESSION vars at this moment.

Please read the OWASP Top 10 of security risks [owasp.org].
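
A hardened version of the posted handler, added here as an example (not code from the thread or from any poster): it replaces the interpolated query with a PDO prepared statement, checks the password with password_verify() against a stored hash instead of sending the plaintext to the database, and regenerates the session id at login. The table and column names (members, id, username, password_hash), the PHP version (>= 7.1) and the DB credentials are assumptions and placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a `members` table with
// columns id, username and password_hash (output of password_hash()),
// PHP >= 7.1, and placeholder DB credentials.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

/**
 * Returns the member id on success, null otherwise. The username reaches
 * MySQL only as a bound parameter, so a quote character in the input cannot
 * alter the query; the password is never sent to the database at all.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$memberId = authenticate($pdo, $username, $password);
if ($memberId === null) {
    // One generic message for both a bad username and a bad password
    echo 'Invalid username or password. Please try again.';
    include 'sign_in.php';
} else {
    // A fresh session id at login defeats session fixation; store the stable
    // member id rather than user-supplied text
    session_regenerate_id(true);
    $_SESSION['member_id'] = $memberId;
    include 'my_account.php';
}
```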


1:45 pm on Aug 29, 2010 (gmt 0)

5+ Year Member

Thanks for bringing security to my attention. I really had no idea. I fixed the problems you mentioned. I just had to add some code in a few places to stop injections.


12:36 pm on Aug 30, 2010 (gmt 0)

5+ Year Member

Also, bring the session_start() to:

} else {
    session_start(); // moved here from the top of the script
    $_SESSION['username'] = "$username";
    include "my_account.php";
}

It doesn't make a big difference, but call session_start() only when it is absolutely required.
