PHP Sessions Question - HTML Forums

blackpepper · 10-30-2009, 02:32 PM

For building a login, I obviously want the person to stay logged in after they have done so.

At the logging in script, a session variable is set

PHP Code:


			
    $_SESSION['SESS_MEMBER_ID'] = $member['username'];

then on my authorization page(which is included into various subpages which require a user to be logged in) I check to see if that variable is set

PHP Code:


			
<?php

    //Start session

    session_start();

    

    //Check whether the session variable SESS_MEMBER_ID is present or not

    if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {

        header("location: //Members");

        exit();

    }





?>

Is doing something like this completely safe? Can this session variable be generated by someother way, and then used to falsely authorize the user? I would appreciate an explanation

If I need to add a level of security, a point in the right direction would be great

Cheers,
BP

scoutt · 10-31-2009, 06:37 PM

well that is what most people do. I fyou r cookies are safe then it should be okay to do it that way.

blackpepper · 11-01-2009, 01:18 PM

thank you scoutt. I have been reading documentation about php sessions it's just somewhat confusing stuff for me.

So my final question/thought:
Say I had a session started with a variable of SESS_MEMBER_ID , however htmlforums.com had also used the same variable name to store login auth. Why is it that storing the session on ONE site does not sign you in on another site. Are the session variables unique per domain they are started at? And is that something which cannot be manipulated, thus generating a false session to log yourself in would be impossible?

If it sounds like I am a bit confused please let me know, I really would like an understanding of all of this stuff

Cheers,
BP

scoutt · 11-01-2009, 08:15 PM

yes, sessions are unique to its own server.