Webdigity Webmaster Forums - Question regarding your code

nitrixud

Tue 6 February 2007, 04:40 pm GMT +0100

Hi Olaf,
i have a question regarding the code and in particular the access_page method

Is it an obligation to connect to the database each time a protected page is viewed ?

i guess i'm missing something here, but i thought checking some session variable was enough to secure pages (once logged-in of course) ?

Thanks for your answer and your great script

Nitrixud

Nikolas

Tue 6 February 2007, 04:41 pm GMT +0100

Session can be - in some cases - hijacked.

It depends on the security level that you require if you need a connection to the database or a session check on every pageview.

nitrixud

Tue 6 February 2007, 04:58 pm GMT +0100

Thanks Nikolas, for your quick answer

@olaf, could it be a future feature ? if one want a simpler check just using session ?

or is it already there ?
using the $_SESSION['logged_in'] variable and just checking it ?

session_start();
if (!$_SESSION['logged_in'])
{
header ("Location: login.php");
}

olaf

Tue 6 February 2007, 06:14 pm GMT +0100

Quote from: nitrixud on Feb 06, 2007, 04:58:16 pm

Thanks Nikolas, for your quick answer

@olaf, could it be a future feature ? if one want a simpler check just using session ?

or is it already there ?
using the $_SESSION['logged_in'] variable and just checking it ?

session_start();
if (!$_SESSION['logged_in'])
{
header ("Location: login.php");
}

sure you can use that session or just the other session's, but as Nick already mentioned session's are not really safe. Thats why I added an alternative session handler (this suggestion comes from official PHP people).