I'm missing some good explanation about how to use sessions and cookies for security.
It seems possible to create sessions in different ways. I already received the information (from VGR) that it is not good to use the HTTP Basic Authentication. So I already adapted my login-page that starts with a form with 2 fields for login_id and password.
At the top of this page I have put: session_start(). When I check in a subsequent page (where I have also put the session_start() statement) the existence of the session (with <?php echo $_SESSION['thenameIgave']; ?>) => the name seems to be passed to the next page.
But how do I control in each subsequent page that it is still the same session? When I use the statement : if (session is registered('thenameIgave')) => I get an error message...
Other, not-registered persons may not have the possibility to enter those protected pages. Suppose that he knows the name of the restricted PHP-files and puts them directly in the browser => until now this person still has access to those pages? How can I avoid this?
Even when a person has passed a successful login -> I want to verify the time he is not active. After a period of 30 minutes of inactivity, I want the session to be destroyed. I think it has something to do with cookies...
Can anyone give me some good examples or reading material about these subjects?
Thanks for any help,
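
Added example, not part of the original post: one way to guard every protected page and enforce the 30-minute idle limit with a timestamp kept server-side in the session rather than relying on the cookie lifetime. The file name auth_guard.php, the last_activity key, the login.php redirect target and the function names are assumptions; thenameIgave is the session key from the question.

```php
<?php
// auth_guard.php (hypothetical name). On each protected page, before any output:
//     require 'auth_guard.php'; require_login();
declare(strict_types=1);

const IDLE_LIMIT = 30 * 60; // 30 minutes of inactivity, in seconds

// Pure check: logged in and active within the idle limit?
function session_is_valid(array $session, int $now): bool
{
    if (empty($session['thenameIgave'])) {
        return false; // never logged in, e.g. the file name was typed into the browser
    }
    $last = (int) ($session['last_activity'] ?? 0); // assumed key, set below
    return ($now - $last) <= IDLE_LIMIT;
}

// Wipe the session data, expire the session cookie, destroy the server-side record.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call once after the password has been verified on the login page.
function mark_logged_in(string $loginId): void
{
    session_regenerate_id(true); // new session id at login, against session fixation
    $_SESSION['thenameIgave'] = $loginId;
    $_SESSION['last_activity'] = time();
}

function require_login(): void
{
    session_start([
        'cookie_httponly' => true,  // cookie not readable from JavaScript
        'cookie_secure'   => true,  // assumes the site is served over HTTPS
        'use_strict_mode' => true,  // reject session ids the server did not issue
    ]);
    if (!session_is_valid($_SESSION, time())) {
        end_session();
        header('Location: login.php'); // assumed login page
        exit;                          // stop so the protected page is never rendered
    }
    $_SESSION['last_activity'] = time(); // sliding window: each request resets the timer
}
```

The options array passed to session_start() requires PHP 7.0 or later.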