I'm building a small site using PHP5, MySQL, and Apache.
What I'm wondering is this:
Say, for example, a user logs in and I set my various session variables to store their user name and encrypted password.
I then redirect them to their account page. This page and its arguments assume this form:
where 'id' = the user's account ID.
What is the best way to prevent the logged-in user from manually changing the URL to "id=124", "id=125", etc. and then gaining access to another user's account?
My solution would be to include a file at the top of EVERY page that needs user authentication and check the session against the id URL argument, either by including a list of valid IDs in another session variable, or by opening up the database and doing a check.
Theoretically this would work, but is there a "better" or more elegant way to achieve this?
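The shared include the question describes, written as an added example rather than the poster's own code: it binds the `id` argument to the identity stored in the session and scopes the database lookup by that session identity instead of by the URL. It assumes a `users` table with an `id` column, a `$_SESSION['user_id']` set at login, and a PDO connection in `$db`; all three are assumptions, not details from the question.

```php
<?php
// require_auth.php: included at the top of every page that needs a logged-in user.
// Assumes login.php sets $_SESSION['user_id'] after verifying credentials.
session_start();

if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// The URL argument is only a hint; the session is the authority. A mismatch means
// the user edited the id by hand, so refuse rather than silently serve the right page.
function require_own_account($session_user_id)
{
    $requested = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($requested === null) {            // no id given: fall back to the session's account
        return (int) $session_user_id;
    }
    if ($requested === false || $requested !== (int) $session_user_id) {
        header('HTTP/1.1 403 Forbidden'); // works on PHP 5.x before http_response_code()
        exit('Forbidden');
    }
    return $requested;
}

$account_id = require_own_account($_SESSION['user_id']);

// account.php would then query by the session-derived id, never by raw $_GET['id'].
// $db is an assumed PDO connection; the prepared statement also avoids SQL injection.
function load_account(PDO $db, $account_id)
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $account_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        header('HTTP/1.1 404 Not Found');
        exit('No such account');
    }
    return $row;
}
```

Dropping the `id` argument from the URL entirely and always reading the account from the session removes the tampering surface outright; the check above is only needed while the argument still exists.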