knuckle05
asked on
PHP5 - Best way to authenticate users on a small scale site.
Hi All,
I'm building a small site using PHP5, MySQL, and Apache.
What I'm wondering is this:
Say for example a user logs in and I set my various session variables to store their user name and encrypted password.
I then redirect them to their account page. This page and its arguments assume this form:
my-account.php5?id=123
where 'id' = the user's account ID.
What is the best way to prevent the logged-in user from manually changing the URL to "id=124", "id=125", etc. and then gaining access to another user's account?
My solution would be to include a file at the top of EVERY page that needs user authentication and check the session against the id URL argument, either by including a list of valid IDs in another session variable, or by opening up the database and doing a check.
Theoretically this would work, but is there a "better" or more elegant way to achieve this?
Thanks.
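One way to handle this, as an added example that is not part of the question or of any answer on this page (the accepted answer is not reproduced here): the identity of the logged-in user is taken from the server-side session only, so the `id` query parameter is never used to decide whose account is shown; where a page legitimately takes a record id in the URL, ownership is checked in the database on every request instead of trusting a cached list of ids in the session. The table names `users` and `orders`, their columns, the `$pdo` connection and `login.php` are assumptions of the example. `password_verify()` needs PHP 5.5 or later.

```php
<?php
// auth_check.php -- added example, not code from the original question or answers.
// Included at the top of every page that requires a logged-in user.
// Assumed schema: users(id, username, password_hash), orders(id, user_id, ...).
// Assumed: $pdo is a PDO connection created elsewhere (e.g. in config.php).

/**
 * Verify a username/password pair against the users table. On success the
 * session is rotated and only the numeric user id is stored in it; no
 * password material (plain or hashed) is ever kept in the session.
 * Returns true on success, false otherwise.
 */
function loginUser(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new session id after privilege change
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

/**
 * Load the account record for the logged-in user. The account id comes from
 * the session, so editing ?id=123 to ?id=124 in the URL has no effect.
 */
function loadOwnAccount(PDO $pdo, $userId)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute(array((int) $userId));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * For pages that take an object id in the URL (an order, a message, ...):
 * fetch it only if it belongs to the logged-in user. The database is the
 * source of truth on every request, so a list of ids cached in the session
 * cannot go stale. $table is a fixed string chosen by the application code,
 * never user input. Returns the row, or null if it is not owned by $userId.
 */
function loadOwnedRecord(PDO $pdo, $table, $recordId, $userId)
{
    $stmt = $pdo->prepare("SELECT * FROM {$table} WHERE id = ? AND user_id = ?");
    $stmt->execute(array((int) $recordId, (int) $userId));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Per-request gate: runs on every page that includes this file ---------
session_start();

if (empty($_SESSION['user_id'])) {
    header('Location: login.php');       // not logged in at all
    exit;
}
$currentUserId = (int) $_SESSION['user_id'];

// Usage in my-account.php (after require 'auth_check.php';):
//   $account = loadOwnAccount($pdo, $currentUserId);
//
// Usage in view-order.php?id=55:
//   $order = loadOwnedRecord($pdo, 'orders', $_GET['id'], $currentUserId);
//   if ($order === null) {              // not this user's order (or absent)
//       header('HTTP/1.0 404 Not Found');
//       exit;
//   }
```

Returning the same 404 for "does not exist" and "exists but belongs to someone else" avoids confirming which ids are valid; the application-side check is what matters, the URL only names a record.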
ASKER CERTIFIED SOLUTION
ASKER
Thanks to both of you.
I went with TeRReF's solution.
http://www.php.net/manual/en/ref.session.php
http://www.zend.com/zend/tut/authentication.php?article=authentication&kind=t&id=771&open=1&anc=0&view=1