[thelist] php login security (was: Call html page with php)

Ben Phillips ben at inchima.com
Wed Feb 20 06:16:01 CST 2002


> Hold on a minute: do you mean that the username and password are getting
> bandied about somehow (GET/POST) to each page following initial
> authorization? And *then* processed on each page? The overhead wouldn't be
> too much I guess (although it's inelegant), but why keep passing the
> username and pass back and forth? (Assuming you were serious about not
> using session variables this would be a necessary consequence.)

no, a session id is passed between pages. the session id is created when a
user logs in. this is then compared to that stored in the database. if it is
valid, and hasn't timed out then the login is okay.

when i said session variables weren't available, i meant php 4
$HTTP_SESSION_VARS. sorry for confusion.

> What are the advantages of reauthenticating a user on each page?

see above comment. badders.com has a login box on every page. the user can
use this to log in. the session code included on every page checks to see if
a session id is passed, if not then it checks to see if a login attempt has
been made, if not then it displays the login box (roughly).

> (Sorry it's well past midnight here, so I am likely a bit slow off the mark.)

it's midday here, i have the advantage... ;o)

benji
inchima.com
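
The per-page check described in the message above, as an added example that is not part of the original post and not the site's own code. It assumes a modern PHP (7.4+); the function names, the 30-minute idle limit and the in-memory `$store` array standing in for the database session table are all assumptions.

```php
<?php
// Added example; $store stands in for the database session table.
const IDLE_TIMEOUT = 1800; // assumed idle limit, in seconds
// After a successful password check: issue an unguessable session id.
function create_session(array &$store, string $user, int $now): string
{
    $sid = bin2hex(random_bytes(32));
    // Keep only a hash server-side so a leaked table holds no usable ids.
    $store[hash('sha256', $sid)] = ['user' => $user, 'last_seen' => $now];
    return $sid;
}
// Top of every page: returns the user, or null if unknown or timed out.
function check_session(array &$store, ?string $sid, int $now): ?string
{
    if ($sid === null || !preg_match('/\A[0-9a-f]{64}\z/', $sid)) {
        return null; // missing or malformed id
    }
    $key = hash('sha256', $sid);
    if (!isset($store[$key])) {
        return null; // id not found in the store
    }
    if ($now - $store[$key]['last_seen'] > IDLE_TIMEOUT) {
        unset($store[$key]); // expired: remove the stored session
        return null;
    }
    $store[$key]['last_seen'] = $now; // sliding timeout
    return $store[$key]['user'];
}

// Order from the post: session id, then login attempt, then login box.
function page_gate(array &$store, ?string $sid, ?array $login, callable $verify, int $now): array
{
    $user = check_session($store, $sid, $now);
    if ($user !== null) {
        return ['state' => 'ok', 'user' => $user, 'sid' => $sid];
    }
    if ($login !== null && $verify($login['user'], $login['pass'])) {
        $sid = create_session($store, $login['user'], $now);
        return ['state' => 'ok', 'user' => $login['user'], 'sid' => $sid];
    }
    return ['state' => 'show_login_box', 'user' => null, 'sid' => null];
}

// Constructed demo: log in, reuse the id, then present it after the timeout.
$store = [];
$verify = fn($u, $p) => $u === 'alice' && $p === 'example-pass';
$r = page_gate($store, null, ['user' => 'alice', 'pass' => 'example-pass'], $verify, 1000);
var_dump(page_gate($store, $r['sid'], null, $verify, 1060)['state']);
var_dump(page_gate($store, $r['sid'], null, $verify, 1060 + IDLE_TIMEOUT + 1)['state']);
```

In a real deployment `$verify` would be the site's own credential check and the id would travel in a cookie marked `Secure` and `HttpOnly` rather than in the URL.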
