
I'm using SESSIONs to achieve a simple login system.

Should I check every piece of data of the user (id, email, fullname << I have only these), or is it enough to check only the id, or only check whether the session exists or not?

Thanks! If you have a better solution please tell it to me =P

Dávid Szabó
  • Are you using a login system without a password? (you don't mention a password anywhere) And when you say *Should I check every data of the user ...* you mean when sending the login credentials? BTW the user probably won't know their ID – mTorres Jul 30 '14 at 16:06
  • @mTorres Ahh, I have a password, I just forgot to write it there, sorry, I will edit it after this comment. So I'm using SESSIONs which are stored on the server. When a user logs in I save their credentials in a session like `$_SESSION["login"] = array('id' => $id, 'name' => $name, 'password' => $password);` I'm just curious if it is enough or not to use just `$_SESSION["loggedin"] = true;` Is it a good practice or not? – Dávid Szabó Jul 30 '14 at 16:41
  • You shouldn't store the password in the session (especially if you're using file sessions - which is the PHP default session handling system) as other users on the system would be able to read them. Using `$_SESSION['logged']` should be enough. Be aware that there are ways to do [session hijacking](http://stackoverflow.com/questions/6483092/php-session-hijacking); if your application uses sensitive data you should make sure that you try to prevent it! – mTorres Jul 30 '14 at 16:51
  • @mTorres Thanks, that question's answers helped me a lot, and your answer too. Make an answer and I'll accept it as the answer! – Dávid Szabó Jul 30 '14 at 17:03
  • You're right, my last comment was more of an answer, so here you have it :-) – mTorres Jul 30 '14 at 17:06

1 Answer

Using `$_SESSION['logged']` should be enough. Be aware that there are ways to do session hijacking; if your application uses sensitive data you should make sure that you try to prevent it!

Notice that you shouldn't store the password in the session (especially if you're using file sessions - which is the PHP default session handling system) as other users on the system would be able to read them!

mTorres
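The pattern the answer recommends, written out as an added example (not code from the question or the answer): the session holds only a logged flag and the user id, the password never enters it, and the session id is regenerated at login so a pre-set id cannot be reused. `find_user_by_email()` and the sample user are constructed for the example.

```php
<?php
declare(strict_types=1);

// Cookie flags so the session id is not readable by script and only travels over HTTPS.
session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Lax',
]);

/** Hypothetical lookup standing in for a users table; returns id, name and password hash. */
function find_user_by_email(string $email): ?array
{
    // Constructed sample user; the hash is what password_hash() stores, never the password.
    $users = [
        'dave@example.com' => [
            'id'   => 42,
            'name' => 'Dávid',
            'hash' => password_hash('s3cret-example', PASSWORD_DEFAULT),
        ],
    ];
    return $users[$email] ?? null;
}

function login(string $email, string $password): bool
{
    $user = find_user_by_email($email);
    // password_verify() compares against the stored hash in constant time.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh session id on login: an id fixed before authentication is discarded.
    session_regenerate_id(true);
    // Store only what later requests need: a flag and the id. No password, no hash.
    $_SESSION['logged']  = true;
    $_SESSION['user_id'] = $user['id'];
    return true;
}

// Per-request check: the flag plus the id is all that is needed; other user
// fields are looked up from the database by id when a page needs them.
function is_logged_in(): bool
{
    return !empty($_SESSION['logged']) && isset($_SESSION['user_id']);
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

With the default file session handler, anything placed in `$_SESSION` is written to disk on the server, which is why the example keeps the password and its hash out of it entirely.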