This is a discussion on Re: Session Security Question within the PHP Language forums, part of the PHP Programming Forums category.
The session data is stored on the server, and the session id is stored on
the server and the client-computer. So you can't mess with the session vars
unless you have control of the server.

"Xizor" <nope@nope.com> wrote in message
news:YeXXa.74343$YN5.55755@sccrnsc01...
> I have a PHP page that checks to see if the user is logged in every time it
> is loaded. It does this by each time checking two session variables (one for
> the username and one for the password) against a MySQL database. If it
> checks out OK, then the PHP does stuff, if it doesn't then it doesn't do
> stuff.
>
> To me, checking against the database each time the page is loaded seems
> unfriendly to the CPU. It seems that it would make more sense to set a third
> session variable the first time the user logs in to true and then check to
> see if that variable is true. I'm new to sessions, and to me, I can't quite
> tell if this is safe. Then again, either way it doesn't seem safe. Anywho,
> is it fine to do it the second way, or better the first way?
>
> Thank you.
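
An added example, not part of either post: the second approach from the question, where the password is verified once at login and later page loads only read a flag from the server-side session. The function names `find_user`, `log_in` and `is_logged_in`, the session keys, and the sample user record are hypothetical; `find_user` stands in for the MySQL lookup.

```php
<?php
// Added example: all names and the sample user below are hypothetical.
declare(strict_types=1);

// Constructed sample record standing in for a row from the MySQL users table.
function find_user(string $username): ?array
{
    static $users = null;
    $users ??= [
        'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$username] ?? null;
}

// Called once, from the login form handler: the only place the password is checked.
function log_in(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);       // issue a fresh session id at login
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['logged_in'] = true;     // flag lives in server-side session data
    return true;                       // the password itself is never stored in the session
}

// Called at the top of every protected page: no database query involved.
function is_logged_in(): bool
{
    return ($_SESSION['logged_in'] ?? false) === true;
}

session_start();

// Constructed credentials for the demo; a real page would read them from $_POST.
if (!is_logged_in() && !log_in('alice', 'correct horse')) {
    http_response_code(403);
    exit("Not logged in\n");
}
echo 'Welcome, user #', $_SESSION['user_id'], "\n";
```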