help with users

Anonymous (Guest)
Hi,

I'm making a script that manages the financial issues of a company. There will be a few different users, who will have to stay "logged in" across quite a few pages, as only some users can access special functions, etc. I have thought of either using sessions or cookies. Which is better/easier to use/safer?
 
Ok, but how would it be best to do this? I mean, would I need to check users against a DB (for example) at every page? Because if they log in, and if their login is valid, I can't just assign a variable (for example validated = 1), because sessions aren't that secure, right? I mean, it's easy for the user to edit cookies or POST/GET variables, right? What's the best way to go about this?
 
Hi,

As far as I have seen, when a user logs in, you validate that user against a DB. Then, according to the type of user, you assign a session variable (for example $_SESSION['user'] = ADMIN).
Then on every page, you check the permissions for the page so that you only allow users with the right permissions.

Cheers. Victor
 
I think this was already resolved via MSN... I'm sorry for not posting the reply here, but this topic has already been repeated 20 times and I really don't feel like posting the same reply one more time... If someone is interested, they may simply search the forum... In case someone has some problems, I will be more than happy to explain and help.

Victor -- the basic concept is correct... however, I believe you know that you can't use $_SESSION['user'] = ADMIN, for several reasons.

Nr. 1: it will generate an error "Call to an undefined function ADMIN".
Nr. 2: it's no good to save the user type in the session. Think about the following scenario:

A user has moderator privileges and has been misbehaving. That user is logged in and is doing God knows what... The administrator finds out about it and removes the privileges or even bans the user... but that user is logged in and may still do whatever he wants until he logs out... Therefore it's best to save only fingerprints and the user ID in the session.
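The approach the two replies above describe (validate against the DB at login, keep only the user ID and a fingerprint in $_SESSION, and re-check the user's permissions on every page so that a revoked or banned user is cut off on their next request), written out as one PHP include. This is an added example for this thread, not code posted by any of its participants. The users table, the column names, the FP_SECRET constant, the function names and the two seeded accounts are all assumptions made for the example; the SQLite in-memory database is constructed inline so the file loads without a real server.

```php
<?php
// auth.php -- added example for this thread, not code posted by any participant.
// Assumptions (hypothetical): a users table (id, username, password_hash, role, banned),
// a server-side secret FP_SECRET, and that every protected page does
// `require 'auth.php';` before sending any output.
declare(strict_types=1);

const FP_SECRET = 'replace-with-a-random-server-side-secret';   // assumed, not from the thread

// Session cookie hardening: not readable from JavaScript, only sent over TLS,
// and not sent along with cross-site requests.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Dummy hash used when the username does not exist, so login() always runs one
// password_verify() and response time does not reveal which usernames are valid.
define('DUMMY_HASH', password_hash('dummy', PASSWORD_DEFAULT));

// Constructed in-memory database so the example runs without a real server.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                    password_hash TEXT, role TEXT, banned INTEGER NOT NULL DEFAULT 0)');
        $ins = $pdo->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
        $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
        $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 'moderator']);
    }
    return $pdo;
}

// The "fingerprint" kept in the session: an HMAC of the client's User-Agent. A session id
// replayed from a different browser fails this check. The client IP is deliberately left
// out: it changes behind proxies and on mobile networks and would log legitimate users out.
function fingerprint(): string
{
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', FP_SECRET);
}

function login(string $username, string $password): bool
{
    $st = db()->prepare('SELECT id, password_hash, banned FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $hash = $row['password_hash'] ?? DUMMY_HASH;          // ?? is isset-safe when $row is false
    if (!password_verify($password, $hash) || $row === false || $row['banned']) {
        return false;
    }
    session_regenerate_id(true);            // fresh id at login defeats session fixation
    // Only the user id and the fingerprint go into the session, never the role.
    $_SESSION = ['uid' => (int) $row['id'], 'fp' => fingerprint()];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Called on every protected page. The role and ban flag are re-read from the database on
// each request, so an admin revoking privileges or banning a user takes effect on that
// user's very next click, not when they eventually log out.
function current_user(): ?array
{
    if (!isset($_SESSION['uid'], $_SESSION['fp'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fp'], fingerprint())) {
        logout();                            // cookie presented from a different client
        return null;
    }
    $st = db()->prepare('SELECT id, username, role, banned FROM users WHERE id = ?');
    $st->execute([$_SESSION['uid']]);
    $u = $st->fetch(PDO::FETCH_ASSOC);
    if ($u === false || $u['banned']) {
        logout();                            // user deleted or banned since login
        return null;
    }
    return $u;
}

// Page-level gate: allow only the listed roles, otherwise stop with 403.
function require_role(string ...$roles): array
{
    $u = current_user();
    if ($u === null || !in_array($u['role'], $roles, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $u;
}

// Usage at the top of a page only administrators may open:
//   require 'auth.php';
//   $admin = require_role('admin');
// and on a page open to admins and moderators:
//   $staff = require_role('admin', 'moderator');
```

The per-page cost is one primary-key lookup, which is the price of having revocations and bans take effect immediately; caching the role in $_SESSION would save that query but reintroduce exactly the stale-privilege problem the post above describes. Note that $_SESSION contents never leave the server, so the user cannot edit them the way they can edit a cookie or a form field; what they can tamper with is the session cookie itself, which is why the id is regenerated at login and tied to the client fingerprint.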
 