
I execute a query to see if the user name and password match. After that I store the username in a session variable. The value is the user name; after that it redirects to the admin page.

Every time I go to the admin page it looks for that session variable. If it is not there it will redirect me to the login page.

Is this a safe approach to use or not?

Zach Saucier
yasir
  • I would really be thankful if I got a simple answer to put me on the right path, better than just voting down my post – yasir Nov 02 '14 at 17:52
  • depends on how you use them, and talking about a completely safe thing, nothing is completely safe/secure ... – NullPoiиteя Nov 02 '14 at 17:54
  • `$_SESSION['user'] = "username"` that's what I am checking for; if it's there it keeps me in the admin page, if it's not it redirects me to login. Can someone steal this var and use it to access the admin panel? – yasir Nov 02 '14 at 18:00

1 Answer

The general thinking is appropriate (imho, for a beginner).

But it is more secure to use a boolean, like loggedin = yes/no. This hides the username and in fact the information in the session variables can be stolen.

BTW: You cannot achieve complete security with the session only; you need to implement and encapsulate in the right way to gain more security (nothing is completely secure). More knowledge comes with more practice. Keep it up.

ascorbin
  • Thanks very much for your answer, that's what I needed to hear. I will search more to level up the security – yasir Nov 02 '14 at 18:39
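
An added example (not code from the question or the answer) of the flow the question describes: check the credentials, set `$_SESSION['user']`, and guard the admin page. PHP keeps the contents of `$_SESSION` on the server and sends the browser only the session ID cookie, so the hardening here targets that cookie and the ID behind it. The function names, the in-memory sample user and the `/login.php` path are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample user store (hypothetical). A real application would look
// the user up with a prepared statement and store only password_hash() output.
function sample_users(): array {
    return ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site subrequests
    ]);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
    session_start();
}

function login(string $user, string $password): bool {
    $hash = sample_users()[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID after login defeats session fixation
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
    return true;
}

// Call after start_secure_session() at the top of every admin page,
// before any output is sent.
function require_login(int $idleLimit = 900): void {
    $fresh = isset($_SESSION['user'], $_SESSION['last_seen'])
        && (time() - $_SESSION['last_seen']) <= $idleLimit;
    if (!$fresh) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');  // assumed login page path
        exit;  // without exit the protected page would still be rendered
    }
    $_SESSION['last_seen'] = time();
}
```

The `exit` after the redirect header matters as much as the session check itself: a client that ignores the `Location` header would otherwise receive the admin page body.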