Re: php sessions question

Pete wrote:

You should only save the userId in the session, everything else should be retrieved from your database using that id.

I normally do as you have suggested here - but why do you suggest that
this method is better?

One reason is for security. You cannot ever rule out the possibility of a user injecting someone else's data into the session to get access to information that he should not have. Of course he can fake the userid too. That's why each time you retrieve the userid from the session you should check if that id has been logged in. I do this (so do many others) by keeping a two-column table with session id and userid in it.

--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.
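The check Raditha describes, as an added PHP example that is not part of the original thread: the session holds only the user id, a two-column table records which user each session id was issued to, and every request re-verifies the id in the session against that table before trusting it. The table name `user_sessions`, its columns, and the use of PDO are assumptions; `session_start()` is assumed to have been called already.

```php
<?php
// Added example, not from the original post. Assumed schema:
//   user_sessions(session_id VARCHAR(128) PRIMARY KEY, user_id INT NOT NULL)

function login_user(PDO $db, int $userId): void
{
    // Issue a fresh session id at login so a pre-set id cannot be reused.
    session_regenerate_id(true);
    $_SESSION = ['userId' => $userId];

    // Record server-side which user this session id belongs to.
    $stmt = $db->prepare(
        'INSERT INTO user_sessions (session_id, user_id) VALUES (:sid, :uid)'
    );
    $stmt->execute([':sid' => session_id(), ':uid' => $userId]);
}

function current_user_id(PDO $db): ?int
{
    if (!isset($_SESSION['userId'])) {
        return null;
    }
    // The id stored in $_SESSION is only a claim; confirm it against the
    // login record for this session id before using it for anything.
    $stmt = $db->prepare(
        'SELECT user_id FROM user_sessions WHERE session_id = :sid'
    );
    $stmt->execute([':sid' => session_id()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (int)$row['user_id'] !== (int)$_SESSION['userId']) {
        // No login record, or the session's userId does not match it:
        // treat as not logged in and discard the session entirely.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int)$row['user_id'];
}

function logout_user(PDO $db): void
{
    $stmt = $db->prepare('DELETE FROM user_sessions WHERE session_id = :sid');
    $stmt->execute([':sid' => session_id()]);
    $_SESSION = [];
    session_destroy();
}

// On each request, after session_start():
//   $uid = current_user_id($db);
//   if ($uid === null) { header('Location: /login.php'); exit; }
// Everything else about the user is then loaded from the database by $uid.
```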

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
