--- Tony Di Croce <dicroce@xxxxxxxxx> wrote:
> I have some general questions about sessions... Actually, about
> PHP's built-in session support.
>
> Do I need to call session_start() in every script that needs
> access to $_SESSION[]?

Yes.

> Would it cause any problems if I do?

What sort of problems?

> If not, am I supposed to just call it once on the login page
> for my website and then that's it?

No, see above answer. Call it in every script that needs to use $_SESSION.

> I think I would like to store a user id in my $_SESSION[]
> global. If this variable is set, I will consider this session
> "logged in". Is there a secure way to do this?

Sessions are pretty secure by their very nature, since session data is stored on the server and not subject to exposure like most other data. There are still a few security concerns, and I address a few of them in this article:

http://shiflett.org/articles/the-truth-about-sessions

> When session_start() is called, this function sets a cookie
> in this browser with a unique value that is bound to a set
> of globals (IE, the contents of $_SESSION[]). When subsequent
> HTTP requests have this cookie attached, the correct set of
> $_SESSION[] variables is loaded... Everything right?

That's close enough. It misses a lot of details, but there's nothing terribly wrong with your description. You can fill in the gaps and correct minor details as you learn more. The article I mentioned gives a brief introduction to the fundamentals, so it might clarify some things for you.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming Soon
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
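
An added example, not part of the original message or of the linked article: a sketch of the pattern discussed in this thread, where every script calls session_start() and a set $_SESSION['user_id'] means "logged in". The function names (start_app_session, log_in, current_user_id, log_out), the /login.php path and the cookie settings are assumptions for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: helpers included by every script that uses $_SESSION.
// All function names here are hypothetical, chosen for this illustration.
declare(strict_types=1);

function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    // Cookie attributes have to be set before session_start() sends the cookie.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void
{
    start_app_session();
    // Issue a fresh session id at the moment of login, so an id that existed
    // before authentication is not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    start_app_session();
    // "Logged in" means the user id is present in the server-side session data.
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function log_out(): void
{
    start_app_session();
    $_SESSION = [];      // clear the data for the rest of this request
    session_destroy();   // remove the stored session on the server
}

// Constructed usage at the top of a protected script:
// if (current_user_id() === null) { header('Location: /login.php'); exit; }
```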