Joe Harman <mailto:cjharman@xxxxxxxxx> on Tuesday, January 25, 2005 4:23 PM said:

> IN MY OPINION... forget the cookies... only use php sessions... but
> like I said IMO.... you can never rely on the end user having them
> cookies enabled... same with things like javascript...

Well, I don't think you should suggest to "forget the cookies" since cookies are necessary to keep data between sessions. Simple example: To remember the user's username for the simple purpose of pre-filling the username field of a form. But if functionality like that is not needed then you're right, cookies can be ignored.

> 1. get the user's access info... ie username & password
>
> 2. look for the user in the database that stores the access info
>
> 3. if access is granted, I usually set 2 session variables
>      a. $_SESSION['auth'] = TRUE // They are authorized
>      b. $_SESSION['user_id'] = {who} // Who is it
>      a. $_SESSION['user_level'] = {level} // What level access do
> they have (optional)

Item (a) is redundant. Just use (b) and (a)#2 (hehe.. typo) aka (c). If the username is present the user is obviously logged in. You don't need another little buddy yelling, "Yep. He's logged in."

> that should get you started... maybe the second step would be to make
> this stuff into functions...

Functions? Absolutely.

> ... also, IMO.. it's a good idea to make
> a logout script that will destroy that user's active session...

Sure. But sessions time out after 20 minutes anyway (by default). And do people even click the logout button/link? I just let the session time out.

What you might want to do is something like Hotmail where the user can say "I'm on a public computer" and then lower the timeout to something like 5 minutes. This way the session will time out much quicker.

And unless you're an international spy, or a high school girl, you're probably not at much risk of having someone jump in on your session while you reapply your poisonous lip gloss, or regular lip gloss as the case may be.

Chris.
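The login flow discussed in this thread, as an added example that is not part of either poster's message: the session carries only the user id and level (no separate `auth` flag), an idle limit that is shorter when the user ticks "public computer", and an explicit logout. The `users` table and its columns, the `PDO` handle, the `idle_limit` and `last_seen` session keys and the function names are assumptions made for illustration; `session_start()` is assumed to have been called by the including page.

```php
<?php
declare(strict_types=1);

const IDLE_DEFAULT = 1200; // 20 minutes, the figure quoted in the thread
const IDLE_PUBLIC  = 300;  // 5 minutes for "I'm on a public computer"

// Steps 1-3 of the quoted list. Assumed schema: users(id, username, password_hash, level).
function login(PDO $db, string $username, string $password, bool $publicComputer): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session ID at the privilege change
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['user_level'] = (int) $row['level'];
    $_SESSION['idle_limit'] = $publicComputer ? IDLE_PUBLIC : IDLE_DEFAULT;
    $_SESSION['last_seen']  = time();
    return true;
}

// The presence of user_id is the "logged in" signal; the idle limit is
// enforced here rather than left to session garbage collection.
function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'], $_SESSION['idle_limit'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $_SESSION['idle_limit']) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

// Logout script body: clear the data, expire the cookie, destroy server-side state.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Every protected page would call `current_user_id()` first and treat `null` as "not logged in", which covers both a missing login and an expired idle limit.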