Re-authenticate and make them log in again when they do something particularly dangerous/serious/big-time.

Nothing you've listed matches the above, except maybe changing their current password to a new one.

I suppose you could do it just to change any profile setting, but some goofball out there wants a random avatar hack script, and then they'll just be leaking their login credentials too easily, so that's a net loss.

On Sun, February 25, 2007 6:57 pm, Tosca wrote:
> It's a website where you can reply to news, blogs and other messages
> and with a forum.
>
> On 2/26/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>>
>> On Sun, February 25, 2007 6:45 pm, Tosca wrote:
>> > Quote from Fahad Pervaiz <fahad.pervaiz@xxxxxxxxx>:
>> > "To ensure best security use database as well. Store IP, Session ID,
>> > username, login time. After every few minutes you can re-authenticate
>> > the user against these parameters."
>> >
>> > I have a login system with sessions and a database where I store
>> > session ID, username and what kind of user they are (like admin,
>> > moderator or regular member). This I check every time a page is
>> > refreshed. Is this secure enough?
>>
>> Are you running a bank?
>> Or is it just a community forum?
>>
>> Without context, nobody on earth can answer this.
>>
>> Start reading here:
>> http://phpsec.org
>> to have a better handle on PHP security.
>>
>> --
>> Some people have a "gift" link here.
>> Know what I want?
>> I want you to buy a CD from some starving artist.
>> http://cdbaby.com/browse/from/lynch
>> Yeah, I get a buck. So?

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
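The re-authentication rule discussed in this thread, sketched as an added example that is not code from any of the posters: only a short list of sensitive actions asks for the password again, and a successful check stays valid for a limited window. The action names, the 300-second window and the `$session` array (standing in for `$_SESSION`) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical action names; only these trigger a password prompt.
const SENSITIVE_ACTIONS = ['change_password', 'change_email', 'delete_account'];
// Assumed value: seconds a fresh password check stays valid.
const REAUTH_WINDOW = 300;

/** True when the action may proceed without asking for the password again. */
function may_proceed(array $session, string $action, int $now): bool
{
    if (!isset($session['user'])) {
        return false;                    // not logged in at all
    }
    if (!in_array($action, SENSITIVE_ACTIONS, true)) {
        return true;                     // routine action (e.g. avatar): no prompt
    }
    $last = $session['reauth_at'] ?? 0;  // time of the last password check
    return ($now - $last) <= REAUTH_WINDOW;
}

/** Check the password again and, on success, record when it was checked. */
function reauthenticate(array &$session, string $password, string $storedHash, int $now): bool
{
    if (!password_verify($password, $storedHash)) {
        unset($session['reauth_at']);    // a failed check clears any earlier one
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);     // fresh session ID after the check
    }
    $session['reauth_at'] = $now;
    return true;
}

// Constructed sample data: one user whose last password check was an hour ago.
$hash    = password_hash('correct horse', PASSWORD_DEFAULT);
$session = ['user' => 'example_user', 'reauth_at' => time() - 3600];
$now     = time();

var_dump(may_proceed($session, 'change_avatar', $now));
var_dump(may_proceed($session, 'change_password', $now));
var_dump(reauthenticate($session, 'wrong guess', $hash, $now));
var_dump(reauthenticate($session, 'correct horse', $hash, $now));
var_dump(may_proceed($session, 'change_password', $now));
```

Keeping the sensitive list short means the password prompt appears only on pages where users expect it, which is the concern raised above about prompting for every profile setting.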