Hello,

For the authentication you can use a form; it will pass the login information to a class that does the SQL validation and puts the user's information in the session, but not the password. I prefer to put it in the session because when he closes the browser the session goes down.

For 2: On the first point, session variables are not something people can get to from the client side unless you send them to them. What you see on the client side is a session identifier that allows the server to retrieve the actual session values.

For 3: You don't need to encode all of the session for security; if you want more security for some variables, encode just those.

For 4: One of the intentions of the session is to store information for easy application access.

For 5: I think it's not a good idea; the IP can change in the middle of the application.

Yuri Yarlei.
Programmer PHP, CSS, Java, PostgreSQL;
Today PHP, tomorrow Java, after the world.
Kyou wa PHP, ashita wa Java, sono ato sekai desu.

> Date: Wed, 22 Jul 2009 10:19:44 -0700
> From: darrenwilly@xxxxxxxxx
> To: php-general@xxxxxxxxxxxxx
> Subject: Session Confusion.
>
> Dear Forums,
>
> Kindly advise me professionally, because I am getting more confused about what to do about my application that needs to be online very soon.
>
> The fear is about Session and Authentication.
>
> Here are my questions.
> 1. Must a Page Authentication be done by Session or Cookie? If not, what are the other options?
> 2. How secure is a Session without encoding?
> 3. Must you encode Sessions at all times, and if not, what type of Session?
> 4. Is it dangerous to pass one Session on several Pages?
> 5. What about locking a Session to an IP ......(tips needed)
> 5. Session Security tips please.
>
> Thank You All.
>
> Williams.
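
The flow described in the reply above (login form, SQL check, user details but not the password kept in the session, only a session identifier reaching the browser), as an added example that is not part of the original thread. The `users` table, the `authenticate()` helper and the sample account are constructed for illustration, and the site is assumed to be served over HTTPS.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the real user database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, name TEXT, pw_hash TEXT)');
$db->prepare('INSERT INTO users (login, name, pw_hash) VALUES (?, ?, ?)')
   ->execute(['williams', 'Williams', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: checks the submitted credentials and returns the
// user row without the password hash, or null when the login fails.
function authenticate(PDO $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, login, name, pw_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    unset($row['pw_hash']); // neither the password nor its hash goes into the session
    return $row;
}

// The cookie carries only the session identifier: it is dropped when the browser
// closes (lifetime 0), hidden from JavaScript, and sent over HTTPS only.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // filter_input() yields false/null for missing or array values; the cast makes that ''.
    $user = authenticate($db, (string) filter_input(INPUT_POST, 'login'),
                              (string) filter_input(INPUT_POST, 'password'));
    if ($user === null) {
        http_response_code(401);
        exit('Invalid login');
    }
    session_regenerate_id(true); // issue a fresh identifier once the user is authenticated
    $_SESSION['user'] = $user;   // stored on the server, never sent to the browser
    exit('Logged in as ' . htmlspecialchars($user['name']));
}

// Any later page: the browser presents the identifier, the server looks up the values.
if (!isset($_SESSION['user'])) {
    http_response_code(401);
    exit('Please log in');
}
echo 'Hello ' . htmlspecialchars($_SESSION['user']['name']);
```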