Hi Jason,

Yes this is going to be a public facing application with a 3 level hierarchy, and maybe around 100 tiny companies (3-4 employees) using it. The app is going to be on a hosted server. DB session mgmt would be a bit slower, is it?

I have thought about cross site forgery and session hijacking, but the more I think about it, I realize the less I know about it all :( So I thought this would be the best place to start.

Thanks,
Vinay

On Thu, Apr 22, 2010 at 11:19 AM, Jason Gerfen <jason.gerfen@xxxxxxxxxxxx> wrote:

> How secure would you want it? Is this a public facing web application?
>
> Are you in a shared hosting environment vs. a dedicated hosting environment? Do you require alternative session management such as database or mcache vs. flat file session support?
>
> Have you thought about cross site request forgeries? Session hijacking etc?
>
> There are tons of things to take into consideration but setting a flag per user session is indeed one method of ensuring a user has authenticated.
>
> Vinay Kannan wrote:
>
>> Hey Guys,
>>
>> I need some help on an efficient session management, right now what I do is check if the user has logged in using his username, and create a SESSION['logged']=1, setting a login flag actually, I am not sure if this is the best way?
>>
>> What do you guys use for sessions, and which is the best possible way?
>>
>> Thanks,
>> Vinay
>
> --
> Jas
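As an added example that is not code from anyone in this thread: a hardened PHP version of the login-flag approach discussed above, regenerating the session id on login (against session fixation), setting the cookie flags that limit hijacking, enforcing an idle timeout, and carrying a per-session CSRF token. It assumes PHP 7.3 or later served over HTTPS; the function names and the /login.php path are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and HTTPS.
// Cookie flags: HttpOnly keeps the id away from script, Secure keeps it off
// plain HTTP, SameSite=Lax stops most cross-site POSTs from carrying it.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login_user(int $user_id, int $company_id): void
{
    // Fresh id on login, so an id planted before login (fixation) is useless after.
    session_regenerate_id(true);
    $_SESSION['logged']      = 1;
    $_SESSION['user_id']     = $user_id;
    $_SESSION['company_id']  = $company_id;   // scope every query to the tenant
    $_SESSION['last_active'] = time();
    $_SESSION['csrf_token']  = bin2hex(random_bytes(32));
}

function logout_user(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

function require_login(int $idle_limit = 1800): void
{
    // Idle timeout limits how long a stolen id stays usable.
    if (empty($_SESSION['logged']) || time() - ($_SESSION['last_active'] ?? 0) > $idle_limit) {
        logout_user();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_active'] = time();
}

// Every state-changing form embeds csrf_field(); its handler calls verify_csrf().
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES) . '">';
}

function verify_csrf(): bool
{
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '');
}
```

Call require_login() at the top of every protected page and verify_csrf() before acting on any POST; whether the session store is files, a database or memcache does not change any of this.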