I'm a newbie and I'm trying to build a PHP Session login system.
But I have a few questions, what should I store in the session?
I have downloaded some php login scripts to experiment a little and it seems like they store the username and password in the session.
Why does the password need to be stored? Can I just store the userid in session?
And lastly, authenticating:
Do I simply check if isset session username and id show content else echo please login?
Sorry for my newbie questions!
I always save the userid and IP address in my session. This isn't rock solid but that way you could have an extra check if the session is connected to that IP. If I save a password in the session I just save the hash.
Well the password doesnt need to be stored in the session id. Its a matter of personal preference. Or perhaps the login scripts you are using are trying to optimze their queries. As in maybe they may ask the user to reauthenticate themselves and rather than making another query to the database it can just check using php only. Although this might not be the most secure method.
And a simple isset method should work nicely enough.
the vital thing you need to store in the session is the id of the user who had logged in as you can work around through out the website with the logged user and by this you can check the user is logged or not e.g if the $_SESSION['user_id'] is set the user with the value in the session is logged in and on logout destroy the session user_id , and other than the user_id you can store name and age etc. which you need frequently through out the website , you can store that stuff too in the session, Hope you will find it easy,
