[macintosh]

After user has given username and password , i use following way to check login and set session...

PHP Code:

<?php 

session_start(); 



$result = mysql_query("SELECT * from login WHERE name='" . $_POST['name'] . "' AND password='" . $_POST['password'] . "'"); 



$rows=mysql_mun_rows($result);



if ($rows > 0) 

{ 



session_register('name');

$_SESSION['name'] = $_POST['name'];



header("Location: success.php");

exit; 

}  else { 



//unsuccessful login 

header("Location: login.php");

exit; 



} 

?>

My question is that, when do i need to put password also in session???
How do i check if the session is valid or not ? eg. for example there is some name value in session, do i have to check from db it there is any user with this name + password? or there is some other way?
thank you very much for your time.

[landing]

You shouldn't need to store the password in the session really (unless of course you want to be able to forcefully log a user out). The session is valid because you have checked the users log in details before assigning the particular 'name' session variable. As long as 'name' is set, the user has logged in. And it's only valid for as long as the user has their browser open.

There is a security concern known as session hijacking (Google it). However, you are far more at risk for performing database queries on unsanitised form input. See the link in my signature.