PHP Sessions

#1
07-07-09, 08:42 AM
End User
Quote:
Originally Posted by ruteckycs
As for security, I guess you have to ask yourself how likely it is someone will be attacking / routing packets for your customers' computers

That's not the question you should be asking. What you should be asking is, "Do I want to code this securely or not?"

Cookies are pretty easy to exploit, and although you may not care about the data or think it's worth hacking, someone else might. Oftentimes hackers go for the "low-hanging fruit" (the easy stuff), so why make it any easier for them?

I often hear the argument that "this data isn't important" or "this data isn't worth anything". In the first instance, it may not be important to you, but chances are it's important to somebody.

In the second instance, it's not necessarily the value of the data itself, but the access that cracking the data can bring, like gaining access to your server or user accounts, thereby creating an opening that can be further exploited.

Saying that "nobody wants this data" is like saying that "nobody wants your front door", so why not just make it out of cardboard. It's not the door that's important, it's the fact that it keeps people out of your home.

Anytime I hear people coming up with reasons not to code securely, I just shake my head. It's like trying to justify not wearing a seatbelt when you drive: "No one wants to hit my car."

On the other hand, I really should thank the insecure coders of the world, because it means that hackers will be targeting them instead of me. And I'm okay with that.


Quote:
Originally Posted by ruteckycs
not likely for the home user, but for a bank or something ....?

Honestly, you'd be surprised how often home networks and end user PCs are targeted.
__________________
I don't live on the edge, but sometimes I go there to visit.
-------------------------------------------------------------------------
Sanitize Your Data (scroll down)

Last edited by End User; 07-07-09 at 08:45 AM.
#2
07-07-09, 10:05 AM
ruteckycs
Very good points End User, I have to concede then that sessions would be better. Now that we have squashed my idea of the OP using cookies perhaps it would be a good idea to answer his original question as to how to use sessions.

It's something like this:

<?php
session_start();                       // start (or resume) the session
$_SESSION['My_Variable'] = "my_data";  // store a value on the server side
echo $_SESSION['My_Variable'];         // read it back
session_destroy();                     // destroy the session when finished
?>

Basically you:
1. Start the session
2. Assign variables to the array, and assign values
3. Destroy the session when you're done

I'll look around and see if I can find a tutorial for you.
#3
07-07-09, 01:41 PM
End User
Quote:
Originally Posted by ruteckycs
Very good points End User, I have to concede then that sessions would be better. Now that we have squashed my idea of the OP using cookies perhaps it would be a good idea to answer his original question as to how to use sessions.

I'll look around and see if I can find a tutorial for you.

Actually, I think my first post in this thread gave an example of using sessions.
#4
07-07-09, 08:47 PM
ruteckycs
You didn't say sessions use cookies, you said they ARE cookies. They are not.
#5
07-08-09, 04:01 AM
Nico
The only thing that sessions store in a cookie is the session identifier. It's an MD5 or SHA1 hash (depending on your php.ini settings). It contains no sensitive data which anyone could easily steal. The rest of the data is stored on the server, and it's only accessible with the right session identifier.

Storing the username/password directly in a cookie, without sessions, would obviously be more insecure.
#6
07-08-09, 04:22 AM
klaniak
Here is an example if you want to use sessions:
My guess is you probably want to use MySQL.
PHP Code:
//you need to connect to database

session_start(); //we start the session
if (isset($_POST['submit']))
{
    $user = strip_tags(addslashes($_POST['username']));
    $password = strip_tags(addslashes($_POST['password']));
    //you select your database
    //you grab the user id and name and compare them with $user and $password

    $_SESSION['valid_user'] = "your id number from database";
    $_SESSION['name'] = "the name of the user";

    header('location: menu.php'); //the location where you want your users to be redirected
    exit; //stop the script once the redirect has been sent
} else {
    header('location: sorry.php?not_logged=yes'); //the location if they are not logged
    exit;
}

You can use the code and include it on all your protected pages,
include('./library/login.php');
if (empty($_SESSION['valid_user'])) { header('location: sorry.php'); exit; }

You will also need a logout.php to destroy your session; here is an example:

PHP Code:
session_start();
$_SESSION = array(); //clear the session data; unset($_SESSION) would disable the superglobal
session_destroy();
header('location: index.php');
exit;
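The session flow discussed in this thread, written out with the hardening the posts leave open; this is an added example, not code from any poster. The `users` table with its `password_hash` column, the function names and the in-memory SQLite demo account are assumptions made for illustration; the page names come from post #6.

```php
<?php
// Added example; assumed: a users table (id, name, password_hash).
function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}
function login(PDO $db, string $user, string $password): bool {
    // Bound parameter instead of addslashes(); the password never enters the SQL.
    $stmt = $db->prepare('SELECT id, name, password_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);  // fresh id at login; the pre-login id stops working
    $_SESSION['valid_user'] = (int) $row['id'];
    $_SESSION['name'] = $row['name'];
    return true;
}

function require_login(): void {
    if (empty($_SESSION['valid_user'])) {
        header('Location: sorry.php');
        exit;  // without this the protected page keeps executing
    }
}

function logout(): void {
    $_SESSION = [];  // clear the data (unset($_SESSION) would break the superglobal)
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (PHP_SAPI === 'cli') {  // demo with constructed data: in-memory SQLite, made-up account
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)');
    $db->prepare('INSERT INTO users (name, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    start_secure_session();
    $results = [login($db, 'alice', 'wrong'), login($db, 'alice', 'correct horse')];
    logout();
    var_dump($results);
}
```

The array form of `session_set_cookie_params()` needs PHP 7.3 or later, and the demo needs the `pdo_sqlite` extension.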