PHP Session security



Hi all,
I previously logged a question asking how to automatically log a user
into Apache Basic Authentication without displaying the standard
username/password dialog from the browser.

I have since come to realise this is not possible, I'll have to use my
own system with session cookies etc. Kewl

My question now is, if I'm managing the login with PHP sessions, what's
to stop somebody coming along and directly accessing an image without a

I should probably expand: what I want to do is set up a simple login so
customers can log in and view their own content, a preview. This
obviously needs some level of security. I'm not looking to set up Fort
Knox, but I would like a reasonable amount of security so that I can
restrict who looks at the content. Can anybody point me in the
direction of a reasonable solution?


PS: My host (Apache based) has PHP, Zend, Perl, cURL and control over
Basic Authentication on particular directories. No MySQL or advanced

Re: PHP Session security


You could actually use dynamic tables and such with mysql unless they
are static pages.  Then in which case you could write a small loading
system in php to just simply load in the images if that is what you are
worried about.


Re: PHP Session security

cheers for the reply, but I'm afraid I don't have access to a mysql

besides, such a solution might prove a bit unwieldy

thanks anyway


Re: PHP Session security


You could use something of this sort for a login system:

$users = array();

// Option 1: the login name is the key, the password is the value
$users['loginname'] = 'somepassword';
// Option 2: a list of login/password pairs
$users[] = array('login'=>'userlogin', 'password'=>'mypassword');

and then if using the first example do the login such as:

// config.php holds the $users array, e.g.:
$users['bob'] = 'somecrappypassword';

require_once 'config.php';
session_start();
if (isset($_POST['username'], $_POST['password']) &&
    array_key_exists($_POST['username'], $users) &&
    (md5($users[$_POST['username']]) === md5($_POST['password']))) {
    $_SESSION['is_logged_in'] = true;
    $_SESSION['un'] = $_POST['username'];
    $_SESSION['pw'] = md5($_POST['password']);
} else {
    exit('Login Credentials wrong.');
}

You get the idea.  Now on every page you would check if the is_logged_in
session variable is set to true and also check the session un and
password against the array.
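The two pieces the thread leaves open are the "small loading system" that hands out the images (the first reply) and the per-page session check (the reply above). Here is an added example of a gatekeeper script that does both; it is not code from anyone in the thread. It assumes the login code above has set $_SESSION['is_logged_in'] and $_SESSION['un'], and that the preview files live in a directory outside the web root (the /home/example/private_previews path is a placeholder) so the only way to fetch them is through this script.

```php
<?php
// Added example (not from the thread): serve a customer's preview image only
// when the PHP session created by the login script says the user is logged in.
// Assumes images are stored OUTSIDE the web root, so they cannot be fetched
// directly:  /home/example/private_previews/<username>/<file>  (assumed path)
// Pages then link to images as <img src="image.php?f=photo1.jpg">.

session_start();

if (empty($_SESSION['is_logged_in']) || empty($_SESSION['un'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please log in first.');
}

$baseDir = '/home/example/private_previews';   // assumed, outside htdocs
$user    = $_SESSION['un'];
$file    = isset($_GET['f']) ? $_GET['f'] : '';

// Whitelist the file name (letters, digits, dot, dash, underscore plus an
// image extension) so "../" style values and non-image files are rejected.
if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/', $file)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name.');
}
// The user name came from our own $users array, but apply the same rule so
// it can never contain a directory separator.
if (!preg_match('/^[A-Za-z0-9_-]+$/', $user)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Bad user.');
}

$path = realpath($baseDir . '/' . $user . '/' . $file);

// realpath() resolves symlinks and "..": insist the result is still inside
// this user's own folder before serving anything.
if ($path === false || !is_file($path)
    || strpos($path, realpath($baseDir) . '/' . $user . '/') !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit('No such image.');
}

$types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'png' => 'image/png',  'gif'  => 'image/gif');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');   // keep shared caches out of it
readfile($path);
```

The same "if not logged in, send 403 and exit" block at the top of every protected page is the per-page check the reply describes; a user who is logged in sees only the files under their own folder.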

