simple $_SESSION security
ok, i need some basic security for a site.. nothing super fancy, but enough to keep anyone from view some stuff. The pages are already blocked from google etc indexing so for the most part, no one will even know they exist.
now, i think i have done this correctly... there is a login page.. wife enters user/pass
then it goes here and this is done first thing
PHP Code:
<?php
session_start();
$loggedin=FALSE;
if (isset($_SESSION['owner'])) {
if ($_SESSION['owner']=='xxxxxx') {
$loggedin=TRUE;
}
}
if (!$loggedin) {
if ($_POST['user']=='xxxxxx' && $_POST['pass']=='xxxxxx') {
$_SESSION['owner']='xxxxxx';
$loggedin=TRUE;
} else {
if (isset($_SESSION['attempt'])) {
$_SESSION['attempt']=$_SESSION['attempt']+1;
} else {
$_SESSION['attempt']=1;
}
if ($_SESSION['attempt'] > 4) {
header("location:http://google.com");
}
}
}
?>
and other pages have this:
PHP Code:
session_start();
$loggedin=FALSE;
if (isset($_SESSION['owner'])) {
if ($_SESSION['owner']=='xxxxxx') {
$loggedin=TRUE;
}
}
if (!$loggedin) {
header("location:index.html");
die('tsk tsk');
}
is that good enough? I tried putting in wrong passwords and it seemed to work.. and tried going to pages without 'logging in' and it seemed to work... but being new to sessions... is this good enough?
Thanks all!
Re: simple $_SESSION security
yes, that would work. I would change some things, but not the basic way that it works. just the way you're doing it. if you don't have specific pages that only certain "owners" can see, then I would just do this instead (for every page):
PHP Code:
<?php
session_start();
if(!isset($_SESSION['owner'])){
//redirect
header("Location: login.php?return=" . __FILE__);
}
?>
<!-- your content goes here -->
