user816604

authentication safely

So I currently store a token and user ID whenever a user logs in. The token is stored in the user table and in a COOKIE.

So user 1 logs in and the following details are stored in a COOKIE and database on his computer:

Whenever he logs in, a different token is generated.

To authenticate the user, every time he accesses my site, I check to see if the token matches the one stored in the database for the specific cookie.

But the problem is that constantly checking the database is a waste of resources, but how do we make sure that the user is who they say they are? I can't just store his ID in a cookie because he could easily change the ID and get access to another user's information.

Thanks!

Upvotes: 0

Views: 67

Answers (2)

jakx

Reputation: 758

Use session_start() which handles the logistics of checking the cookie and validating that the data is actually for that user's session. You have to start the session before you can use $_SESSION but that's one way to store session data.

http://php.net/manual/en/function.session-start.php

Upvotes: 0

Naterade

Reputation: 2685

Could you use a $_SESSION variable such as: $_SESSION['id'] = $randomstring; Then at the top of each page check if the variable is set:

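<?php
session_start(); // $_SESSION is only available after the session has been started
if (isset($_SESSION['id'])) {
    $loggedin = true;  // an id is stored in this session: treat the user as logged in
} else {
    $loggedin = false; // no id in this session: treat the user as logged out
}
?>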

Upvotes: 2
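The session approach from both answers, as an added example that is not part of the original thread: the user ID is kept server-side in $_SESSION and the browser only holds the random session ID, so editing the cookie cannot select another user's ID. The function names, the `user_id` key and the constructed user table are hypothetical, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example. check_credentials() and its constructed user table are
// hypothetical stand-ins for the real database lookup done once at login.

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS (assumption: the site uses HTTPS)
    'samesite' => 'Lax',  // not sent on cross-site POSTs
]);
ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
session_start();

function check_credentials(string $user, string $password): ?int
{
    // Constructed sample data: one user with ID 1.
    static $users = null;
    $users ??= ['alice' => ['id' => 1,
                            'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

function log_in(string $user, string $password): bool
{
    $id = check_credentials($user, $password);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);  // fresh session ID at login, prevents session fixation
    $_SESSION['user_id'] = $id;   // lives on the server; never sent to the browser
    return true;
}

function current_user_id(): ?int
{
    // Call at the top of each page; null means the visitor is not logged in.
    return $_SESSION['user_id'] ?? null;
}

function log_out(): void
{
    $_SESSION = [];     // drop the server-side data
    session_destroy();  // and invalidate the session itself
}
```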
