I’m attempting to write a page that allows a user to remain logged in. Is it simply enough to set a session variable if the site has SSL? I am checking for a session variable that just says the person is logged in.
$_SESSION['LOGIN'] = true;
On each page, I simply check to see if this value is set. If so, let them have access. If not, kick them back to login. Is this enough security-wise with SSL? Or are there any other checks I should be doing?
Sessions are stored on the server, so SSL would not matter in this case. SSL protects the user from being deceived when a proxy replaces the page in transit with its own to steal info. SSL prevents this by encrypting the page. The session is never transmitted. This would be enough, but if you want to be really safe, you can re-perform authentication on every page load with the username and password stored in the session.
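Here is how the `$_SESSION['LOGIN']` check from the question looks when written out in full, as an added example that is not code from either poster. It assumes the whole site is served over HTTPS, that the login form lives at `/login.php` (an assumed path), and it uses a constructed in-memory user table in place of a real database. Because the session data sits on the server but the session ID travels in a cookie on every request, the example locks that cookie down (Secure, HttpOnly, SameSite, strict mode), regenerates the ID at login, verifies the password against a `password_hash()` value rather than keeping any credentials in the session, and applies an idle timeout to the check on each page.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3, a site served
// entirely over HTTPS, and a login page at /login.php (assumed path). The user
// table below is constructed for the demo; real code would query a database.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session ID is sent to the browser in a cookie and comes back with
    // every request, so restrict that cookie: TLS only, not readable from
    // JavaScript, not attached to cross-site navigations.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

// Constructed sample user store; alice's password is "correct horse battery staple".
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => [
                'id'   => 1,
                'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    start_secure_session();
    $user = find_user($username);
    // Check against the stored hash only; the plaintext password is never kept.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh ID at the privilege change, so an ID fixed or captured before
    // login does not become an authenticated session.
    session_regenerate_id(true);
    $_SESSION['LOGIN']     = true;        // the flag from the question
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

const IDLE_TIMEOUT = 30 * 60; // seconds of inactivity allowed; an assumed value

// Call this at the top of every protected page, before any output is sent.
function require_login(string $login_url = '/login.php'): void
{
    start_secure_session();
    $ok = !empty($_SESSION['LOGIN'])
        && isset($_SESSION['last_seen'])
        && (time() - $_SESSION['last_seen']) <= IDLE_TIMEOUT;
    if (!$ok) {
        logout();
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client as well as destroying the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A protected page just does `require_once 'auth.php'; require_login();` as its first two statements; the login handler calls `login($_POST['username'], $_POST['password'])` and redirects on success. Nothing here asks the user to log in again on every page, but the cookie flags and `session_regenerate_id()` are what keep the transmitted session ID from being the weak point.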