Results 1 to 5 of 5
Apr 12, 2011, 05:58 #1
- Join Date
- Apr 2011
- 0 Post(s)
- 0 Thread(s)
Using session variables to determine site admin access - secure or not?
Firstly I'd like to point out that while I'm creating a live site for a local club I am a college student and this semester is my first introduction to php so please don't get extremely technical in any replies
My site is set up to authenticate users by accepting the username and password, running an md5 hash on the password and comparing it to the stored username and md5 hashed password in my MySQL database. If a user is authenticated successfully I take all the information in the "Users" table relating to the user and store it within a session variable for ease of access later. I'm sure this is all pretty standard stuff so far.
Within the users table I have a field called "Admin" which is default of "NO" when a new user is created. What I am doing with my administration page is running my normal authentication checks and then checking to see if the session variable "Admin" is set to "YES". If so the admin is logged in, if not the user is redirected to the homepage. This should work since a user who is not logged in will not get as far as the admin check, in my beginners opinion anyway.
I'm wondering if anybody has used this method of authentication before and if it's actually secure or can someone with a bit of experience gain access to and change the session variables or otherwise work around this method?
Many thanks in advance,