12-25-2006, 04:49 AM
I've created my own login system. I have all protected pages using sessions for security. If the session doesn't exist the user is directed to the login page.
I just want to know if this method is recommended (or not) and if there is anything else I should be doing to secure the protected pages.
Thanks for your advice.
Without looking at your code, it is quite difficult to state whether you have applied good security policies in your code or not.
However, session vars are usually used for securing parts of a website in order to track who has logged in and who has not. But, there are many techniques out there to apply these policies...for example, a lot of people make use of a database to store session variables data.
Here is a well known tutorial on how to make use of MySql to store session data.
Also, I would consider using SSL. There are a number of organisations that provide free SSL and it is strongly recommended that you use one.