0

I'm developing a website. I have a login, a register and a profile page. When a user logs in, he is redirected to the page `profile.php?id=1`. Let's say another user with id=2 logs in and he replaces 2 with 1. How can I secure the page so that it does not show the data corresponding to user 1, using PHP?

tkanzakic
  • I suggest reading [this answer](http://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach#answer-17266448). Using only a user's ID to authenticate is extremely insecure. – showdev Mar 11 '15 at 21:18
  • reformatted the question to make it more clear – tkanzakic Mar 11 '15 at 21:27

1 Answer

1

Store the user id in session variables instead of in the URL.

At the beginning of every page load you will need to do a `session_start();` to use PHP sessions.

Then when user 1 logs in successfully, assign any name/value pair you like to the session array, such as `$_SESSION['user_id'] = 1;`.

On each page load after that use the value in `$_SESSION['user_id']` to identify your user.

John McMahon
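The session-based check described in the answer above, as an added example that is not part of the original answer. The `$users` array is constructed sample data standing in for a database table, and the helper names `login()` and `profileFor()` are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a users table (assumption).
$users = [
    1 => ['email' => 'alice@example.test', 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'bio' => 'Alice profile'],
    2 => ['email' => 'bob@example.test',   'hash' => password_hash('bob-pw', PASSWORD_DEFAULT),   'bio' => 'Bob profile'],
];

session_start(); // must run before any output, on every page

// Hypothetical helper: verify credentials and bind the user id to the session.
function login(array $users, string $email, string $password): bool
{
    foreach ($users as $id => $user) {
        if ($user['email'] === $email && password_verify($password, $user['hash'])) {
            session_regenerate_id(true);  // fresh session id at login (blocks session fixation)
            $_SESSION['user_id'] = $id;   // stored server-side; the browser cannot edit it
            return true;
        }
    }
    return false;
}

// Hypothetical helper for profile.php: the session decides whose data is shown.
// An id taken from the URL is honoured only when it matches the logged-in user.
function profileFor(array $users, ?string $idFromUrl): array
{
    $me = $_SESSION['user_id'] ?? null;
    if ($me === null || !isset($users[$me])) {
        return ['status' => 401, 'body' => 'Please log in'];
    }
    if ($idFromUrl !== null && (!ctype_digit($idFromUrl) || (int) $idFromUrl !== $me)) {
        return ['status' => 403, 'body' => 'Forbidden'];
    }
    return ['status' => 200, 'body' => $users[$me]['bio']];
}

// In profile.php the second argument would be the `id` query parameter, if present.
$results = [profileFor($users, '1')];           // nobody is logged in yet
login($users, 'bob@example.test', 'bob-pw');    // user 2 logs in
$results[] = profileFor($users, null);          // profile.php with no id
$results[] = profileFor($users, '2');           // profile.php?id=2 (own id)
$results[] = profileFor($users, '1');           // profile.php?id=1 (someone else's id)

foreach ($results as $r) {
    echo $r['status'], ' ', $r['body'], PHP_EOL;
}
```

In a real page the status would be sent with `http_response_code()` before any output, and the profile row would be fetched with a prepared statement keyed on `$_SESSION['user_id']`.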