pro_php thread: RE: Easiest way to log out?


Message #1 by Jefferis Peterson <jefferis@p...> on Thu, 31 May 2001 17:31:37 -0400
Ok, here is what I would recommend.  It would eliminate the need for cookies
also.

The user logs in with a username and password.  You have a table where all
usernames and passwords are stored.  The script checks this database to see
if the user is allowed.

If the security check passes, create a random number (this can be done
multiple ways and I'm sure someone has a good way to do it) and put it into
another table along with a timestamp.

Pass this session_id (the random number you generated) from page to page in
a hidden element variable.  Each time the user goes to a new page, check the
session table for that session_id.  If it is in the table, check the
timestamp.  If it is 15 minutes old, delete the entry in the session table
and report that their session has timed out.  If their session has not timed
out, update the timestamp to the current time.

If the person chooses to log out, remove his session_id from the table.
That way, if he tries to go back, he will have no existing session_id and
have to log back in.

If anyone sees any issues with this, feel free to point it out... I only
generated this off the top of my head so there may be some holes in it.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Jefferis Peterson" <jefferis@p...>
To: "professional php" <pro_php@p...>
Sent: Friday, June 01, 2001 11:34 AM
Subject: [pro_php] Re: Easiest way to log out?


<snip>
>
> So, how then could I rewrite this authentication code to be safer and
> more flexible. Can I just change the ipaddress function to another
> variable in the sessions table, or do I need to add a session cookie?
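
The scheme described in the message above, as an added example that is not part of the original post: a session table with a sliding 15-minute timeout and logout by row deletion. The table, column and function names are hypothetical, an in-memory SQLite database stands in for the real one, and the use of `random_bytes()` and of storing only a SHA-256 hash of the id are assumptions that go beyond what the post specifies.

```php
<?php
declare(strict_types=1);
const SESSION_TTL = 900; // 15 minutes, the timeout given in the post

function open_store(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory stand-in for the session table
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (id_hash TEXT PRIMARY KEY, username TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

// Call only after the username/password check has passed.
function sess_create(PDO $db, string $user, int $now): string {
    $id = bin2hex(random_bytes(32)); // CSPRNG output, so the id cannot be guessed
    // Assumption beyond the post: store only a hash, so a leaked table holds no usable ids.
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')->execute([hash('sha256', $id), $user, $now]);
    return $id; // value for the hidden form field
}

// Logout: remove the row so the old id no longer matches anything.
function sess_destroy(PDO $db, string $id): void {
    $db->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute([hash('sha256', $id)]);
}

// Returns the username for a live session, or null if the id is unknown or timed out.
function sess_check(PDO $db, string $id, int $now): ?string {
    $h = hash('sha256', $id);
    $q = $db->prepare('SELECT username, last_seen FROM sessions WHERE id_hash = ?');
    $q->execute([$h]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // never issued, or already logged out
    }
    if ($now - (int)$row['last_seen'] >= SESSION_TTL) {
        sess_destroy($db, $id); // timed out: delete the entry
        return null;
    }
    // Still live: slide the window forward to the current time.
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE id_hash = ?')->execute([$now, $h]);
    return $row['username'];
}

// Constructed walk-through with fixed timestamps (seconds).
$db = open_store();
$id = sess_create($db, 'alice', 1000);
var_dump(sess_check($db, $id, 1600)); // 10 minutes after login
var_dump(sess_check($db, $id, 2499)); // just under 15 minutes after the previous request
var_dump(sess_check($db, $id, 3399)); // a full 15 minutes idle
$id2 = sess_create($db, 'alice', 4000);
sess_destroy($db, $id2);              // user logs out
var_dump(sess_check($db, $id2, 4001)); // old id presented after logout
```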


