My site uses sessions and for example on login a random token as a hidden field in the form is generated and added to the session.
As i am on shared hosting i set my own session path outside root directory and if for example session is tampered in anyway the user is logged out. I also have it so each time user visits there main control panel area and on login that it regenrates a new session id to try and help avoid session theft. And i also do some checks against db on some parts such as change password also requires old password to change new password, incase user account is hijacked, change email to ensure the information stored in the session equals the information stored for that user in the database.
I also have it that if user fails 4 login attempts that it locks there account and sends them an email to notify them, incase it was trying to be accessed by an unauthorised person with a unique activation link before login and a new random generated password which is encrypted using sha1().
I fell pretty confident i have done enough to make it as secure as possible.
My question now relates to my admin area.
I simply have on my user table a column called `admin` and default is `0` for NON admin and `1` means admin.
Woudl you say it is safe on each login that i store the $_SESSION in the session so it can tell wheter a user is admin or not, and if so show admin menu?
example once user is verified on login i store information about the user in the session for use on other areas of the site. If i add a new session for admin on login it will see if it == 0 or 1.
I think this will be fine due to the fact i have my own session path which is out of root so can only be viewed by me, but would like some advice to ensure if this is safe or a more safer way available.
Edited by genieuk: n/a