i know the login.php script will check the username and password against a corresponding user table. if the login succeeds, a call will be made to session_start(). session_start() will be called on all subsequent pages, as well as a check to see if the login status is true (or something like that). herein is my first question:
what should each subsequent page of the site check for?
do i need to turn SSL on or will sessions, cookies and a database be enough? (it doesn't need to be super tight--mainly, some of my aunts and uncles don't want the pictures of their bikini clad daughters from our beach trips accessible to just anyone over the net.)
... i guess i'm not entirely sure what else to ask. i suppose that i'll need to make each page check to see if the above mentioned login status variable is set to true, but how do i set it to false? do i just design the session or cookie to expire when the browser is closed?
any help or feedback is appreciated. if you know of a good site (that's easy to understand) which goes over what you need to do to design s secure site, please let me know.
ah, by the way, the environment i'm designing this site for is a RedHat server with PHP4.3.9 and MySQL4.0
thanks for your help