06-27-2009, 01:00 AM
cecilia

username and password

I know this sounds so basic but... I'm just wondering if this approach is right; I'd really like to know if I did something wrong. It's the way users log in:


1. Users login at login.php.

2. It gets submitted to home.php which has validate.php included at the top which checks the database for the user and password match. The sanitation for all the POSTs is there too.

3. The validate.php is on every page from then on and the login/password gets passed through the pages as hidden POSTs. So on every page, it gets checked that the user and password match.

4. If you don't get the password right you just get bounced back to the login.



What was I thinking back then:

1. I'm passing the password and the user instead of just posting loginsuccessful = 1, coz users can just modify this, right?

2. I'm making it check every page too in case the user is already logged in, and I need to kick him/her out of the site for some reason.

3. I didn't use GET, sessions and cookies coz I read they can be hijacked so it's not safe. So all I had left was the POST.


Thanks
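For comparison with the flow described in the post, here is an added example (not cecilia's validate.php) of a small validate.php that checks the credentials once, keeps the login state in a server-side session, and re-checks the account on every page so a disabled user is dropped on the next request. It assumes a `users` table with `username`, `password_hash` (produced by `password_hash()`) and `disabled` columns, and a PDO connection in `$pdo` created by the including page; all of those are assumptions of this example.

```php
<?php
// Added example, not the post's validate.php. Assumed schema: a `users` table
// with columns username, password_hash (from password_hash()) and disabled.
// $pdo is assumed to be a PDO connection created by the including page.
declare(strict_types=1);

session_start();

// Run once, from the page that receives the login.php form.
function attempt_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? AND disabled = 0');
    $stmt->execute([$username]);          // bound parameter: no string-building with POST data
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return false;                     // unknown user or wrong password: caller bounces to login.php
    }
    // New session id on login; the logged-in state lives on the server,
    // so it cannot be edited the way a hidden form field can.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Included at the top of every protected page instead of re-posting the
// password. Re-checks the account on each request, which covers the
// "kick him/her out" case from the post: set disabled = 1 and the next
// page load ends the session.
function require_login(PDO $pdo): string
{
    $user = $_SESSION['user'] ?? null;
    if ($user !== null) {
        $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = ? AND disabled = 0');
        $stmt->execute([$user]);
        if ($stmt->fetchColumn() !== false) {
            return $user;
        }
    }
    logout();
    header('Location: login.php');        // same bounce-to-login as step 4 of the post
    exit;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 42000, '/');   // expire the session cookie
    }
    session_destroy();
}
```

Pages call `require_login($pdo)` where the post's version re-checked the hidden username/password fields; the login handler calls `attempt_login($pdo, $_POST['username'], $_POST['password'])` and redirects to login.php on `false`.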