note
FalseVinylShrub
<p>Hi</p>
<p>Hope this will be of help:</p>
<ul>
<li>If you are actually trying to make something secure, you should probably look for a ready-made module. Sorry, I don't know what's considered the best at the moment, you'll have to do some research or wait for someone else to recommend one.</li>
<li>On the login page, you seem to be checking the username (email address) then checking to see if there is an account with the specified password. Surely you need to check that the password belongs to that user: it looks like you can log into anyones account with your password at the moment. Need to pull out the password from the submitted email address, then check it is equal to the password submitted in the login form.</li>
<li>To solve the problem you asked about, and anything else that needs password protection, you'll need to keep track of logged in users between pages. You can't just pass round the username, or anyone will be able to access any account by changing the URL/cookie/etc. One way to do this would be to generate a session cookie and keep a record of which account it belongs to. Managing all this is quite complex and I would recommend finding a module.</li>
</ul>
<p>Anyway depends exactly what you're doing but if you want some kind of security better do some research. Hope someone who knows more than me will provide more useful details..</p>
<p>FVS</p>
808985
808985