security in websites
(PHP Development) Keywords: php, mysql, browser, database, sql, security, web
i am preparing to design a website for my family. i'd like it to have a secure log-in, which references usernames and passwords in a mysql database. i'd like the rest of the website to be secure, meaning, if you're not logged in, you're redirected to the index. i'm planning to use sessions with cookies. as i'm relatively new to security in web design, i'd like some advice.
i know the login.php script will check the username and password against a corresponding user table. if the login succeeds, a call will be made to session_start(). session_start() will be called on all subsequent pages, as well as a check to see if the login status is true (or something like that). herein is my first question:
what should each subsequent page of the site check for?
do i need to turn SSL on or will sessions, cookies and a database be enough? (it doesn't need to be super tight--mainly, some of my aunts and uncles don't want the pictures of their bikini clad daughters from our beach trips accessible to just anyone over the net.)
... i guess i'm not entirely sure what else to ask. i suppose that i'll need to make each page check to see if the above mentioned login status variable is set to true, but how do i set it to false? do i just design the session or cookie to expire when the browser is closed?
any help or feedback is appreciated. if you know of a good site (that's easy to understand) which goes over what you need to do to design s secure site, please let me know.
ah, by the way, the environment i'm designing this site for is a RedHat server with PHP4.3.9 and MySQL4.0
thanks for your help