I have my page set up to use sessions to track the users on my page. The best way I
have found is to give each user a "user level" to identify what areas they should or
should not be in. For example, if you have a page that edits the news content on your
site, you might set it up like this:
<?php
session_start();
if($userlevel == "admin") {
include("adminpage.inc");
} else {
include("accessforbidden.inc");
}
?>
Basically, if you're not logged in as a user with Admin rights, then you don't get to
see the page. And since only YOU can declare what rights your users have, I don't see
a way to spoof this. Unless of course the person doing the spoofing KNOWS what
variable you check to see access rights. An adaption of this script might help.
HTH
Martin
>>> "Youngie" <[EMAIL PROTECTED]> 07/08/02 01:50PM >>>
Hi Follks
I'm writing an application that requires the user to login to gain access to
the rest of the site.
The login dailog is on index.html, once verified by login.php the user is
presented with a menu from
which he can select several options option1.htm which executes a query
through option1.php etc,
option2.htm and option3.htm and so on. But there's nothing stopping him
from bypassing the login completely
and just brining up option2.htm directly in the browser. I'm looking for
some kind of mechanism to set a
flag for a successful logon in index.php that can be tested in the other php
scripts.
I tried using a cookie and got that to work but the user can close the
browser, reopen and the cookie is still
set. I looked in to session variables but one page could seem to see the
session variable values set in the
login page, it saw the variable was registered but not the value it was set
to.
I know this has to be a simple exercise but I'm a newbie.
Thanks
John.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
