I have my page set up to use sessions to track the users on my page. The best way I have found is to give each user a "user level" to identify what areas they should or should not be in. For example, if you have a page that edits the news content on your site, you might set it up like this:
<?php session_start(); if($userlevel == "admin") { include("adminpage.inc"); } else { include("accessforbidden.inc"); } ?> Basically, if you're not logged in as a user with Admin rights, then you don't get to see the page. And since only YOU can declare what rights your users have, I don't see a way to spoof this. Unless of course the person doing the spoofing KNOWS what variable you check to see access rights. An adaption of this script might help. HTH Martin >>> "Youngie" <[EMAIL PROTECTED]> 07/08/02 01:50PM >>> Hi Follks I'm writing an application that requires the user to login to gain access to the rest of the site. The login dailog is on index.html, once verified by login.php the user is presented with a menu from which he can select several options option1.htm which executes a query through option1.php etc, option2.htm and option3.htm and so on. But there's nothing stopping him from bypassing the login completely and just brining up option2.htm directly in the browser. I'm looking for some kind of mechanism to set a flag for a successful logon in index.php that can be tested in the other php scripts. I tried using a cookie and got that to work but the user can close the browser, reopen and the cookie is still set. I looked in to session variables but one page could seem to see the session variable values set in the login page, it saw the variable was registered but not the value it was set to. I know this has to be a simple exercise but I'm a newbie. Thanks John. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php