ID: 10902
Updated by: cynic
Reported By: [EMAIL PROTECTED]
Old-Status: Open
Status: Bogus
Bug Type: *Session related
Operating system:
PHP Version: 4.0.5
Assigned To:
Comments:

This could only happen with a misconfigured PHP - you would have to set it to register globals AND extract GET/POST data AFTER session data. Proper configuration is an admin responsibility.

Previous Comments:
---------------------------------------------------------------------------

[2001-05-16 10:19:23] [EMAIL PROTECTED]

Not really a bug, just an issue.

---------------------------------------------------------------------------

[2001-05-16 10:17:14] [EMAIL PROTECTED]

This is kind of similar to the old file upload problem, where you could set variables in a POST. In some cases (depends on the way the code is written), if a site stores login status (e.g. user name, etc.) in session variables after an authorisation check, it is possible to pass values as the same-named session vars, and therefore actually bypass the authorisation step, getting access to restricted areas.

---------------------------------------------------------------------------

ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=10902&edit=2
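
The ordering issue discussed in this report, as an added example that is not part of the original report or PHP's own code: a simulation with plain arrays showing why a check against flat globals depends on import order, while a check against session data alone does not. The function names, the `logged_in` variable and the sample data are assumptions made for illustration.

```php
<?php
// Simulation only: models a register-globals-style import with plain arrays,
// so it does not depend on any php.ini setting or touch real request data.

/**
 * Import each source into one flat scope, in the order given.
 * A later source overwrites a same-named entry from an earlier one.
 */
function import_globals(array $sources): array
{
    $scope = [];
    foreach ($sources as $vars) {
        foreach ($vars as $name => $value) {
            $scope[$name] = $value;
        }
    }
    return $scope;
}

// Check against the flat scope: it cannot tell where the value came from.
function is_authorised_flat(array $scope): bool
{
    return !empty($scope['logged_in']);
}

// Check against session data only: request input is never consulted.
function is_authorised_session(array $session): bool
{
    return ($session['logged_in'] ?? false) === true;
}

// Constructed sample data: the session records that the authorisation check
// has not passed; the request carries a parameter with the same name.
$session = ['logged_in' => false];
$request = ['logged_in' => '1'];

$cases = [
    'request imported after session' => import_globals([$session, $request]),
    'session imported after request' => import_globals([$request, $session]),
];

foreach ($cases as $label => $scope) {
    printf("%-32s flat check: %-5s  session-only check: %s\n",
        $label,
        var_export(is_authorised_flat($scope), true),
        var_export(is_authorised_session($session), true));
}
```

The session-only check gives the same answer in both orderings, which is why application code that reads login state from the session store directly does not depend on the import order being configured correctly.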