ID: 10902
Updated by: cynic
Old-Status: Open
Status: Bogus
Bug Type: *Session related
Operating system: 
PHP Version: 4.0.5
Assigned To: 

this could only happen with a misconfigured PHP - you would have to set it to register 
globals AND extract GET/POST data AFTER session data.

proper configuration is an admin reponsibility.

Previous Comments:

[2001-05-16 10:19:23] [EMAIL PROTECTED]
Not really a bug, just an issue.


[2001-05-16 10:17:14] [EMAIL PROTECTED]
This is kind of similar to the old file upload problem, where you could set variables 
in a POST.

In some cases (depends on the way the code is written), if a site stores login status 
(eg. user name, etc) in session variables after an authorisation check, it is possible 
to pass values as the same-named session vars, and therefore actually bypass the 
authorisation step getting access to restricted areas.


ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to