I'm currently trying to secure a PHP program where I authenticate a user against an MD5 string stored in a MySQL database...
My problem is that since this program consists of more than one page, I am using a session and I register the MD5 string and username as session variables. As I heard that session information can be quite easily sniffed by proxies, I started to think about how to secure this info or prevent someone from abusing it. I input the following code:

    // Dump every request header the browser sent
    $headers = getallheaders();
    foreach ($headers as $name => $content) {
        echo "headers[$name] = $content<br>\n";
    }

and I saw something like this:

    headers[Cookie] = PHPSESSID=141502d33b8467NNgffhFGHGfh36c

which I then appended to the URL of my program like so:

    http://www.mydomain.com/myscript.phpPHPSESSID=141502d33b8467NNgffhFGHGfh36c

I closed all browser windows and tried that URL (leading me to think that that sesid should have expired)... But it gave me full access to all pages clicked from "myscript.php". So I looked at the session.cache_expire which was set to 180. Which means that it will expire in 180 seconds?

Anyway... the next day I tried again with the same PHPSESSID appended to the URL and it gave full access.

Can anyone point me to a possible solution for this?

Thank you,
Hans Prins
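One way to close the two gaps described in the post above (a PHPSESSID accepted from the URL, and a session that is still valid a day later), as an added example that is not part of the original message. The file layout, the `require_login()`, `on_login_success()` and `end_session()` helpers, the `/login.php` path and the 15-minute limit are assumptions made for illustration.

```php
<?php
// Added example: hypothetical session bootstrap, included at the top of every page.
const IDLE_LIMIT = 900;  // assumption: 15-minute idle timeout

// Take the session ID from the cookie only, never from the query string.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse IDs the server did not issue itself (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([   // array form needs PHP >= 7.3
    'lifetime' => 0,          // cookie is dropped when the browser closes
    'path'     => '/',
    'secure'   => true,       // sent over HTTPS only, so a proxy cannot read it
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Wipe the session data, the cookie and the server-side session record.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Expiry is enforced here, on the server. session.cache_expire only sets
// HTTP cache headers (in minutes); it never ends a session.
function require_login(): string
{
    $last = $_SESSION['last_seen'] ?? 0;
    if (!isset($_SESSION['user']) || time() - $last > IDLE_LIMIT) {
        end_session();
        header('Location: /login.php');  // hypothetical login page
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

// Call once, right after the submitted credentials have been verified.
function on_login_success(string $username): void
{
    session_regenerate_id(true);    // fresh ID; the old session record is deleted
    $_SESSION['user'] = $username;  // store the identity only, not the password hash
    $_SESSION['last_seen'] = time();
}
```

Each protected page would include this file and call `require_login()` before producing any output; the login script calls `on_login_success()` after the password check passes.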