Scott,

I suspect you will get lots of input on this one.  There is a fairly
glaring hack that allows users to override your session variables (if you
rely on the feature of PHP that automatically adds session variables, as
well as get and post variables, to the global pool [register_globals, I
think]).  They do this by adding the variable and its value to the end of
the url.

The way around this is to code all references to session data to get it
directly from the $_SESSION array, and correspondingly get input variables
directly from the $_GET or $_POST arrays.  You also may find it necessary to
assign your values to the $_SESSION array directly as well:

$foo = $_SESSION["foo"];        // retrieves a value from a session
$_SESSION["foo"] = $foo;        // places a value in a session

This means I only use the session_start() function at the beginning of each
script and the session_unregister("foo") function to remove variables from
the session.

If the only way a variable like $_SESSION["userid"] can get into the session
array is through your code after authentication, you should be fairly safe;
of course it doesn't prevent someone from taking over a session on the browser
machine.  A short session timeout will minimize session stealing, but
aggravate your users.

hope this helps,

Warren Vail
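Warren's advice, written out as a small auth helper.  This is an added example, not code from the thread or from PHP itself: it shows the check that is fragile under register_globals next to the explicit $_SESSION version, writes $_SESSION['userid'] in exactly one place after authentication, reads login inputs from $_POST, and enforces the idle timeout he mentions.  verify_login() is a hypothetical function standing in for your own credential check; the session-id regeneration on login goes one step beyond the thread and is marked as such.

```php
<?php
// Added example; not from the mailing-list thread.
session_start();

// A practitioner's sanity check: the hack Warren describes only works when
// register_globals is on, so fail loudly if it is.
if (ini_get('register_globals')) {
    trigger_error('register_globals is enabled; disable it in php.ini', E_USER_WARNING);
}

// --- fragile under register_globals=On ---
// $userid can be populated from the query string as easily as from the
// session, so this check can pass without any login ever happening.
function is_logged_in_fragile()
{
    global $userid;
    return !empty($userid);
}

// --- explicit: only the $_SESSION array is consulted ---
function is_logged_in()
{
    return isset($_SESSION['userid']);
}

// Idle limit in seconds: Warren's "short session timeout" trade-off.
define('SESSION_IDLE_LIMIT', 900);

// Call at the top of every protected script.
function require_login()
{
    if (!is_logged_in()) {
        header('Location: login.php');
        exit;
    }
    // Drop sessions that have been idle too long, which limits how long a
    // copied session id stays usable.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        handle_logout();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();
}

// Login handler: the only place $_SESSION['userid'] is ever assigned.
// Inputs come from $_POST, never from the global pool.
function handle_login()
{
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';

    // verify_login() is hypothetical: returns the user's id, or false.
    $id = verify_login($user, $pass);
    if ($id === false) {
        return false;
    }

    // Beyond the thread: issue a fresh session id at login so an id that
    // was known before authentication does not become an authenticated one.
    session_regenerate_id();

    $_SESSION['userid']        = $id;
    $_SESSION['last_activity'] = time();
    return true;
}

// Logout: clear the variables (unset() instead of session_unregister())
// and destroy the session on the server.
function handle_logout()
{
    unset($_SESSION['userid']);
    $_SESSION = array();
    session_destroy();
}
```

The only code path that can make is_logged_in() return true is handle_login(), which is the property Warren is after; is_logged_in_fragile() is kept only to show what the explicit version replaces and should not be used.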

-----Original Message-----
From: Scott Fletcher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: [PHP] session issues for unauthorized access?


Is there a really good way to use PHP Session to tell whether the user is an
authorized user or not?  I see one problem here, let's say the user tried to
access certain webpages that are unauthorized then I get to kick the user
out.  But when the user logged in, we assigned a session token to it, then
the user becomes an authorized user.  That's where I have a problem here.
Suppose when the user closed the browser window without logging off or uses
the existing session id when firing up the browser or on the other browser.
(Sort of like copy and paste the URL address from one browser to another).
There, the user will still be an authorized user without logging in.  This
is something that doesn't need to happen.

So, any best idea, suggestion or thought on a workaround to it?

Thanks,
 FletchSOD

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
