Scott, I suspect you will get lots of input on this one. There is a fairly glaring hack that allows users to override your session variables (if you rely on the feature of PHP that automatically adds session variables, as well as get and post variables, to the global pool [register_globals, I think]). They do this by adding the variable and its value to the end of the URL.
The way around this is to code all references to session data to get it directly from the $_SESSION array, and correspondingly get input variables directly from the $_GET or $_POST arrays. You also may find it necessary to assign your values to the $_SESSION array directly as well:

    $foo = $_SESSION["foo"]; // retrieves a value from a session
    $_SESSION["foo"] = $foo; // places a value in a session

This means I only use the session_start() function at the beginning of each script and the session_unregister("foo") function to remove variables from the session. If the only way a variable like $_SESSION["userid"] can get into the session array is through your code after authentication, you should be fairly safe; of course it doesn't prevent someone from taking over a session on the browser machine. A short session timeout will minimize session stealing, but aggravate your users.

Hope this helps,

Warren Vail

-----Original Message-----
From: Scott Fletcher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: [PHP] session issues for unauthorized access?

Is there a really good way to use PHP Session to tell whether the user is an authorized user or not? I see one problem here: let's say the user tries to access certain webpages that are unauthorized, then I get to kick the user out. But when the user logs in, we assign a session token to it, and then the user becomes an authorized user. That's where I have a problem. Suppose the user closes the browser window without logging off, or uses the existing session id when firing up the browser again or in another browser (sort of like copying and pasting the URL address from one browser to another). There, the user will still be an authorized user without logging in. This is something that doesn't need to happen. So, any best idea, suggestion or thought on a workaround to it?
Thanks, FletchSOD

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
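The approach in Warren's reply (the authenticated userid written into $_SESSION only by the login code, and every protected page reading it back from $_SESSION rather than a global) together with the reopened-browser case from Scott's question, as an added example that is not part of the original thread. The authenticate() function with its inline user record, the page paths and the IDLE_TIMEOUT value are assumed placeholders:

```php
<?php
// Added example. IDLE_TIMEOUT and the user record below are constructed placeholders.
const IDLE_TIMEOUT = 900; // seconds of inactivity after which the login expires

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // the only place the session is opened
    }
}

// Placeholder credential check; a real application looks the hash up in its user store.
function authenticate(string $user, string $pass): ?int {
    $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (isset($users[$user]) && password_verify($pass, $users[$user]['hash'])) {
        return $users[$user]['id'];
    }
    return null;
}

function login(string $user, string $pass): bool {
    start_session();
    $id = authenticate($user, $pass);
    if ($id === null) {
        return false;
    }
    // A fresh session id at login: an id that was seen or chosen before
    // authentication never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['userid'] = $id;            // the only write of 'userid' anywhere
    $_SESSION['last_activity'] = time();
    return true;
}

// Called at the top of every protected page; returns the userid or redirects.
function require_auth(): int {
    start_session();
    if (!isset($_SESSION['userid'], $_SESSION['last_activity'])
        || time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();                          // a stale or pasted session id is discarded
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['userid'];
}

function logout(): void {
    start_session();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/'); // expire the cookie in the browser
    session_destroy();                                  // and drop the server-side data
}
```

With the default session.cookie_lifetime of 0 the cookie is discarded when the browser closes, and the idle timeout bounds how long a copied session id stays usable on another browser; the user-agent binding Warren alludes to is not attempted here.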