On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:

> On May 29, 2013, at 7:11 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
> > Hello list,
> > 
> > I've created an authentication page (index.php) that logs into an LDAP
> > server, then points you to a second page that some folks are intended to
> > use to request apache redirects from the sysadmin group (redirect.php).
> > 
> > Everything works great so far, except if you pop the full URL of
> > redirect.php into your browser you can hit the page regardless of the login
> > process on index.php.
> > 
> > How can I limit redirect.php so that it can only be reached once you login
> > via the index page?
> > 
> > Thank you!
> > Tim
> > 
> > -- 
> > GPG me!!
> Try this:
> http://sperling.com/php/authorization/log-on.php

I realize this is example code.

My question is, in a real application where that $_SESSION['auth'] token
would be used subsequently to gain entry to other pages, what would you
use instead of the simple TRUE/FALSE value? It seems that someone (with
far more knowledge of hacking than I have) could rather easily hack the
session value to change its value. But then again, I pretty much suck
when it comes to working out how you'd "hack" (crack) things.


Paul M. Foster
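An added example of the two halves of this pattern in PHP (not code from the thread or from the linked page). The contents of `$_SESSION` live on the server; the browser only holds the session ID cookie, so the realistic risk is a session ID that was fixed, guessed or stolen rather than the `auth` value being edited, which is why this regenerates the ID at login, enables strict mode and has `redirect.php` call `require_login()` before rendering anything. The file layout, the function names and the `user`/`login_at` keys are assumptions.

```php
<?php
// Assumed layout (hypothetical): index.php performs the LDAP bind and then
// calls establish_login(); redirect.php includes this file and calls
// require_login() as its first statement. LDAP handling itself is omitted.

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session IDs the server never issued (defeats fixation).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // cookie only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after a successful LDAP bind; $username is the uid that bound.
function establish_login(string $username): void
{
    start_secure_session();
    // Fresh ID on privilege change, so an ID obtained before login is useless.
    session_regenerate_id(true);
    $_SESSION['auth'] = [
        'user'     => $username,   // store who logged in, not just TRUE
        'login_at' => time(),
    ];
}

// Call at the top of redirect.php and any other protected page.
function require_login(int $max_age = 3600): void
{
    start_secure_session();
    $auth = $_SESSION['auth'] ?? null;
    if (!is_array($auth) || (time() - (int) $auth['login_at']) > $max_age) {
        // No valid login, or it has expired: drop the session and bounce.
        session_unset();
        session_destroy();
        header('Location: index.php', true, 303);
        exit;
    }
}
```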

PHP General Mailing List (http://www.php.net/)