Joe Van Meer wrote:

> This seems to work, however, if I close out my browser and say type in
> main.php (this page has the above code) in the address bar I can still
> access the page. How can I fix this? Is there something else I could be
> doing to improve the functionality?
> Any insights would greatly be appreciated.

The first question to ask is what *LEVEL* of security you need.

Is this eCommerce with credit card info going back and forth, or is it your 
local PTA "insider" information bulletin board.

Exactly how you should secure these depends a great deal on that, since 
higher security comes at a higher cost in terms of setup, maintenance, and 
bandwidth and resources.

Opening up main.php should *NOT* have given you the page, *UNLESS*:
1. You used session variables, and
2. You have them set to last longer than a session, or you had another 
browser window open.

Session Cookies only go away when you close *ALL* the browser windows.

Also, as stated, checking just $islogged without at least verifying where 
it came from is pretty lame.  Checking $HTTP_SESSION_VARS['islogged'] in a 
reasonably secure environment is probably "good enough" for anything short 
of eCommerce-level applications, as stated.

If you've got eCommerce-level applications (ie, credit card info or 
big-money data going back and forth) you've *GOT* to switch to SSL for your 
server for at least *SOME* of the pages.  No two ways about that.

Like music?

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to