Joe Van Meer wrote:

> This seems to work, however, if I close out my browser and say type in
> main.php (this page has the above code) in the address bar I can still
> access the page. How can I fix this? Is there something else I could be
> doing to improve the functionality?
> Any insights would greatly be appreciated.

The first question to ask is what *LEVEL* of security you need.

Is this eCommerce with credit card info going back and forth, or is it your 
local PTA "insider" information bulletin board?

Exactly how you should secure these depends a great deal on that, since 
higher security comes at a higher cost in terms of setup, maintenance, and 
bandwidth and resources.

Opening up main.php should *NOT* have given you the page, *UNLESS*:
1. You used session variables, and
2. You have them set to last longer than a session, or you had another 
browser window open.

Session Cookies only go away when you close *ALL* the browser windows.

Also, as stated, checking just $islogged without at least verifying where 
it came from is pretty lame.  Checking $HTTP_SESSION_VARS['islogged'] in a 
reasonably secure environment is probably "good enough" for anything short 
of eCommerce-level applications, as stated.

If you've got eCommerce-level applications (i.e., credit card info or 
big-money data going back and forth) you've *GOT* to switch to SSL for your 
server for at least *SOME* of the pages.  No two ways about that.

-- 
Like music?  http://l-i-e.com/artists.htm
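An added example (not code from the post or the list) putting the bare `$islogged` check the reply criticizes next to a session-backed one for main.php; it assumes a separate login.php has already verified credentials and set the session flag, and uses the modern `$_SESSION` superglobal in place of `$HTTP_SESSION_VARS`.

```php
<?php
// Added example: weak vs. session-backed login check at the top of main.php.
// Assumes login.php has already called session_start() and set
// $_SESSION['islogged'] = true after checking the user's credentials.

// WEAK: with register_globals enabled, a bare $islogged is populated from
// any request parameter of that name, so this check says nothing about
// where the value came from.
function weak_is_logged_in()
{
    global $islogged;
    return !empty($islogged);
}

// BETTER: trust only the flag stored server-side in the session.
// session.cookie_lifetime = 0 makes the session cookie a browser-session
// cookie, which the browser discards once *all* its windows are closed.
function session_is_logged_in()
{
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.use_only_cookies', '1'); // ignore session ids passed in the URL
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['islogged']) && $_SESSION['islogged'] === true;
}

if (!session_is_logged_in()) {
    header('Location: login.php');
    exit;
}

// The rest of main.php is reached only by a session that logged in.
```

Because the session cookie survives until every browser window is closed, a second open window keeps the session alive, which is the behaviour the reply describes.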


-- 
PHP General Mailing List (http://www.php.net/)