A security question, concerning PHP and overall best practice.

I have an application that is used by users that have no control over what
version of PHP is on their server.  Some versions do not support sessions.
So, I am attempting to modify the code to accommodate this and minimize, if
not eliminate, the risk of a break-in.

Basically, index.php (pageA) can call admin.php (pageB).
pageB accepts a userid and password ($user/$pass).  At this point, these are
form variables that will be passed, via $HTTP_POST_VARS.
pageB calls pageC, which verifies the user/pass against a security file.  If
validated, then pageC is accessed.  If not, user is kicked out.

No problem so far and no variables have been exposed.  But, from pageC, you
can go down several paths.  Now to the question/opinion.  How do I validate,
w/o sessions, that pageD or pageE has been entered from pageC and not
forged?  I can pass the user/pass via a hidden field on the form of pageC,
but that exposes it.  Philosophically, this may not be a problem, since the
user has to go through pageC to get to the other ones anyway.  Use referer?
That seems like that could easily be forged.

Your thoughts?

Home http://www.gaylenandmargie.com/
PHP KISGB v2.6 Guest Book http://www.gaylenandmargie.com/phpwebsite/

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to