One way is to log that the user is online into a database...or a flat file.
I have done this before using a database (very easy), however I have not
used a file yet..but it is possible. Use fopen() routines and fclose() for
the low level file access.
still be compromised.
In the end if you can't use sessions, then use a flat file, or a database.
If you don't have either of these, then I would like to hear what you
As I'm interested in how you would overcome this problem...
PS: You could also use URL rewriting?..but then, that's not too secure...(or
pass the variable(s) to each page via a GET submission..just tag on the
variable to the end of your "next page" link)
----- Original Message -----
From: "Gaylen Fraley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 15, 2001 11:49 PM
Subject: [PHP] Opinions, please
> A security question, concerning PHP and overall best practice.
> I have an application that is used by users that have no control over what
> version of PHP is on their server. Some versions do not support sessions.
> So, I am attempting to modify the code to accommodate this and minimize,
> not eliminate, the risk of a break-in.
> Basically, index.php (pageA) can call admin.php (pageB).
> pageB accepts a userid and password ($user/$pass). At this point, these
> form variables that will be passed, via $HTTP_POST_VARS.
> pageB calls pageC, which verifies the user/pass against a security file.
> validated, then pageC is accessed. If not, user is kicked out.
> No problem so far and no variables have been exposed. But, from pageC,
> can go down several paths. Now to the question/opinion. How do I
> w/o sessions, that pageD or pageE has been entered from pageC and not
> forged? I can pass the user/pass via a hidden field on the form of pageC,
> but that exposes it. Philosophically, this may not be a problem, since
> user has to go through pageC to get to the other ones anyway. Use
> That seems like that could easily be forged.
> Your thoughts?
> [EMAIL PROTECTED]
> Home http://www.gaylenandmargie.com/
> PHP KISGB v2.6 Guest Book http://www.gaylenandmargie.com/phpwebsite/
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
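The flat-file "user is online" store the reply suggests, written out as an added example (not code from either poster): pageC records a random token after verifying user/pass, and pageD/pageE accept only a token that is present and unexpired in the file, so the password never travels in a hidden field. It assumes PHP 7 or later (random_bytes, hash_equals) and a constructed file path that is writable by the web server but outside the web root.

```php
<?php
// Added example: minimal flat-file token store for the no-sessions case.
// ONLINE_FILE is a constructed path; it must not be served by the web server.
define('ONLINE_FILE', '/var/lib/myapp/online.txt');
define('TOKEN_TTL', 900); // seconds a login token stays valid

// pageC, after user/pass has been verified: record a random token and return it
// so pageC can place it (not the password) in the form that leads to pageD/pageE.
function token_issue(string $user): string {
    $token = bin2hex(random_bytes(16));        // 128-bit value, not guessable or forgeable
    $line  = implode("\t", [$token, $user, time() + TOKEN_TTL]) . "\n";
    $fh = fopen(ONLINE_FILE, 'a');
    flock($fh, LOCK_EX);                         // two logins at once must not interleave lines
    fwrite($fh, $line);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $token;
}

// pageD/pageE: look the submitted token up; returns the user name, or null to kick out.
function token_check(string $token): ?string {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                             // reject malformed input before touching the file
    }
    $fh = @fopen(ONLINE_FILE, 'r');
    if ($fh === false) {
        return null;                             // no store means nobody is logged in
    }
    flock($fh, LOCK_SH);
    $found = null;
    while (($row = fgets($fh)) !== false) {
        [$t, $user, $exp] = explode("\t", rtrim($row, "\n"), 3);
        // hash_equals compares in constant time, so response timing leaks nothing about $t
        if (hash_equals($t, $token) && (int)$exp > time()) {
            $found = $user;
            break;
        }
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $found;
}

// pageC:  $t = token_issue($user);
//         echo '<input type="hidden" name="t" value="' . htmlspecialchars($t) . '">';
// pageD:  $user = token_check($_POST['t'] ?? '');
//         if ($user === null) { exit('Access denied'); }
```

The token is still visible in the page source like the hidden field the original poster worried about, but it is short-lived, random and revocable by deleting its line, so reading it does not reveal the password; expired lines should be pruned from the file periodically.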