Well,

One way is to log that the user is online into a database...or a flat file.
I have done this before using a database (very easy), however I have not
used a file yet...but it is possible. Use fopen() routines and fclose() for
the low level file access.


Another method is to use cookies...the user can turn this off...and it can
still be compromised.


In the end if you can't use sessions, then use a flat file, or a database.
If you don't have either of these, then I would like to hear what your
solution is.

As I'm interested in how you would overcome this problem...

PS: You could also use URL rewriting?...but then, that's not too secure...(or
pass the variable(s) to each page via a GET submission...just tag on the
variable to the end of your "next page" link)




  -Ray


Ray Gaylog
[EMAIL PROTECTED]





----- Original Message -----
From: "Gaylen Fraley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 15, 2001 11:49 PM
Subject: [PHP] Opinions, please


> A security question, concerning PHP and overall best practice.
>
> I have an application that is used by users that have no control over what
> version of PHP is on their server.  Some versions do not support sessions.
> So, I am attempting to modify the code to accommodate this and minimize, if
> not eliminate, the risk of a break-in.
>
> Basically, index.php (pageA) can call admin.php (pageB).
> pageB accepts a userid and password ($user/$pass).  At this point, these are
> form variables that will be passed, via $HTTP_POST_VARS.
> pageB calls pageC, which verifies the user/pass against a security file.  If
> validated, then pageC is accessed.  If not, user is kicked out.
>
> No problem so far and no variables have been exposed.  But, from pageC, you
> can go down several paths.  Now to the question/opinion.  How do I validate,
> w/o sessions, that pageD or pageE has been entered from pageC and not
> forged?  I can pass the user/pass via a hidden field on the form of pageC,
> but that exposes it.  Philosophically, this may not be a problem, since the
> user has to go through pageC to get to the other ones anyway.  Use referer?
> That seems like that could easily be forged.
>
> Your thoughts?
>
>
> --
> Gaylen
> [EMAIL PROTECTED]
> Home http://www.gaylenandmargie.com/
> PHP KISGB v2.6 Guest Book http://www.gaylenandmargie.com/phpwebsite/
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
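Added example, written for this thread and not taken from either message: it puts Ray's "log that the user is online into a flat file with fopen()/fclose()" suggestion together with Gaylen's pageC-to-pageD/pageE question. Instead of carrying $user/$pass in a hidden field, pageC records the login in a file and hands the browser a random token; pageD and pageE accept the token only if it is in the file, unexpired and tied to the same user. The file path, the one-hour lifetime, the tab-separated record format and the function names are assumptions for the example, and it assumes PHP 7 or later (random_bytes, hash_equals); the site's own user/pass check is left where it already is in pageC.

```php
<?php
// Added example (not from the thread): a session-less "user is online" record
// in a flat file, plus an opaque token that later pages verify instead of
// re-sending the password. Assumed: PHP 7+, file path and lifetime below.

define('ONLINE_FILE', '/tmp/online.txt');   // assumed path; keep it outside the web root
define('TOKEN_LIFETIME', 3600);             // assumed value, in seconds

// pageC, after the site's existing user/pass check has passed:
// append "user<TAB>token<TAB>issued-at" and return the token for the next page.
function login_record($user)
{
    if (preg_match('/[\t\r\n]/', $user)) {
        throw new InvalidArgumentException('user name would corrupt the record');
    }
    $token = bin2hex(random_bytes(16));          // 128 random bits, not guessable
    $line  = implode("\t", array($user, $token, time())) . "\n";

    $fp = fopen(ONLINE_FILE, 'a');
    if ($fp === false) {
        throw new RuntimeException('cannot open ' . ONLINE_FILE);
    }
    flock($fp, LOCK_EX);                         // two logins must not interleave
    fwrite($fp, $line);
    flock($fp, LOCK_UN);
    fclose($fp);
    return $token;
}

// pageD / pageE: true only when the token is on file for this user and fresh.
function verify_token($user, $token)
{
    $fp = @fopen(ONLINE_FILE, 'r');
    if ($fp === false) {
        return false;                            // nobody has logged in yet
    }
    flock($fp, LOCK_SH);
    $ok = false;
    while (($line = fgets($fp)) !== false) {
        $parts = explode("\t", rtrim($line, "\n"));
        if (count($parts) !== 3) {
            continue;                            // skip a malformed line
        }
        list($fileUser, $fileToken, $issued) = $parts;
        if (time() - (int) $issued > TOKEN_LIFETIME) {
            continue;                            // stale record, treat as logged out
        }
        // hash_equals compares in constant time, so the comparison itself
        // leaks nothing about how many leading bytes of a wrong token matched.
        if ($fileUser === $user && hash_equals($fileToken, $token)) {
            $ok = true;
            break;
        }
    }
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}

// Usage on pageC (after its own credential check):
//   $token = login_record($_POST['user']);
//   echo '<input type="hidden" name="user" value="' . htmlspecialchars($_POST['user']) . '">';
//   echo '<input type="hidden" name="token" value="' . $token . '">';
//
// Usage on pageD / pageE: the password never leaves pageC.
$user  = isset($_POST['user'])  ? $_POST['user']  : '';
$token = isset($_POST['token']) ? $_POST['token'] : '';
if (!verify_token($user, $token)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Not logged in.');
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

This is a hand-rolled session: the token does the job a session id would, so it deserves the same care. Carry it in a POST hidden field or a cookie rather than on the URL (Ray's GET variant), because a query string ends up in server logs and Referer headers. A record stops being honoured after TOKEN_LIFETIME, so a forgotten logout is bounded; a logout page can simply rewrite the file without the user's line. Checking the Referer, as Gaylen suspects, proves nothing, since the client sets it.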

