I am trying to implement a user authentication/login system using PHP 4.x's 
built in session functions. Upon a successful login, there is a 
session_register('uid','uname','status'). On pages that require someone to 
be an authenticated user I check against HTTP_SESSION_VARS['uid'] to make 
sure it is not null, is greater then 0, and i also check the 

This seemed to be working until I tried to see what would happen if I fed 
it a query string. I fed a "secure" 
page  ?action=edit&uid=3&uname=jon&status=true  and my check still failed 
me, but then when i went back to the same secure page without the bogus 
query string, I was in fact authenticated as the user i forced through.

Is it possible that global vars even if not registered via 
session_register() to end up the HTTP_SESSION_VARS array? I was under the 
impression that the OLY variables and values that would be in this array 
were those that were explicity registered via session_register().

Should i disable register_globals?


PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to