On Wednesday, April 17, 2002, at 04:40 PM, Vladislav Kulchitski wrote:
> Basically, let's say the cracker knows that in my application I create a
> session variable named "auth_user" for valid users. Is there a way to
> hack into it if he knows this session variable name?
>
> Example:
>
> if($action=='edit_personalinformation_update')
> {
>     if(!session_is_registered("auth_user"))
>     {
>         stop_unauthorized(); // defined function that prints an error message
>         return;
>     }
>     //SECURE OPERATIONS
> }

Technically, your scheme should work fine. Since you are not simply testing for the presence of that variable, but whether or not it is actually a session variable, the person must have a session ID that says that this session variable is in fact a session variable of theirs. This is difficult (not impossible) to achieve without having properly logged in, so you should be okay.

But, consider turning register_globals off. You get a lot more security, and it works in this same fashion -- checks to make sure that the variable doesn't just exist, but is coming from the right source (superglobal array, actually).

BTW if you are using PHP 4.1.x, the manual suggests that you use isset($_SESSION['auth_user']) rather than session_is_registered().

Erik

----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
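
The distinction drawn in the reply above, between a variable that merely exists and one that comes from the session store, shown as an added example that is not code from the thread. It emulates register_globals with array_merge (an assumption made so it runs on current PHP, where the setting no longer exists); the function names and sample values are constructed.

```php
<?php
// Added illustration. All function names and sample data are hypothetical.

// Emulates register_globals=On: request parameters and session variables
// end up as plain variables sharing one namespace.
function emulate_register_globals(array $request, array $session): array
{
    // A session value wins on a name clash, but a request value still
    // fills any name the session does not define.
    return array_merge($request, $session);
}

// Weak gate: only asks whether something called auth_user exists.
function weak_gate(array $globals): bool
{
    return isset($globals['auth_user']);
}

// Gate recommended in the reply: the value must be in the session array.
// In a real script, call session_start() and pass $_SESSION.
function session_gate(array $session): bool
{
    return isset($session['auth_user']);
}

function handle(array $request, array $session): string
{
    if (($request['action'] ?? '') === 'edit_personalinformation_update') {
        if (!session_gate($session)) {
            return 'unauthorized';
        }
        return 'secure operations';
    }
    return 'no action';
}

// Constructed case 1: no login, but auth_user supplied in the query string.
$request = ['action' => 'edit_personalinformation_update', 'auth_user' => 'x'];
$session = [];
var_dump(weak_gate(emulate_register_globals($request, $session))); // passes
var_dump(handle($request, $session));                              // refused

// Constructed case 2: a visitor whose session holds auth_user after login.
$request = ['action' => 'edit_personalinformation_update'];
$session = ['auth_user' => 'vlad'];
var_dump(handle($request, $session));                              // allowed
```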