On Wednesday, April 17, 2002, at 04:40 PM, Vladislav Kulchitski wrote:
> Basically, let's say the cracker knows that in my application I create a
> session variable named "auth_user" for valid users. Is there a way to
> hack into it if he knows this session variable name?
>
> Example:
>
> if ($action == "edit_personalinformation_update")
> {
>     if (!session_is_registered("auth_user"))
>     {
>         stop_unauthorized(); // defined function that prints an error message
>         return;
>     }
>     // SECURE OPERATIONS
> }
>
Technically, your scheme should work fine. Since you are not simply
testing for the presence of that variable, but whether or not it is
actually a session variable, the person must have a session ID that says
that this session variable is in fact a session variable of theirs.
This is difficult (not impossible) to achieve without having properly
logged in, so you should be okay.

But, consider turning register_globals off. You get a lot more
security, and it works in this same fashion -- checks to make sure that
the variable doesn't just exist, but is coming from the right source
(superglobal array, actually).

BTW if you are using PHP 4.1.x, the manual suggests that you use
isset($_SESSION['auth_user'])
rather than session_is_registered().

Erik
----
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
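
An added example, not part of the original thread, of the distinction the reply draws between a variable that merely exists and one that comes from the session store. The function names and sample values are assumptions, and because register_globals was removed in PHP 5.4 its name-sharing effect is simulated here with a merged array.

```php
<?php
// Added example: source-blind check versus a check on the session array.

// Weak form: asks only "is there a variable named auth_user?".
// Simplified simulation of register_globals = On, where request parameters
// and session variables end up in one shared namespace.
function is_authorized_weak(array $request, array $session): bool
{
    $globals = $session + $request; // request fills any name the session lacks
    return isset($globals['auth_user']);
}

// Form suggested in the reply: only the server-side session data counts.
// In a real page, call session_start() and pass $_SESSION.
function is_authorized(array $session): bool
{
    return isset($session['auth_user']);
}

// The guarded action from the question, rewritten around the session check.
function handle_update(array $request, array $session): string
{
    if (($request['action'] ?? '') === 'edit_personalinformation_update') {
        if (!is_authorized($session)) {
            return 'unauthorized';
        }
        return 'updated'; // SECURE OPERATIONS would run here
    }
    return 'no-op';
}

// Constructed inputs: a visitor who never logged in but supplies auth_user
// as a request parameter, and a visitor with a populated session.
$request = [
    'action'    => 'edit_personalinformation_update',
    'auth_user' => 'someone',
];
$anonymousSession = [];
$loggedInSession  = ['auth_user' => 'vlad'];

echo 'weak check, anonymous:     ';
var_dump(is_authorized_weak($request, $anonymousSession));
echo 'session check, anonymous:  ', handle_update($request, $anonymousSession), "\n";
echo 'session check, logged in:  ', handle_update($request, $loggedInSession), "\n";
```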