On Wednesday, April 17, 2002, at 04:40  PM, Vladislav Kulchitski wrote:

> Basically, let's say the cracker know that in my application I create a
> session variable named "auth_user" for valid users. Is there a way to
> hack into it if he knows this session variable name?
> Example:
> if($action==edit_personalinformation_update)
>  {
>   if(!session_is_registered("auth_user"))
>      {
>       stop_unauthorized(); // defined function that prints an error
> message
>       return;
>      }
>  }

Technically, your scheme should work fine.  Since you are not simply 
testing for the presence of that variable, but whether or not it is 
actually a session variable, the person must have a session ID that says 
that this session variable is in fact a session variable of theirs.  
This is difficult (not impossible) to achieve without having properly 
logged in, so you should be okay.

But, consider turning register_globals off.  You get a lot more 
security, and it works in this same fashion -- checks to make sure that 
the variable doesn't just exist, but is coming from the right source 
(superglobal array, actually).

BTW if you are using PHP 4.1.x, the manual suggests that you use


rather than session_is_registered().



Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to