On Tue, 30 Apr 2002, Warrick Wilson wrote: > I'm having a hard time explaining what I'm trying to do, which is why I'm > having a hard time finding anything online/in manuals... > > My site serves a form for the user to fill in. User has been authenticated > with a login and we're using PHP 4 sessions. When using Internet Explorer, > the user can hit Ctrl-N and get a new window, but his session for that new > window is still valid. He could then load up a local page and submit it to > the target of my original form. > > Is there some way of detecting that the submission came from a page that > hadn't been served up by my application, but was instead sent in from some > other "foreign" form? > > Or maybe the question is - how can I kill off sessions if the user navigates > away from the page that I sent him originally?
You can't (assuming you're dealing with someone halfway knowledgeable who is halfway determined to do it). Redesign your application so it doesn't matter. Perhaps time logins out quickly and/or require periodic re-authentication. miguel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php