Hi Jon,

I am considering doing that because any user can create a simple PHP script
with his/her object with the authenticated flag set to "authorized",
register that object with the session and then link to any of my pages,
which, if they don't make any kind of password test, will unsuspectingly
accept the intrusion.

What kind of test do you do in each of your pages? I just test if there is a
user object registered and if its type (group), set upon successful login,
is allowed in the specified page. But if I create a separate script that
just creates a similar object (with the same fields), artificially
attribute a group and login to it, register it with the session and then
link to any of my pages (without passing through the login page), they won't
suspect that the access rights were forged.

Thank you.


Pedro Alberto Pontes

"Jon Haworth" <[EMAIL PROTECTED]> wrote in message
> Hi,
> > The method I was thinking about before was to pass
> > the md5 hash of the password around, as the passwords
> > are already md5'ed in the DB. Your method seems more
> > secure as you use a totally spiced-up and personalized
> > encryption engine.
> *boggle*
> Why are you passing the password around, hashed or not, in the first
> Just have a yes/no flag for whether the session is an authenticated user
> not.
> Is there any particular reason why you'd need to reauthenticate on every
> page?
> Cheers
> Jon
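One way to do the per-page check discussed above, as an added PHP example that is not code from either poster: the login page stores the user's group in the session only after the password check succeeds, and every protected page includes one file that verifies the group and re-reads it from the database. The function names `login_user` and `require_group`, the `$pdo` connection, the `users` table columns and the session save path are assumptions.

```php
<?php
// auth_check.php: included at the top of every protected page.
// Hypothetical code, not from the thread. Assumes:
//   - login.php calls login_user($row) only after the password check passed
//   - a users table with columns id, user_group
//   - $pdo is a PDO connection created in config.php
require_once 'config.php';

// Keep session files out of a shared save path: a script on the same host
// that can write to that path could plant a forged session record, which
// is the scenario raised in the thread. The path below is a placeholder.
ini_set('session.save_path', '/var/lib/php/sessions/myapp');
ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
session_start();

function login_user(array $row): void {
    // Fresh session ID on login so a pre-set ID cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['auth'] = [
        'user_id' => (int) $row['id'],
        'group'   => $row['user_group'],
        'issued'  => time(),
    ];
}

function require_group(PDO $pdo, array $allowed): array {
    $auth = $_SESSION['auth'] ?? null;
    if (!$auth || !in_array($auth['group'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // Re-read the group from the database so a stale or tampered session
    // never grants more than the account currently holds.
    $stmt = $pdo->prepare('SELECT user_group FROM users WHERE id = ?');
    $stmt->execute([$auth['user_id']]);
    $current = $stmt->fetchColumn();
    if ($current === false || $current !== $auth['group']) {
        session_destroy();
        http_response_code(403);
        exit('Forbidden');
    }
    return $auth;
}

// At the top of admin.php:
// require 'auth_check.php';
// $auth = require_group($pdo, ['admin']);
```

This answers Jon's point that no password needs to travel between pages: the session holds a flag and a group, and the only secret is the session ID the browser presents.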

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
