Hi Jon, I am considering doing that because any user can create a simple PHP script with his/her object with the authenticated flag set to "authorized", register that object with the session and then link to any of my pages, which, if they don't make any kind of password test, will unsuspectingly accept the intrusion.

What kind of test do you do in each of your pages? I just test if there is a user object registered and if its type (group), set upon successful login, is allowed in the specified page. But if I create a separate script that just creates a similar object (with the same fields), artificially attributes a group and login to it, registers it with the session and then links to any of my pages (without passing through the login page), they won't suspect that the access rights were forged.

Thank you.

--
Pedro Alberto Pontes

"Jon Haworth" <[EMAIL PROTECTED]> wrote in message news:67DF9B67CEFAD4119E4200D0B720FA3F010C4017@BOOTROS...
> Hi,
>
> > The method I was thinking about before was to pass
> > the md5 hash of the password around, as the passwords
> > are already md5'ed in the DB. Your method seems more
> > secure as you use a totally spiced-up and personalized
> > encryption engine.
>
> *boggle*
>
> Why are you passing the password around, hashed or not, in the first place?
> Just have a yes/no flag for whether the session is an authenticated user or
> not.
>
> Is there any particular reason why you'd need to reauthenticate on every
> page?
>
>
> Cheers
> Jon

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
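One way to make the per-page check rest only on server-side session state, as an added PHP example that is neither Pedro's nor Jon's code: session contents are stored on the server and looked up by the session cookie, so a visitor's separate script cannot register objects into your session unless it runs on your own server. It assumes a hypothetical login.php that verifies the password hash against the DB and then calls login_success(); the key names user_id and group are also assumptions.

```php
<?php
// Added example, not code from the thread. Two halves of one scheme:
//  - login_success() is called by login.php only after the password
//    hash check passed; it is the single place that populates the session.
//  - require_group() goes at the top of every protected page and trusts
//    nothing except what login_success() stored server-side.
declare(strict_types=1);

session_start();

/** Called by login.php (assumed) once the DB password check has passed. */
function login_success(int $user_id, string $group): void
{
    // Fresh session ID on privilege change, so an ID handed to the visitor
    // before login (or planted in their browser) never becomes authenticated.
    session_regenerate_id(true);
    // Replace, not merge: drop anything stored before authentication.
    $_SESSION = ['user_id' => $user_id, 'group' => $group];
}

/**
 * Abort the request unless login_success() populated this session and the
 * stored group is one of those allowed for the current page.
 */
function require_group(array $allowed_groups): void
{
    if (!isset($_SESSION['user_id'], $_SESSION['group'])
        || !is_int($_SESSION['user_id'])
        || !is_string($_SESSION['group'])) {
        // Not logged in: discard partial state and send to the login page.
        session_unset();
        header('Location: /login.php', true, 303);
        exit;
    }

    // Strict comparison: no loose-typing surprises on the group name.
    if (!in_array($_SESSION['group'], $allowed_groups, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// A protected page would do just this before rendering anything:
require_group(['admin', 'editor']);
?>
```

Because the check reads only what login_success() wrote, a script that builds a look-alike user object in its own session gets its own session ID and its own (empty) server-side record, not yours.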