This would only work if some other user is able to create files that the
web server thinks are part of your domain (since the session cookies are
domain-specific). Sounds to me like your problem here is severe server
misconfiguration. If your server environment is that insecure, then
worrying about anything else is sort of a waste of time.


On Fri, 3 May 2002, Pedro Pontes wrote:
> I am considering doing that because any user can create a simple PHP script
> with his/her object with the authenticated flag set to "authorized",
> register that object with the session and then link to any of my pages,
> which if they don't make any kind of password test, they will unsuspectly
> accept the intrusion.
> What kind of test do you do in each of your pages? I just test if there is a
> user object registered and if its type (group), set upon successfully login,
> is allowed in the specified page. But if I create a separate script that
> just creates a simmilar object (with the same fields), artificially
> attribute a group and login to it, register it with the session and then
> link to any of my pages (without passing through the login page), they won't
> suspect that the access rights were forged.
> Thank you.
> --
> Pedro Alberto Pontes
> "Jon Haworth" <[EMAIL PROTECTED]> wrote in message
> 67DF9B67CEFAD4119E4200D0B720FA3F010C4017@BOOTROS">news:67DF9B67CEFAD4119E4200D0B720FA3F010C4017@BOOTROS...
> > Hi,
> >
> > > The method I was thinking about before was to pass
> > > the md5 hash of the password around, as the passwords
> > > are already md5'ed in the DB. Your method seems more
> > > secure as you use a totally spiced-up and personalized
> > > encryption engine.
> >
> > *boggle*
> >
> > Why are you passing the password around, hashed or not, in the first
> place?
> > Just have a yes/no flag for whether the session is an authenticated user
> or
> > not.
> >
> > Is there any particular reason why you'd need to reauthenticate on every
> > page?
> >
> >
> > Cheers
> > Jon

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to