This would only work if some other user is able to create files that the web server thinks are part of your domain (since the session cookies are domain-specific). Sounds to me like your problem here is severe server misconfiguration. If your server environment is that insecure, then worrying about anything else is sort of a waste of time.
miguel On Fri, 3 May 2002, Pedro Pontes wrote: > I am considering doing that because any user can create a simple PHP script > with his/her object with the authenticated flag set to "authorized", > register that object with the session and then link to any of my pages, > which if they don't make any kind of password test, they will unsuspectly > accept the intrusion. > > What kind of test do you do in each of your pages? I just test if there is a > user object registered and if its type (group), set upon successfully login, > is allowed in the specified page. But if I create a separate script that > just creates a simmilar object (with the same fields), artificially > attribute a group and login to it, register it with the session and then > link to any of my pages (without passing through the login page), they won't > suspect that the access rights were forged. > > Thank you. > > -- > > > Pedro Alberto Pontes > > "Jon Haworth" <[EMAIL PROTECTED]> wrote in message > 67DF9B67CEFAD4119E4200D0B720FA3F010C4017@BOOTROS">news:67DF9B67CEFAD4119E4200D0B720FA3F010C4017@BOOTROS... > > Hi, > > > > > The method I was thinking about before was to pass > > > the md5 hash of the password around, as the passwords > > > are already md5'ed in the DB. Your method seems more > > > secure as you use a totally spiced-up and personalized > > > encryption engine. > > > > *boggle* > > > > Why are you passing the password around, hashed or not, in the first > place? > > Just have a yes/no flag for whether the session is an authenticated user > or > > not. > > > > Is there any particular reason why you'd need to reauthenticate on every > > page? > > > > > > Cheers > > Jon > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
