Pedro Pontes wrote:
> Hi Jon,
> I am considering doing that because any user can create a simple PHP script
> with his/her object with the authenticated flag set to "authorized",
> register that object with the session and then link to any of my pages,
> which if they don't make any kind of password test, they will unsuspectly
> accept the intrusion.
> What kind of test do you do in each of your pages? I just test if there is a
> user object registered and if its type (group), set upon successfully login,
> is allowed in the specified page. But if I create a separate script that
> just creates a simmilar object (with the same fields), artificially
> attribute a group and login to it, register it with the session and then
> link to any of my pages (without passing through the login page), they won't
> suspect that the access rights were forged.

What I can't figure out is why you're allowing people to just randomly
put pages on your server.  If someone was to randomly register a similar
user object, etc - why bother?  If I can put pages on your server and 
execute them, I'd do some something far more malicious than just pretend
I'm "user X".

Michael Kimsal

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to