Pedro Pontes wrote:
> Hi Jon,
>
> I am considering doing that because any user can create a simple PHP script
> with his/her object with the authenticated flag set to "authorized",
> register that object with the session and then link to any of my pages,
> which, if they don't make any kind of password test, will unsuspectingly
> accept the intrusion.
>
> What kind of test do you do in each of your pages? I just test if there is a
> user object registered and if its type (group), set upon successful login,
> is allowed in the specified page. But if I create a separate script that
> just creates a similar object (with the same fields), artificially
> attribute a group and log in to it, register it with the session and then
> link to any of my pages (without passing through the login page), they won't
> suspect that the access rights were forged.
>
What I can't figure out is why you're allowing people to just randomly put pages on your server. If someone was to randomly register a similar user object, etc - why bother? If I can put pages on your server and execute them, I'd do something far more malicious than just pretend I'm "user X".

Michael Kimsal
http://www.logicreate.com
734-480-9961

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
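The per-page check Pedro describes (a user record with a group set at login, stored in the session, tested at the top of every protected page), written out as an added example; this is not code from either poster. It assumes the $_SESSION superglobal (register_globals off), and the user lookup find_user() with its constructed sample accounts is hypothetical, standing in for a database.

```php
<?php
// auth.php: included at the top of every protected page.
// Added example, not from the mailing-list thread. Assumes $_SESSION and a
// hypothetical find_user(); the two sample accounts are constructed data.
declare(strict_types=1);

session_start();

/** Hypothetical user lookup. The hashes are generated here only so the
 *  example runs stand-alone; a real application stores them at account
 *  creation with password_hash() and reads them back from the database. */
function find_user(string $username): ?array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['group' => 'admin',  'hash' => password_hash('alice-pw', PASSWORD_DEFAULT)],
            'bob'   => ['group' => 'editor', 'hash' => password_hash('bob-pw', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

/** Called only from the login page. $_SESSION lives on the server, keyed by
 *  the session cookie; nothing in the HTTP request can write to it, so only
 *  server-side code such as this function can set 'group'. A visitor who
 *  links straight to a protected page has no 'user' entry at all. */
function login(string $username, string $password): bool {
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session ID on privilege change (session fixation)
    $_SESSION['user'] = [
        'name'     => $username,
        'group'    => $user['group'],   // set by the server, never taken from the request
        'login_at' => time(),
    ];
    return true;
}

/** Pure check: is this session's user in one of the groups allowed on the page? */
function is_allowed(?array $user, array $allowed): bool {
    return is_array($user) && in_array($user['group'] ?? '', $allowed, true);
}

/** Put at the top of every protected page; the allowed groups are fixed per page. */
function require_group(array $allowed): array {
    $user = $_SESSION['user'] ?? null;
    if (!is_allowed($user, $allowed)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// Usage on a protected page, e.g. admin_report.php:
//   require __DIR__ . '/auth.php';
//   $user = require_group(['admin']);   // editors and anonymous visitors get 403
//   echo "Report for {$user['name']}";

// Self-check when run from the command line: php auth.php
if (PHP_SAPI === 'cli') {
    $expect = function (bool $cond, string $what): void {
        if (!$cond) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
    };
    $expect(login('alice', 'wrong') === false, 'wrong password is rejected');
    $expect(login('mallory', 'x') === false, 'unknown user is rejected');
    $expect(login('bob', 'bob-pw') === true, 'valid login succeeds');
    $expect(is_allowed($_SESSION['user'], ['editor', 'admin']), 'bob may see editor pages');
    $expect(!is_allowed($_SESSION['user'], ['admin']), 'bob may not see admin pages');
    $expect(!is_allowed(null, ['admin']), 'no session user means no access');
    echo "ok\n";
}
```

The check is only as strong as the place the session data is kept: because $_SESSION is server-side state, a request that skipped the login page arrives with no user entry, and the only way to plant a forged one is to run code on the same server, which is the point Michael makes above. The groups allowed on each page are hard-coded in the page itself rather than read from anything the client sends.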