On Thu, 30 May 2002, Justin Blake wrote:
> I will soon be developing a user authentication system with different
> access levels. I will need to check the users against a mysql database.
> How secure is checking for a session var, and then redirecting with
> header('Location:...') ? Is there a way to get around this method of
> protection?

That's the worst security scheme I've ever heard of.

Anyone can just look at where the redirect points to and go there.

You should keep the session active throughout your secured area and check 
against a session variable at the top of each page.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to