> So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE. If
> there's nothing there, they aren't logged in as far as I can tell. On
> every page I validate the uid and pwd against the database, so the only
> way you could fake being another user is to know the uid AND md5()'d pwd.
Or steal it. :)

I hope you have checked your site for any cross-site scripting
vulnerabilities. This is exactly where vulnerabilities like this come into
play...

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
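The pattern quoted above (uid plus md5'd password kept in `$_COOKIE` and re-checked on every page) and the reply's point about cookie theft through cross-site scripting, side by side as an added example. This is not code from either poster; it assumes a PDO handle `$db`, a `users` table with `id`, `username`, `password_hash` (and, for the weak version, an `md5_pwd` column standing in for the original scheme) and a `remember_tokens` table with `selector`, `validator_hash`, `user_id`, `expires_at`. The array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later.

```php
<?php
// Added example for this thread (not code from the original posters).
// Assumed: a PDO handle $db, a `users` table (id, username, password_hash, md5_pwd)
// and a `remember_tokens` table (selector, validator_hash, user_id, expires_at).
declare(strict_types=1);

// --- The pattern from the quoted message: uid + md5(pwd) kept in $_COOKIE ---
// Anything that can read document.cookie (an XSS flaw, for instance) obtains a
// credential that keeps working until the user changes their password; there is
// no way to revoke one stolen copy without revoking the password itself.
function weakCurrentUser(PDO $db): ?int
{
    $uid = $_SESSION['uid'] ?? $_COOKIE['uid'] ?? null;
    $pwd = $_SESSION['pwd'] ?? $_COOKIE['pwd'] ?? null;   // md5() of the password
    if ($uid === null || $pwd === null) {
        return null;
    }
    $st = $db->prepare('SELECT id FROM users WHERE id = ? AND md5_pwd = ?');
    $st->execute([$uid, $pwd]);
    return $st->fetchColumn() !== false ? (int) $uid : null;
}

// --- Hardened alternative: nothing derived from the password leaves the server ---

// 1. Session cookie that scripts cannot read and that is only sent over TLS.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript, so XSS cannot copy it
        'secure'   => true,   // sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// 2. On login: verify the password hash server-side, keep only the user id in
//    the session, and rotate the session id.
function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);      // defeats session fixation
    $_SESSION['uid'] = (int) $row['id'];
    return true;
}

// 3. "Remember me": a random, expiring, revocable token instead of the password
//    hash. The cookie carries selector:validator; the DB holds only a hash of
//    the validator, so a leaked database copy does not yield usable cookies.
function issueRememberToken(PDO $db, int $uid): void
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 86400;
    $st = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $st->execute([$selector, hash('sha256', $validator), $uid, $expires]);
    setcookie('remember', "$selector:$validator", [
        'expires'  => $expires,
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

function currentUser(PDO $db): ?int
{
    if (isset($_SESSION['uid'])) {
        return (int) $_SESSION['uid'];
    }
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);
    $st = $db->prepare('SELECT validator_hash, user_id FROM remember_tokens WHERE selector = ? AND expires_at > ?');
    $st->execute([$selector, time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['uid'] = (int) $row['user_id'];
    return $_SESSION['uid'];
}

// 4. The XSS side of the reply: escape everything that is echoed into HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Revoking a stolen remember-me cookie is a single `DELETE FROM remember_tokens WHERE selector = ?`, which the md5-in-cookie scheme cannot offer; the HttpOnly flag means that even an XSS flaw that does slip through cannot read the cookie, and `e()` on every echoed value is what keeps such a flaw from slipping through in the first place.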