What I do on my pages is perhaps a convoluted way of doing it but it works.  I set 
username and password session variables. Every time the page loads the script verifies 
the username and password are correct.  If not, they don't get to see the rest.  This, 
in my mind, prevents someone from supplying a key variable like 
$_session['logged_in'].  This way they have to know the username and password.

Robbert van Andel 

-----Original Message-----
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:39 PM
Subject: [PHP] ignoring client supplied session data

I'm setting up a site using sessions right now, and I was just wondering if 
there is a way to ignore anything from the client side- I want them to POST a 
username and password, from there all data should be handled on the server.

I'm already using the query string to avoid cookies, but I want to make sure 
that if the user _does_ have cookies on, any change in the data will be 
ignored by the server. Any suggestions?

Basically, I think it would be a lot more efficient for me to set a 
_SESSION['logged_in'] variable once than query the database for every page, 
but I don't know if it would be secure or not- I don't want someone setting 
the logged_in variable in their cookie, then getting full access to the 


-- 
If you would be a real seeker after truth, you must at least once in your life 
doubt, as far as possible, all things.

-Rene Descartes


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
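
Added example, not part of either message: the log-in-once approach asked about, showing that a `logged_in` value sent by the client in a cookie or query string never reaches `$_SESSION`, because PHP keeps session data on the server and the client holds only the session ID. The user store, credentials and function names are constructed for illustration; run it with the PHP CLI.

```php
<?php
// Constructed user store; a real site would query its database here.
$USERS = ['evan' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Constructed tampering attempt: the client sends its own "logged_in" values.
$_COOKIE['logged_in'] = '1';
$_GET['logged_in']    = '1';

ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
session_start();

function login(array $users, string $user, string $pass): bool
{
    // Verify the POSTed credentials once, against the server-side store.
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);     // issue a new ID after the privilege change
    $_SESSION['logged_in'] = true;   // written to server-side storage only
    $_SESSION['username']  = $user;  // no password is kept in the session
    return true;
}

function is_logged_in(): bool
{
    // Reads $_SESSION only; never $_COOKIE, $_GET, $_POST or $_REQUEST.
    return ($_SESSION['logged_in'] ?? false) === true;
}

// Collect results first so nothing is output before the session calls finish.
$results = [];
$results['forged flag only'] = is_logged_in();
$results['wrong password']   = login($USERS, 'evan', 'guess') || is_logged_in();
$results['correct password'] = login($USERS, 'evan', 'correct horse') && is_logged_in();

foreach ($results as $case => $ok) {
    echo str_pad($case, 18), $ok ? "access granted\n" : "access denied\n";
}
```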