What I do on my pages is perhaps a convoluted way of doing it, but it works. I set username and password session variables. Every time the page loads, the script verifies the username and password are correct. If not, they don't get to see the rest. This, in my mind, prevents someone from supplying a key variable like $_session['logged_in']. This way they have to know the username and password.
Robbert van Andel

-----Original Message-----
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: [PHP] ignoring client supplied session data

I'm setting up a site using sessions right now, and I was just wondering if there is a way to ignore anything from the client side- I want them to POST a username and password, from there all data should be handled on the server. I'm already using the query string to avoid cookies, but I want to make sure that if the user _does_ have cookies on, any change in the data will be ignored by the server. Any suggestions?

Basically, I think it would be a lot more efficient for me to set a _SESSION['logged_in'] variable once than query the database for every page, but I don't know if it would be secure or not- I don't want someone setting the logged_in variable in their cookie, then getting full access to the site...

Thanks,
Evan

--
If you would be a real seeker after truth, you must at least once in your life doubt, as far as possible, all things.
-Rene Descartes

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
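An added example, not part of either message: the set-the-flag-once approach from the original question, showing that values a client sends as GET, POST or cookie data with the name `logged_in` never populate `$_SESSION`, which PHP loads from server-side storage keyed by the session ID. It assumes PHP 7 or later (no `register_globals`); `$USERS`, `start_session()`, `login()` and `is_logged_in()` are hypothetical names, and the user table is constructed sample data standing in for a database.

```php
<?php
declare(strict_types=1);

// Constructed sample data: stands in for the database lookup done once at login.
$USERS = ['evan' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_session(): void
{
    // Reject session IDs that this server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Issue a fresh ID at the privilege change so an ID known before
    // login is useless afterwards, then record the state server-side.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = $user;
    return true;
}

function is_logged_in(): bool
{
    // Only server-side session data is consulted, never $_GET/$_POST/$_COOKIE.
    return ($_SESSION['logged_in'] ?? false) === true;
}

// Constructed request: the client tries to supply the flag itself.
$_GET['logged_in'] = $_POST['logged_in'] = $_COOKIE['logged_in'] = '1';

start_session();
$before = is_logged_in();                           // state before any login
$bad    = login($USERS, 'evan', 'guess');           // wrong password
$good   = login($USERS, 'evan', 'correct horse');   // right password
$after  = is_logged_in();                           // state after a valid login

var_dump($before, $bad, $good, $after);
```

The one value the client does control is the session ID itself, so the flag is only as well protected as that ID is in transit and in URLs.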