On the other hand, I use only one query, searching for the username. I had 
experimented with other methods but did not find anything that I felt gave me great 
security. Using a session variable that says the person is logged in can be placed 
into a query string, therefore bypassing the authentication process.

Robbert van Andel 

-----Original Message-----
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:59 PM
To: Van Andel, Robert; [EMAIL PROTECTED]
Subject: Re: [PHP] ignoring client supplied session data


I was thinking about doing that, but I was hoping to avoid superfluous 
database queries. It is my fallback method, but i _really_ want to use 
sessions, but limit them to server-side modification.

On Wednesday 27 November 2002 12:51 pm, Van Andel, Robert wrote:
> What I do on my pages is perhaps a convoluted way of doing it but it works.
>  I set a username and password session variables. Every time the page loads
> the script verifies the username and password are correct.  If not, they
> don't get to see the rest.  This, in my mind, prevents someone from
> supplying a key variable like $_session['logged_in'].  This way they have
> to know the username and password.
> Robbert van Andel
> -----Original Message-----
> From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 27, 2002 12:39 PM
> Subject: [PHP] ignoring client supplied session data
> I'm setting up a site using sessions right now, and I was just wondering if
> there is a way to ignore anything from the client side- I want them to POST
> a username and password, from there all data should be handled on the
> server.
> I'm already using the query string to avoid cookies, but I want to make
> sure that if the user _does_ have cookies on, any change in the data will
> be ignored by the server. Any suggestions?
> Basically, I think it would be a lot more efficient for me to set a
> _SESSION['logged_in'] variable once than query the database for every page,
> but I don't know if it would be secure or not- I don't want someone setting
> the logged_in variable in their cookie, then getting full access to the
> site...
> Thanks,
> Evan

-- 
If anyone can show me, and prove to me, that I am wrong in thought or deed, I 
will gladly change. I seek the truth, which never yet hurt anybody. It is only 
persistence in delusion and ignorance which does harm.

-Marcus Aurelius


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
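One way to get what both posters are after, as an added example that is not code from anyone in this thread: the database (here a constructed in-memory user store) is consulted once at login, the client only ever holds the session ID in a cookie, and every later page reads the logged-in flag from the server-side session. The settings and the `login`/`requireLogin` helpers are assumptions for this example and assume PHP 7 or later.

```php
<?php
// Added example, not code from the thread: keep login state in the server-side
// session only, so nothing the client sends can set it. Assumes PHP >= 7
// (password_verify, session.use_strict_mode); the user store is constructed data.
declare(strict_types=1);

// Only the session ID travels to the client; $_SESSION stays on the server.
// Refuse IDs passed in the URL (fixation) and IDs the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Constructed sample user store (username => password_hash() output);
// in a real site this is the database row, queried only at login time.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? '';
    if ($hash === '' || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh ID on privilege change, so a pre-login ID (for example one
    // carried in a link someone else handed out) never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = $username;
    return true;
}

function requireLogin(): void
{
    // Test the server-side copy, never a bare $logged_in global: with the
    // old register_globals setting, ?logged_in=1 would have populated that
    // variable, which is the forgery the thread worries about. $_SESSION
    // entries cannot be supplied by the client.
    if (empty($_SESSION['logged_in'])) {
        http_response_code(401);
        exit('Not logged in');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if (!$ok) { http_response_code(401); exit('Invalid credentials'); }
}
requireLogin();
echo 'Welcome, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The query-string session ID that the original poster uses to avoid cookies is exactly what `session.use_only_cookies` and `session.use_strict_mode` turn off, since an ID in a URL can be handed to a victim before they log in.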
