RE: [PHP-DB] Session understanding

2002-09-26 Thread Steve Bradwell

If you include the other page AFTER you do this check you'll be fine. So run
your if statement and then add an else...include other.php;

HTH,
Steve.

-Original Message-
From: Rodrigo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:38 AM
To: PHP
Subject: [PHP-DB] Session understanding


Hi people,


If I use this code:

<?php
session_start();
if(empty($_SESSION['username'])) {
die('An error has occurred. It may be that you have not
logged in, or that your session has expired.
Please try <a href="login.php">logging in</a> again
or contact the
<a href="mailto:[EMAIL PROTECTED]">system
administrator</a>');
}
?>
in one page to check if the user is logged, and in this same page I include
another page, do I have to put this same test in this page that is being
included??? This question may be dumb but I don't know. Thanks a lot for
the help.




Equipe Pratic Sistemas
Rodrigo Corrêa
Fone: (14) 441-1700
[EMAIL PROTECTED]
[EMAIL PROTECTED] 
 


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP-DB] Session understanding

2002-09-26 Thread Griffiths, Daniel

As long as that same session code is present at the top of all the included files that
are put in later. Basically you need to put the session code in every page (even if
you only intend to use it as an include) you wish to protect, otherwise its contents can
be read by directly typing in the URL in the same way that you can read included .js
and .css files.

-Original Message-
From: NIPP, SCOTT V (SBCSI) [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 15:57
To: Griffiths, Daniel; Steve Bradwell; Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding


Can't you get around this by making the session code a separate,
required file that is at the beginning of every protected page?  I think
this is basically the same thing, just making sure because I am about to try
and implement some session controls myself.  Thanks.

-Original Message-
From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:55 AM
To: Steve Bradwell; Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding


Make sure that the test code is in every page you wish to protect, even the
included ones. If it's not there someone could still get the contents simply
by typing in the URL of 'other.php' should they guess it etc. Better to be
safe than sorry.

-Original Message-
From: Steve Bradwell [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 15:02
To: Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding


If you include the other page AFTER you do this check you'll be fine. So run
your if statement and then add an else...include other.php;

HTH,
Steve.





RE: [PHP-DB] Session understanding

2002-09-26 Thread Ford, Mike [LSS]

> -Original Message-
> From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
> Sent: 26 September 2002 16:09
>
> As long as that same session code is present at the top of
> all the included files that are put in later. Basically you
> need to put the session code in every page (even if you only
> intend to use it as an include) you wish to protect, otherwise
> its contents can be read by directly typing in the URL in the
> same way that you can read included .js and .css files.

... and this is precisely why all your include files should be in directories which 
are not servable by your Web server -- if your Web server can't serve them, then they 
can't be accidentally served by someone typing their URL in directly, because they 
don't have a URL!

Personally, I don't put *any* files with live code in http-servable directories.  All 
of my PHP scripts that Apache can serve as top-level scripts look pretty much like 
this:

<?php
   // Resolve includes from a directory the web server cannot serve
   ini_set('include_path', '../../dir-not-in-http-space/include');
   require 'the_real_script.php';
?>

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 
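
The two suggestions in this thread (one shared login check required at the top of every protected page, and include files kept out of servable directories) combined in one guard file. This is an added example, not code from any of the posters; the /srv/app/include path, the file names and the require_login() helper are assumptions.

```php
<?php
// File: /srv/app/include/auth_guard.php
// (hypothetical path, chosen to lie outside the web server's document root)
declare(strict_types=1);

// Defence in depth: if this file is ever copied into a servable directory and
// requested by URL, it becomes the entry script. Refuse to run in that case.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

/**
 * Shared login check. Every entry script calls this before it includes
 * anything else, so the test lives in exactly one place.
 * Returns the logged-in username, or redirects to login.php and stops.
 */
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        header('Location: login.php', true, 302);
        exit; // nothing after the check may run for an anonymous visitor
    }
    return (string) $_SESSION['username'];
}

// The only file that sits under the document root is a thin stub, for
// example htdocs/report.php (hypothetical name), containing just:
//
//   require '/srv/app/include/auth_guard.php';
//   $user = require_login();
//   require '/srv/app/include/report_body.php';
//
// report_body.php has no URL of its own, so it cannot be requested directly,
// and it is only ever reached after require_login() has returned.
```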
