RE: [PHP-DB] Session understanding
> -Original Message-
> From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
> Sent: 26 September 2002 16:09
>
> as long as that same session code is present at the top of
> all the included files that are put in later. basically you
> need to put the session code in every page (even if you only
> intend to use it as an include) you wish to protect otherwise
> its contents can be read by directly typing in the url in the
> same way that you can read included .js and .css files.

... and this is precisely why all your include files should be in directories which are not servable by your Web server -- if your Web server can't serve them, then they can't be "accidentally" served by someone typing their URL in directly, because they don't have a URL!

Personally, I don't put *any* files with live code in http-servable directories. All of my PHP scripts that Apache can serve as "top-level" scripts look pretty much like this:

Cheers!

Mike

Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
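
The layout described in the message above, as an added example that is not code from the thread or from any of its posters: the document root holds only a thin stub, and everything with logic sits in a sibling directory that has no URL. The directory names (`public_html/`, `app/`), the `require_login()` helper, the `user_id` session key and `/login.php` are all assumptions made for illustration.

```php
<?php
// FILE 1: /var/www/site/public_html/report.php   (path is an assumption)
// The only kind of file Apache can serve: a stub with no logic of its own.
// It runs the session check first and only then pulls in the real page.

define('APP_ROOT', dirname(__DIR__) . '/app');  // sibling of the docroot

require APP_ROOT . '/auth.php';          // defines require_login()
require_login();                         // exits here when not logged in
require APP_ROOT . '/pages/report.php';  // has no URL, cannot be hit directly
?>
<?php
// FILE 2: /var/www/site/app/auth.php   (outside the document root)
// Hypothetical guard shared by every stub, so the check exists in one place
// instead of being pasted at the top of each include file.

function require_login(): void
{
    // Start (or resume) the session exactly once per request.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 'user_id' is an assumed key that the login page sets on success.
    if (empty($_SESSION['user_id'])) {
        // Send the browser to the login page and stop. Without exit the
        // stub would carry on and include the protected page anyway.
        header('Location: /login.php', true, 302);
        exit;
    }
}
```

If an include file has to stay inside the document root, the alternative raised earlier in the thread still applies: it must call the same guard at its own top.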
RE: [PHP-DB] Session understanding
as long as that same session code is present at the top of all the included files that are put in later. basically you need to put the session code in every page (even if you only intend to use it as an include) you wish to protect otherwise its contents can be read by directly typing in the url in the same way that you can read included .js and .css files.

-Original Message-
From: NIPP, SCOTT V (SBCSI) [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 15:57
To: Griffiths, Daniel; Steve Bradwell; Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding

Can't you get around this by making the session code a separate, required file that is at the beginning of every protected page? I think this is basically the same thing, just making sure because I am about to try and implement some session controls myself. Thanks.

-Original Message-
From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:55 AM
To: Steve Bradwell; Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding

make sure that the test code is in every page you wish to protect, even the included ones, if it's not there someone could still get the contents simply by typing in the url of 'other.php' should they guess it etc, better to be safe than sorry

-Original Message-
From: Steve Bradwell [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 15:02
To: Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding

If you include the other page AFTER you do this check you'll be fine. So run your if statement and then add an else...include "other.php";

HTH,
Steve.

-Original Message-
From: Rodrigo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:38 AM
To: PHP
Subject: [PHP-DB] Session understanding

Hi people, if I use this code:

logging in again or contact the mailto:[EMAIL PROTECTED]";>system administrator'); } ?>

in one page to check if the user is logged, and in this same page I include another page, do I have to put this same test in this page that is being included???

this question may be dumb but I don't know

thanks a lot for the help.

Equipe Pratic Sistemas
Rodrigo Corrêa
Fone: (14) 441-1700
[EMAIL PROTECTED]
[EMAIL PROTECTED]
RE: [PHP-DB] Session understanding
Can't you get around this by making the session code a separate, required file that is at the beginning of every protected page? I think this is basically the same thing, just making sure because I am about to try and implement some session controls myself. Thanks.

-Original Message-
From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:55 AM
To: Steve Bradwell; Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding

make sure that the test code is in every page you wish to protect, even the included ones, if it's not there someone could still get the contents simply by typing in the url of 'other.php' should they guess it etc, better to be safe than sorry

-Original Message-
From: Steve Bradwell [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 15:02
To: Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding

If you include the other page AFTER you do this check you'll be fine. So run your if statement and then add an else...include "other.php";

HTH,
Steve.

-Original Message-
From: Rodrigo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:38 AM
To: PHP
Subject: [PHP-DB] Session understanding

Hi people, if I use this code:

logging in again or contact the mailto:[EMAIL PROTECTED]";>system administrator'); } ?>

in one page to check if the user is logged, and in this same page I include another page, do I have to put this same test in this page that is being included???

this question may be dumb but I don't know

thanks a lot for the help.

Equipe Pratic Sistemas
Rodrigo Corrêa
Fone: (14) 441-1700
[EMAIL PROTECTED]
[EMAIL PROTECTED]
RE: [PHP-DB] Session understanding
make sure that the test code is in every page you wish to protect, even the included ones, if it's not there someone could still get the contents simply by typing in the url of 'other.php' should they guess it etc, better to be safe than sorry

-Original Message-
From: Steve Bradwell [mailto:[EMAIL PROTECTED]]
Sent: 26 September 2002 15:02
To: Rodrigo; PHP
Subject: RE: [PHP-DB] Session understanding

If you include the other page AFTER you do this check you'll be fine. So run your if statement and then add an else...include "other.php";

HTH,
Steve.

-Original Message-
From: Rodrigo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:38 AM
To: PHP
Subject: [PHP-DB] Session understanding

Hi people, if I use this code:

logging in again or contact the mailto:[EMAIL PROTECTED]";>system administrator'); } ?>

in one page to check if the user is logged, and in this same page I include another page, do I have to put this same test in this page that is being included???

this question may be dumb but I don't know

thanks a lot for the help.

Equipe Pratic Sistemas
Rodrigo Corrêa
Fone: (14) 441-1700
[EMAIL PROTECTED]
[EMAIL PROTECTED]
RE: [PHP-DB] Session understanding
If you include the other page AFTER you do this check you'll be fine. So run your if statement and then add an else...include "other.php";

HTH,
Steve.

-Original Message-
From: Rodrigo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 9:38 AM
To: PHP
Subject: [PHP-DB] Session understanding

Hi people, if I use this code:

logging in again or contact the mailto:[EMAIL PROTECTED]";>system administrator'); } ?>

in one page to check if the user is logged, and in this same page I include another page, do I have to put this same test in this page that is being included???

this question may be dumb but I don't know

thanks a lot for the help.

Equipe Pratic Sistemas
Rodrigo Corrêa
Fone: (14) 441-1700
[EMAIL PROTECTED]
[EMAIL PROTECTED]