[PHP] Access control question

2002-06-07 Thread Jeff Field
Quick question... I have a site where users log in, they put their user name and password in a form and if they are verified against the database, session variables are created, $_SESSION['user']; $_SESSION['pass']; and they get sent to the next page by way of, header(Location:

Re: [PHP] Access control question

2002-06-07 Thread Analysis Solutions
Hi Jeff: On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote: Is it simply enough to just check that $_SESSION['user'] is present, and therefore, by that alone assume the user has logged in and should be granted access? Or, should I be verifying the $_SESSION['user'] and

Re: [PHP] Access control question

2002-06-07 Thread Erik Price
You are also assuming that the session hasn't been hijacked. Other things you can do are store the user's UserAgent in a session var and check it on every page (session spoofer MIGHT be using a different browser), and do likewise for IP address. Although remember that AOL users will have

RE: [PHP] Access control question - follow-up question

2002-06-07 Thread Jeff Field
this right? Thanks! Jeff -Original Message- From: Analysis Solutions [mailto:[EMAIL PROTECTED]] Sent: Friday, June 07, 2002 10:42 AM To: PHP List Subject: Re: [PHP] Access control question Hi Jeff: On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote: Is it simply

Re: [PHP] Access control question - follow-up question

2002-06-07 Thread Analysis Solutions
On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote: In regards to "Passing/testing the password on each page is unnecessary and poses security risks.", I'm under the impression that when I create the user and password variables, the variables are only available in the session cookie

RE: [PHP] Access control question - follow-up question

2002-06-07 Thread Jeff Field
] Access control question - follow-up question On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote: In regards to "Passing/testing the password on each page is unnecessary and poses security risks.", I'm under the impression that when I create the user and password variables

Re: [PHP] Access control question - follow-up question

2002-06-07 Thread Erik Price
On Friday, June 7, 2002, at 12:32 PM, Jeff Field wrote: I'm under the impression that when I create the user and password variables, the variables are only available in the session cookie on my own server, not in the cookie that is sent to the user to maintain sessions. The cookie sent to