How did you check? With an if? You should use the session_is_registered function instead: http://www.php.net/manual/en/function.session-is-registered.php

    if (!session_is_registered("user")) {
        print "invalid user";
        exit;
    }
    // your other code here

And yes, turning off register globals is a good idea :)

>I am trying to implement a user authentication/login system
>using PHP 4.x's
>built in session functions. Upon a successful login, there
>is a
>session_register('uid','uname','status'). On pages that
>require someone to
>be an authenticated user I check against
>HTTP_SESSION_VARS['uid'] to make
>sure it is not null, is greater than 0, and I also check the
>HTTP_SESSION_VARS['uname'].
>This seemed to be working until I tried to see what would
>happen if I fed
>it a query string. I fed a "secure"
>page ?action=edit&uid=3&uname=jon&status=true and my check
>still failed
>me, but then when I went back to the same secure page
>without the bogus
>query string, I was in fact authenticated as the user I
>forced through.
>
>Is it possible for global vars, even if not registered via
>session_register(), to end up in the HTTP_SESSION_VARS array? I
>was under the
>impression that the ONLY variables and values that would be
>in this array
>were those that were explicitly registered via
>session_register().
>
>Should I disable register_globals?
>
>--Jon

--
PHP General Mailing List (http://www.php.net/)
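
The check discussed in this thread, hardened so that identity is written and read only through the session array and never through a global that a request parameter can seed. This is an added example, not code from the thread: the function names are hypothetical, and it assumes PHP 5.1 or later, where `$_SESSION` and `session_regenerate_id(true)` are available.

```php
<?php
// Added example; register_globals_enabled(), login_user() and current_user()
// are hypothetical helper names, not part of the original post.

// ini_get() returns false on PHP versions that no longer have the directive.
function register_globals_enabled() {
    $v = ini_get('register_globals');
    return $v !== false && $v !== '' && $v !== '0' && strtolower($v) !== 'off';
}

// Call only after the credentials have been verified server-side,
// and only after session_start().
function login_user($uid, $uname) {
    session_regenerate_id(true);          // fresh session id for the authenticated session
    $_SESSION['uid']    = (int) $uid;     // explicit assignment instead of session_register()
    $_SESSION['uname']  = (string) $uname;
    $_SESSION['status'] = true;
}

// Identity comes from the session store only; $_GET, $_POST and $_COOKIE
// are never consulted, so ?uid=...&uname=... has nothing to bind to.
function current_user() {
    if (!isset($_SESSION['uid'], $_SESSION['uname'], $_SESSION['status'])) {
        return null;
    }
    if (!is_int($_SESSION['uid']) || $_SESSION['uid'] <= 0
        || $_SESSION['status'] !== true) {
        return null;
    }
    return array('uid' => $_SESSION['uid'], 'uname' => $_SESSION['uname']);
}

// Refuse to serve protected pages while request parameters become globals.
if (register_globals_enabled()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be off');
}

session_start();
$user = current_user();
if ($user === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('invalid user');
}
// your other code here; use $user['uid'], never a bare $uid
```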