How did you check? With an if? You should use the session_is_registered function instead,
http://www.php.net/manual/en/function.session-is-registered.php

session_start(); // session_is_registered() only sees variables once the session has been started
if (!session_is_registered("user")) {
    // "user" was never registered in this session, so this request is not logged in
    print "invalid user";
    exit;
}
// your other code here

and yes, turning off register globals is a good idea :)

> I am trying to implement a user authentication/login system using PHP 4.x's
> built in session functions. Upon a successful login, there is a
> session_register('uid','uname','status'). On pages that require someone to
> be an authenticated user I check against HTTP_SESSION_VARS['uid'] to make
> sure it is not null, is greater than 0, and I also check the
> HTTP_SESSION_VARS['uname'].
>
> This seemed to be working until I tried to see what would happen if I fed
> it a query string. I fed a "secure"
> page ?action=edit&uid=3&uname=jon&status=true and my check still failed
> me, but then when I went back to the same secure page without the bogus
> query string, I was in fact authenticated as the user I forced through.
>
> Is it possible that global vars even if not registered via
> session_register() end up in the HTTP_SESSION_VARS array? I was under the
> impression that the ONLY variables and values that would be in this array
> were those that were explicitly registered via session_register().
>
> Should I disable register_globals?
>
> --Jon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
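As an added example (not code from either poster), this is how the guard from the thread looks when it reads only from $_SESSION and never from a bare global such as $uid, which is the variable register_globals lets a query string like ?uid=3&uname=jon&status=true populate. It assumes PHP 4.1 or later (where $_SESSION exists) and that a hypothetical login.php is the only code that writes the uid/uname/status session fields; the function names are my own.

```php
<?php
// Added example; not from the thread. Assumes PHP 4.1+ so $_SESSION is available.

// register_globals is PHP_INI_PERDIR, so it cannot be switched off with ini_set()
// at runtime. Detect it and refuse to run; the fix belongs in php.ini or, under
// Apache mod_php, in .htaccess: php_flag register_globals off
function refuse_if_register_globals()
{
    if (ini_get('register_globals')) {
        trigger_error('register_globals is on; fix php.ini before serving this page', E_USER_ERROR);
    }
}

// --- called from login.php only AFTER the credentials have been verified ---
// Writing through $_SESSION (rather than session_register() on a global) means a
// stray $uid that came in on the query string is never what gets persisted.
function establish_login_session($uid, $uname, $status)
{
    $_SESSION['uid']    = (int) $uid;
    $_SESSION['uname']  = (string) $uname;
    $_SESSION['status'] = (bool) $status;
}

// --- guard included at the top of every protected page ---
// Reads ONLY from $_SESSION. $_GET, $_POST and bare globals are deliberately
// ignored, so ?uid=3&uname=jon&status=true has no effect on the outcome.
function require_authenticated_user()
{
    if (!isset($_SESSION['uid']) || !isset($_SESSION['uname'])) {
        return false;
    }
    if (!is_int($_SESSION['uid']) || $_SESSION['uid'] <= 0) {
        return false;
    }
    if (!is_string($_SESSION['uname']) || $_SESSION['uname'] === '') {
        return false;
    }
    return true;
}

refuse_if_register_globals();
session_start();
if (!require_authenticated_user()) {
    print "invalid user";
    exit;
}
// your other code here
?>
```

The casts in establish_login_session() are what make the is_int()/is_string() checks in the guard meaningful: the types are fixed at the single trusted write site, so anything else found in the session (for example a string "3" that arrived via a global) fails the check instead of passing a loose comparison.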
