RE: [PHP] ignoring client supplied session data

2002-11-27 Thread John W. Holmes
> What I do on my pages is perhaps a convoluted way of doing it but it works. I set a username and password session variables. Every time the page loads the script verifies the username and password are correct. If not, they don't get to see the rest. This, in my mind, prevents someone fr

RE: [PHP] ignoring client supplied session data

2002-11-27 Thread John W. Holmes
> I'm not worried about them using the query string for malicious purposes- I have register_globals off... I'm worried about someone messing with their cookie and setting authorized to true- that _will_ change my $_SESSION variable, unless I can find some way to ignore cookies, which brings

Re: [PHP] ignoring client supplied session data

2002-11-27 Thread Justin French
on 28/11/02 9:22 AM, Evan Nemerson ([EMAIL PROTECTED]) wrote: > I'm not worried about them using the query string for malicious purposes- I have register_globals off... I'm worried about someone messing with their cookie and setting authorized to true- that _will_ change my $_SESSION variabl

RE: [PHP] ignoring client supplied session data

2002-11-27 Thread Rich Gray
I know I'm late in on this thread but Ignoring cookies is easy - just don't set them and don't use any data in $_COOKIE[]... or am I missing your point? $_COOKIE[] data should be treated with far more caution than $_SESSION[] i.e. it should be treated as hostile data. If you really have to r

Re: [PHP] ignoring client supplied session data

2002-11-27 Thread Evan Nemerson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm not worried about them using the query string for malicious purposes- I have register_globals off... I'm worried about someone messing with their cookie and setting authorized to true- that _will_ change my $_SESSION variable, unless I can find

RE: [PHP] ignoring client supplied session data

2002-11-27 Thread Van Andel, Robert
Andel, Robert Cc: Evan Nemerson; [EMAIL PROTECTED] Subject: RE: [PHP] ignoring client supplied session data At 22:17 27.11.2002, Van Andel, Robert said: [snip] > On the other hand, I use only one query, searching for the username. I had experimented

RE: [PHP] ignoring client supplied session data

2002-11-27 Thread Ernest E Vogelsinger
At 22:17 27.11.2002, Van Andel, Robert said: [snip] > On the other hand, I use only one query, searching for the username. I had experimented with other methods but did not find anything that I felt gave me great security. Using a session variable that s

RE: [PHP] ignoring client supplied session data

2002-11-27 Thread Van Andel, Robert
authentication process Robbert van Andel -Original Message- From: Evan Nemerson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 27, 2002 12:59 PM To: Van Andel, Robert; [EMAIL PROTECTED] Subject: Re: [PHP] ignoring client supplied session data -BEGIN PGP SIGNED MESSAGE- Hash: SHA1

Re: [PHP] ignoring client supplied session data

2002-11-27 Thread Evan Nemerson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I was thinking about doing that, but I was hoping to avoid superfluous database queries. It is my fallback method, but i _really_ want to use sessions, but limit them to server-side modification. On Wednesday 27 November 2002 12:51 pm, Van Andel, R

RE: [PHP] ignoring client supplied session data

2002-11-27 Thread Van Andel, Robert
What I do on my pages is perhaps a convoluted way of doing it but it works. I set a username and password session variables. Every time the page loads the script verifies the username and password are correct. If not, they don't get to see the rest. This, in my mind, prevents someone from sup