I am trying to implement a user authentication/login system using PHP 4.x's built-in session functions. Upon a successful login, there is a session_register('uid','uname','status'). On pages that require someone to be an authenticated user I check against HTTP_SESSION_VARS['uid'] to make sure it is not null, is greater than 0, and I also check the HTTP_SESSION_VARS['uname'].
This seemed to be working until I tried to see what would happen if I fed it a query string. I fed a "secure" page ?action=edit&uid=3&uname=jon&status=true and my check still failed me, but then when I went back to the same secure page without the bogus query string, I was in fact authenticated as the user I forced through. Is it possible for global vars, even if not registered via session_register(), to end up in the HTTP_SESSION_VARS array? I was under the impression that the ONLY variables and values that would be in this array were those that were explicitly registered via session_register(). Should I disable register_globals?

--Jon
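An added example, not part of the original post: a login guard that reads and writes identity only through the session array, so request parameters such as ?uid=3 are never consulted. It assumes PHP 4.1 or later (where $_SESSION is available) with register_globals set to Off; establish_session(), require_login() and login.php are hypothetical names.

```php
<?php
// Added example, not code from the original post.
// Assumptions: PHP 4.1+ ($_SESSION), register_globals = Off in php.ini.

// Refuse to run if request variables are imported into global scope,
// because session_register() ties session data to those same globals.
if (ini_get('register_globals')) {
    die('register_globals must be Off for this application');
}

session_start();

// Call this only after the submitted credentials have been verified
// server-side. Identity is written straight into $_SESSION; neither
// session_register() nor any global variable is involved.
function establish_session($uid, $uname)
{
    $_SESSION['uid']    = (int) $uid;
    $_SESSION['uname']  = (string) $uname;
    $_SESSION['status'] = true;
}

// Guard for protected pages: trust only what the session store holds.
// $_GET['uid'], $_POST['uid'] and a global $uid are never read here.
function require_login()
{
    $ok = isset($_SESSION['uid'])
        && is_int($_SESSION['uid'])
        && $_SESSION['uid'] > 0
        && !empty($_SESSION['uname']);

    if (!$ok) {
        header('Location: login.php'); // placeholder path
        exit;
    }
}
?>
```

A protected page would include this file and call require_login() before producing any output.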