I am trying to implement a user authentication/login system using PHP 4.x's
built-in session functions. Upon a successful login, there is a
session_register('uid','uname','status'). On pages that require someone to
be an authenticated user I check against HTTP_SESSION_VARS['uid'] to make
sure it is not null, is greater than 0, and I also check
HTTP_SESSION_VARS['uname'].
This seemed to be working until I tried to see what would happen if I fed
it a query string. I fed a "secure"
page ?action=edit&uid=3&uname=jon&status=true and my check still failed
me, but then when I went back to the same secure page without the bogus
query string, I was in fact authenticated as the user I forced through.
Is it possible for global vars, even if not registered via
session_register(), to end up in the HTTP_SESSION_VARS array? I was under the
impression that the ONLY variables and values that would be in this array
were those that were explicitly registered via session_register().
Should I disable register_globals?
--Jon
--
PHP General Mailing List (http://www.php.net/)
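The behaviour Jon describes is the documented interaction between register_globals and session_register(): with register_globals on, session_register('uid') binds the global variable $uid to the session, and $uid is populated from the query string as well as from the session data, so whatever value the client supplied is what gets serialised into the session at the end of the request. The check then passes on the next request because it is reading the stored, attacker-chosen value. Below is an added example, not code from Jon's post or from any reply on the list, showing the vulnerable pattern next to a hardened one that reads and writes only the session array. It assumes $_SESSION (available from PHP 4.1.0; use $HTTP_SESSION_VARS on older 4.0.x) and a hypothetical login handler that has already verified the user's credentials.

```php
<?php
// Added example, not part of the original post.
// Shows why register_globals + session_register() lets ?uid=3 become the
// session's uid, and how to write the check so it cannot.

// ---------------------------------------------------------------------------
// VULNERABLE: depends on register_globals and bare globals.
// With register_globals=On, $uid and $uname are filled from GET/POST/cookie
// as well as from the session. Calling session_register('uid') in a request
// where ?uid=3 was supplied binds that attacker-supplied global to the
// session, so PHP 4 serialises uid=3 at shutdown and the next request,
// without any query string, is "authenticated" as user 3.
// ---------------------------------------------------------------------------
function is_authenticated_vulnerable()
{
    global $uid, $uname;
    session_register('uid');
    session_register('uname');
    return isset($uid) && $uid > 0 && isset($uname);
}

// ---------------------------------------------------------------------------
// HARDENED: never consult a bare global for anything security-relevant.
// Only the session array is trusted; request data cannot reach it unless
// code explicitly copies it in. This works whether register_globals is on
// or off, but it should still be off (see the ini_get() check in main).
// ---------------------------------------------------------------------------
function is_authenticated()
{
    if (!isset($_SESSION['uid']) || !isset($_SESSION['uname'])) {
        return false;
    }
    $uid = (int) $_SESSION['uid'];
    $uname = $_SESSION['uname'];
    return $uid > 0 && is_string($uname) && $uname !== '';
}

// Hypothetical login handler: $verified_uid / $verified_uname are assumed to
// come from a credential check against the user store, not from the request.
// Writing to $_SESSION directly replaces session_register(), so the names
// 'uid' and 'uname' are never bound to globals that GET/POST can overwrite.
function login_user($verified_uid, $verified_uname)
{
    $_SESSION['uid']    = (int) $verified_uid;
    $_SESSION['uname']  = (string) $verified_uname;
    $_SESSION['status'] = true;
}

function logout_user()
{
    $_SESSION = array();
    session_destroy();
}

// --- Page entry point ------------------------------------------------------
session_start();

// Refuse to run at all with register_globals on; in a .htaccess this is
//   php_flag register_globals off
// and in php.ini: register_globals = Off
if (ini_get('register_globals')) {
    die('register_globals must be Off');
}

if (!is_authenticated()) {
    header('Location: login.php');   // assumed login page name
    exit;
}

// From here on, $_SESSION['uid'] is the authenticated user, regardless of
// any uid=..., uname=... or status=... the client put in the query string.
$action = isset($_GET['action']) ? $_GET['action'] : 'view';
echo 'Authenticated as user ', (int) $_SESSION['uid'],
     ' (', htmlspecialchars($_SESSION['uname']), '), action=',
     htmlspecialchars($action);
?>
```

The important point is the third bullet of the hardening, not the ini check alone: even with register_globals off, a page that does `session_register('uid')` after having assigned `$uid` from request data will still store the request value, because session_register() registers whatever the global currently holds. Write to the session array explicitly, after validation, and read only from it.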