Best groupmember, I am about to develop an simple admintool for a webpage. My webhost (crappy but nonexpensive) does not support HTTPS and I still want to be able to create some sort of secure login.
For the moment I am just using a form that sends the username and passwd with POST method that verifies the username and passwd in a script. When this is set I put a $_SESSION['usertype']="admin" and when a adminpage is beeing requested I check so that this sessionvariable is "admin", othervise I redirect to the loginpage and unset all session variables. Can someone from outside set a $_SESSION variable with some "hacker" techniqe? I assume it is easy to listen to the USERNAME and PASSWORD in the POST-form. Someone with some tips and tricks to get a secure system without using HTTPS? -- - Best Of Times /Peter Lauri -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
