> What I do on my pages is perhaps a convoluted way of doing it but it
> works. I set username and password session variables. Every time the
> page loads the script verifies the username and password are correct. If
> not, they don't get to see the rest. This, in my mind, prevents someone
> fr
> I'm not worried about them using the query string for malicious purposes- I
> have register_globals off... I'm worried about someone messing with their
> cookie and setting authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings
On 28/11/02 9:22 AM, Evan Nemerson ([EMAIL PROTECTED]) wrote:
> I'm not worried about them using the query string for malicious purposes- I
> have register_globals off... I'm worried about someone messing with their
> cookie and setting authorized to true- that _will_ change my $_SESSION
> variabl
I know I'm late in on this thread but...
Ignoring cookies is easy - just don't set them and don't use any data in $_COOKIE[]... or am I missing your point?
$_COOKIE[] data should be treated with far more caution than $_SESSION[], i.e. it should be treated as hostile data. If you really have to r
I'm not worried about them using the query string for malicious purposes- I
have register_globals off... I'm worried about someone messing with their
cookie and setting authorized to true- that _will_ change my $_SESSION
variable, unless I can find
Andel, Robert
Cc: Evan Nemerson; [EMAIL PROTECTED]
Subject: RE: [PHP] ignoring client supplied session data
At 22:17 27.11.2002, Van Andel, Robert said:
[snip]
>On the other hand, I use only one query, searching for the username. I had
>experimented with other methods but did not find anything that I felt gave
>me great security. Using a session variable that s
authentication process
Robbert van Andel
-Original Message-
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:59 PM
To: Van Andel, Robert; [EMAIL PROTECTED]
Subject: Re: [PHP] ignoring client supplied session data
day, November 27, 2002 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] ignoring client supplied session data
>
>
> I'm setting up a site using sessions right now, and I was just wondering if
> there is a way to ignore anything from the client side- I want them to POST
>
from supplying a key variable like
$_session['logged_in']. This way they have to know the username and password.
Robbert van Andel
-Original Message-
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: [PHP]
I'm setting up a site using sessions right now, and I was just wondering if
there is a way to ignore anything from the client side- I want them to POST a
username and password, from there all data should be handled on the server.
I'm already using t