Re: [PHP] Re: input on sessions vs cookies

2007-02-27 Thread Richard Lynch
Re-authenticate and make them login again when they do something particularly dangerous/serious/big-time. Nothing you've listed matches the above, except maybe changing their current password to a new one. I suppose you could do it just to change any profile setting, but some goofball out there w

Re: [PHP] Re: input on sessions vs cookies

2007-02-25 Thread Tosca
It's a website where you can reply to news, blogs and other messages and with a forum. On 2/26/07, Richard Lynch <[EMAIL PROTECTED]> wrote: On Sun, February 25, 2007 6:45 pm, Tosca wrote: > Quote from Fahad Pervaiz <[EMAIL PROTECTED]>: > "To ensure best security use database as well. Store IP,

Re: [PHP] Re: input on sessions vs cookies

2007-02-25 Thread Richard Lynch
On Sun, February 25, 2007 6:45 pm, Tosca wrote: > Quote from Fahad Pervaiz <[EMAIL PROTECTED]>: > "To ensure best security use database as well. Store IP, Session ID, > username, login time. After every few minutes you can re > authenticate the > user against these parameters." > > I have a log

Re: [PHP] Re: input on sessions vs cookies

2007-02-25 Thread Tosca
Quote from Fahad Pervaiz <[EMAIL PROTECTED]>: "To ensure best security use database as well. Store IP, Session ID, username, login time. After every few minutes you can re-authenticate the user against these parameters." I have a login system with sessions and a database where I store session I
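The two ideas in this thread, re-authenticating before a dangerous action (Lynch's reply at the top) and tying the session to client data such as IP and login time and re-checking it on every request (the Pervaiz quote), as a worked example. This is added code, not code posted by anyone in the thread. The helpers take the session array by reference so the demo at the bottom runs from the CLI; in a web app you would call session_start() and pass $_SESSION. The fingerprint contents (IP plus User-Agent), the five-minute re-authentication window and the 30-minute idle timeout are assumptions, not values from the thread. The session_regenerate_id() comment in login() is the standard counter to the session fixation paper discussed further down this page.

```php
<?php
// Added example, not code from the thread. Session-hardening helpers:
// bind the session to the client and re-check it on every request, and
// demand a fresh password check before dangerous actions.
// Functions take the session array by reference so the demo below runs
// from the CLI (php session_guard.php); in a web app pass $_SESSION.
// The window and timeout values are assumptions.

const REAUTH_WINDOW = 300;   // seconds a password check stays "fresh"
const IDLE_TIMEOUT  = 1800;  // seconds of inactivity before the session dies

// What the session is tied to. Assumption: remote IP plus User-Agent.
function client_fingerprint(string $ip, string $ua): string {
    return hash('sha256', $ip . "\0" . $ua);
}

function login(array &$sess, int $userId, string $ip, string $ua, int $now): void {
    // In a real request, call session_regenerate_id(true) here: the session ID
    // the browser carried before login may have been planted by an attacker
    // (session fixation), so issue a new one once the user is authenticated.
    $sess = [
        'user_id'     => $userId,
        'login_time'  => $now,
        'last_auth'   => $now,   // last time the password was verified
        'last_seen'   => $now,
        'fingerprint' => client_fingerprint($ip, $ua),
    ];
}

// Per-request check. Returns null when the session is good, otherwise the
// reason it was rejected; the caller should destroy the session on any reason.
function validate(array &$sess, string $ip, string $ua, int $now): ?string {
    if (!isset($sess['user_id'], $sess['fingerprint'], $sess['last_seen'])) {
        return 'not logged in';
    }
    if (!hash_equals($sess['fingerprint'], client_fingerprint($ip, $ua))) {
        return 'client mismatch';
    }
    if ($now - $sess['last_seen'] > IDLE_TIMEOUT) {
        return 'idle timeout';
    }
    $sess['last_seen'] = $now;
    return null;
}

// Gate for dangerous actions (password change, e-mail change, ...):
// true means "ask for the current password again before proceeding".
function needs_reauth(array $sess, int $now): bool {
    return !isset($sess['last_auth']) || ($now - $sess['last_auth']) > REAUTH_WINDOW;
}

// Called after the user re-entered their password; $passwordOk is the result
// of password_verify() against the stored hash (that lookup is omitted here).
function reauthenticate(array &$sess, bool $passwordOk, int $now): bool {
    if (!$passwordOk) {
        return false;
    }
    $sess['last_auth'] = $now;
    return true;
}

// --- demo with a constructed session array and a fixed clock ---
$sess = [];
$t0   = 1172400000;  // arbitrary epoch seconds
login($sess, 42, '203.0.113.5', 'Mozilla/5.0', $t0);

$checks = [
    'same client, 1 min later'  => ['203.0.113.5',  'Mozilla/5.0', $t0 + 60],
    'other IP, same UA'         => ['198.51.100.9', 'Mozilla/5.0', $t0 + 60],
    'same client, 2 hours idle' => ['203.0.113.5',  'Mozilla/5.0', $t0 + 7200],
];
foreach ($checks as $label => [$ip, $ua, $now]) {
    $copy = $sess;   // each check starts from the freshly logged-in state
    printf("%-26s %s\n", $label, validate($copy, $ip, $ua, $now) ?? 'ok');
}

printf("change password at +1 min:  %s\n", needs_reauth($sess, $t0 + 60) ? 'ask for password' : 'allowed');
printf("change password at +10 min: %s\n", needs_reauth($sess, $t0 + 600) ? 'ask for password' : 'allowed');
reauthenticate($sess, true, $t0 + 600);
printf("after re-auth at +10 min:   %s\n", needs_reauth($sess, $t0 + 600) ? 'ask for password' : 'allowed');
```

One caveat a practitioner should weigh before copying the IP into the fingerprint: clients behind rotating proxies or on mobile networks change address mid-session and will be logged out on the next request, so many sites bind to the User-Agent only, or drop the fingerprint and rely on ID regeneration, the idle timeout and the re-authentication gate. Whatever is stored, treat any mismatch as a reason to destroy the session and issue a fresh ID, never as something to log and continue past.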

RE: [PHP] Re: INPUT

2006-08-10 Thread Jim Moseby
> > > By the last answers I saw that someone does not understand what > I wanted to > say. > > My strings are always rightly escaped, but when I get it into > an HTML form > like it gets type="text" value="Sony 29" TV"> that is, the value of my > input field lost > part of the content. >

Re: [PHP] Re: input type=file problem (Maybe 0T)

2005-07-31 Thread Jochem Maas
David Dorward wrote: Ryan A wrote: The problem is, if she has tried to upload a pic at the same time and screwed up on the date of birth I am unable to send back the value of the FILE box so that too get populated... I tried setting a VALUE="path/file" but that does not work. As has already

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-06 Thread Chris Shiflett
--- Boyan Nedkov <[EMAIL PROTECTED]> wrote: > > ... Short of any severe bugs in PHP's core, there is no way for a > > user of your Web application to modify session data ... > > It seems that statement is not completely correct considering the topic > discussed in the paper 'Session Fixation Vu

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-06 Thread Boyan Nedkov
Yes, you are right, it was my misunderstanding, sorry guys. Anyway, hope that posting was useful concerning the subject of the discussion. Boyan -- CPT John W. Holmes wrote: From: "Boyan Nedkov" <[EMAIL PROTECTED]> [snip] > ... Short of any severe bugs in PHP's core, there is no way for a > use

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-06 Thread CPT John W. Holmes
From: "Boyan Nedkov" <[EMAIL PROTECTED]> > [snip] > > ... Short of any severe bugs in PHP's core, there is no way for a > > user of your Web application to modify session data ... > [/snip] > > It seems that statement is not completely correct considering the topic > discussed in the paper 'Sess

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-06 Thread Boyan Nedkov
[snip] > ... Short of any severe bugs in PHP's core, there is no way for a > user of your Web application to modify session data ... [/snip] It seems that statement is not completely correct considering the topic discussed in the paper 'Session Fixation Vulnerability in Web-based Applications'

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-06 Thread Jason Wong
On Thursday 06 November 2003 13:36, Chris Shiflett wrote: > For example, if you store your sessions in a database, it's pretty trivial > for another user to write a PHP script that allows him/her to navigate the > filesystem, searching for your database access credentials. After all, if > Apache/P

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-05 Thread Chris Shiflett
--- "John W. Holmes" <[EMAIL PROTECTED]> wrote: > Pablo Gosse wrote: > > > As to your last point, can something else change the session vars > > other than my php scripts, answers to that question are exactly what > > I'm looking for. > > Other PHP scripts on the same server (doesn't have to be s

RE: [PHP] Re: Input Validation of $_SESSION values

2003-11-05 Thread Chris Shiflett
--- Pablo Gosse <[EMAIL PROTECTED]> wrote: > In all honesty I don't know enough about how one would go about > attempting to hack the values of a session other than through hacking > into the session files, so if anyone has any input on this please pass > it along. Well, you basically hit the nail

Re: [PHP] Re: Input Validation of $_SESSION values

2003-11-05 Thread John W. Holmes
Pablo Gosse wrote: As to your last point, can something else change the session vars other than my php scripts, answers to that question are exactly what I'm looking for. Other PHP scripts on the same server (doesn't have to be same domain) and most anything that can access the filesystem could m

RE: [PHP] Re: Input Validation of $_SESSION values

2003-11-05 Thread Pablo Gosse
On Wednesday, November 05, 2003 5:43 PM, Lang wrote: /*---*/ 1. Have register_globals set to off in your php.ini and 2. Check the values before you put them in the session. You should be ok. ie. if you just go $_SESSION['g_id'] = $_GET['g_id'] on one page, then you stil
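The second point in the post above, checking a value before it goes into the session, shown as the assignment the post quotes ($_SESSION['g_id'] = $_GET['g_id']) next to a validated version. This is added code, not code from the thread. The session array and the group-membership table are constructed so the script runs from the CLI; user_groups() stands in for a database lookup and is an assumption, as is the rule that a user may only select a group they belong to.

```php
<?php
// Added example, not code from the thread. Contrasts the assignment quoted in
// the post, $_SESSION['g_id'] = $_GET['g_id'], with a version that validates
// the value before it becomes "trusted" session state. The session array and
// the membership table are constructed here so the script runs from the CLI;
// user_groups() is an assumed stand-in for a database lookup.

// Constructed membership table: user id => group ids the user may select.
function user_groups(int $userId): array {
    $table = [7 => [3, 8, 12], 9 => [8]];
    return $table[$userId] ?? [];
}

// The pattern from the post: whatever the client sent (a string, a negative
// number, "8 OR 1=1", or an array via g_id[]=...) is stored verbatim, and
// every later page reads $_SESSION['g_id'] believing it was vetted.
function store_group_unsafe(array &$sess, array $get): void {
    $sess['g_id'] = $get['g_id'] ?? null;
}

// Hardened: check type and range, then check the user is allowed this value.
// Only the validated integer reaches the session.
function store_group_safe(array &$sess, array $get): bool {
    if (!isset($sess['user_id'])) {
        return false;                       // must be logged in first
    }
    $gid = filter_var($get['g_id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($gid === false) {
        return false;                       // not a positive integer (arrays fail too)
    }
    if (!in_array($gid, user_groups($sess['user_id']), true)) {
        return false;                       // a valid number, but not this user's group
    }
    $sess['g_id'] = $gid;
    return true;
}

// --- demo: the same constructed inputs through both functions ---
$inputs = [
    ['g_id' => '8'],          // legitimate
    ['g_id' => '99'],         // someone else's group
    ['g_id' => '8 OR 1=1'],   // injection attempt aimed at a later query
    ['g_id' => ['8']],        // g_id[]=8 turns the value into an array
    [],                       // parameter missing
];
foreach ($inputs as $get) {
    $unsafe = ['user_id' => 7];
    $safe   = ['user_id' => 7];
    store_group_unsafe($unsafe, $get);
    $ok = store_group_safe($safe, $get);
    printf("%-12s unsafe stores %-10s safe: %s\n",
        json_encode($get['g_id'] ?? null),
        json_encode($unsafe['g_id']),
        $ok ? 'stored ' . $safe['g_id'] : 'rejected');
}
```

The post's first point has since been settled by PHP itself: register_globals has been off by default since PHP 4.2 and was removed in 5.4, so on any current release the remaining way for request data to reach the session is the one modelled here, a script that copies it in without validating it. Validating at the boundary, as store_group_safe() does, is what lets the rest of the application treat $_SESSION as trusted.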