On Friday, June 7, 2002, at 12:32 PM, Jeff Field wrote:
> I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> cookie on my own server, not in the cookie that is sent to the user to
> maintain sessions. The cookie sent
> To: PHP List
> Subject: Re: [PHP] Access control question - follow-up question
>
>
> On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> >
> > In regards to "Passing/testing the password on each page is
> > unnecessary and poses security risks."
On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
>
> In regards to "Passing/testing the password on each page is unnecessary and
> poses security risks.", I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> co
, I'm a little
unclear as to the security risk. Have I got this right?
Thanks!
Jeff
> -Original Message-
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 10:42 AM
> To: PHP List
> Subject: Re: [PHP] Access control questio
You are also assuming that the session hasn't been hijacked.
Other things you can do are store the user's UserAgent in a session var
and check it on every page (session spoofer MIGHT be using a different
browser), and do likewise for IP address. Although remember that AOL
users will have pro
Hi Jeff:
On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote:
>
> Is it simply enough to just check that $_SESSION['user'] is present, and
> therefore, by that alone assume the user has logged in and should be granted
> access? Or, should I be verifying the $_SESSION['user'] and
> $_SESS