On Wed, 12 Feb 2003 17:07:16 +0000 "mario kulka" <[EMAIL PROTECTED]> wrote:
>
> Hi,
> I guess I'm lost again on this topic:(
> I'm basically trying the following:
> User logs in -> then he has a choice:
> 1. enter new record
> 2. edit old one
> Once taken to those new pages I somehow must keep the fact that he already
> logged in and at the same time forbid other people from a direct access to
> those pages (choices 1&2). I don't want to use cookies.

Without cookies it tends to be hard to do if you're doing it with a plain old
CGI application, and if you want it to be as safe as possible.

However: a way to do it is as follows;

Once the user logs in, you create a string like this:

    $user_ip.":".$user_login_name.":".$user_login_time

Then you make an MD5 hash out of that, or a SHA1 hash. You park this hash in a
hidden form field, and you also park $user_login_time in a hidden field, as
well as the $user_login_name variable. (Preferably concatenate the two together
and stick it in one field to obfuscate it some more for people viewing source)

On every request, you see whether the hash field contains data, if it does, the
user is logged in. You can then validate the hash by taking the same
information again, and re-creating the SHA1 hash. If both hashes match, the
user is who he says he/she is and you can show the forms.

Doing things like this without cookies tends to be hard; there is yet another
way around it but it's not real 'beginner' material and requires mod_perl and
an SQL database to function - let me know if you want me to explain that one.

--
Bernhard van Staveren  -  madcat(at)ghostfield.com
GhostField Internet  -  http://www.ghostfield.com/
"A witty saying proves nothing, but damn it's funny!" - me, 1998
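
Added example, not part of the original message: the token described above is built only from values the browser already holds (its own IP address, plus the login name and login time in the hidden fields), so this Perl example keeps the same three fields but keys the hash with a server-side secret via HMAC and rejects stale timestamps. `$SECRET`, `$MAX_AGE`, the function names and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex hmac_sha256_hex);

# Assumption: a server-side secret that never appears in any page or form.
my $SECRET  = 'replace-with-long-random-server-side-value';
my $MAX_AGE = 30 * 60;    # assumption: a login is honoured for 30 minutes

# Token as described in the message: plain hash of ip:login:time.
sub plain_token {
    my ($ip, $login, $time) = @_;
    return sha1_hex(join(':', $ip, $login, $time));
}

# Keyed variant: same fields, but only the holder of $SECRET can compute it.
sub keyed_token {
    my ($ip, $login, $time) = @_;
    return hmac_sha256_hex(join(':', $ip, $login, $time), $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Run on every request with the values read back from the hidden fields.
sub session_ok {
    my ($ip, $login, $time, $token, $now) = @_;
    return 0 unless defined($token) && defined($time) && $time =~ /\A\d+\z/;
    return 0 if $now < $time || $now - $time > $MAX_AGE;    # future-dated or expired
    return same_string(keyed_token($ip, $login, $time), $token);
}

# Constructed sample values (192.0.2.0/24 is a documentation address range).
my ($ip, $login, $t) = ('192.0.2.10', 'mario', 1045069636);
my $good = keyed_token($ip, $login, $t);
my @cases = (
    [ 'valid token',             $login,  $good,                          $t + 60   ],
    [ 'login field altered',     'admin', $good,                          $t + 60   ],
    [ 'unkeyed hash in field',   'admin', plain_token($ip, 'admin', $t),  $t + 60   ],
    [ 'valid token, after expiry', $login, $good,                         $t + 3600 ],
);
printf "%-26s %s\n", $_->[0], session_ok($ip, $_->[1], $t, $_->[2], $_->[3]) ? 'accept' : 'reject'
    for @cases;
```

Only the first case prints `accept`. The IP address still has to come from the server's view of the connection (`$ENV{REMOTE_ADDR}` under CGI), never from a form field.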