* Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> Murugesan,
>
> main.php:
> <?
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasn't been authorised, therefore redirect to login page

This is exactly why register globals is turned off by default now. This is a major security hole, I can simply put in the URL:

http://host/main.php?s_authed=1

And I would be considered authenticated, throughout the site.

Please turn register_globals off and use the $_SESSION variable to access your session vars.

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
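
The change the reply asks for, as an added example that is not part of the original message: the authentication flag is written and read only through $_SESSION, with register_globals off. The helper names and login.php are assumptions; the session name and the s_authed key come from the quoted code.

```php
<?php
// Added example, not code from the thread. Assumes register_globals is off.
// start_app_session(), mark_authenticated(), require_login() and login.php
// are hypothetical names chosen for this illustration.

function start_app_session(): void
{
    session_name("mysessionname");   // same session name as the quoted main.php
    session_start();
}

// Call from the login handler only after the application's own
// credential check has succeeded.
function mark_authenticated(): void
{
    session_regenerate_id(true);     // issue a fresh session id at login
    $_SESSION['s_authed'] = true;    // written by server-side code only
}

// Call at the top of main.php and every other protected page.
function require_login(): void
{
    // A request for main.php?s_authed=1 puts the value in $_GET['s_authed'].
    // $_SESSION is loaded from the server-side session store, so the URL
    // parameter cannot set this key.
    if (!isset($_SESSION['s_authed']) || $_SESSION['s_authed'] !== true) {
        header('Location: login.php');
        exit;                        // stop so the protected body never runs
    }
}

// main.php
start_app_session();
require_login();
echo "protected content";
```

The strict `=== true` comparison means only the boolean stored by mark_authenticated() passes the check, and the `exit` after the redirect keeps the rest of the page from being sent to a client that ignores the Location header.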