* Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> Murugesan,
> 
> main.php:
> <?
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasn't been authorised, therefore redirect to login page

This is exactly why register globals is turned off by default now.

This is a major security hole: I can simply put in the URL:
  http://host/main.php?s_authed=1

And I would be considered authenticated, throughout the site.

Please turn register_globals off and use the $_SESSION variable to
access your session vars.


Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
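As an added illustration (not code from the thread or from either poster), the quoted main.php rewritten so the access check reads only from the server-side session, with an assumed login.php path that is the only place the flag is set. The key name `s_authed` and the session name come from the quoted message; `credentials_ok()` and `/login.php` are assumptions.

```php
<?php
declare(strict_types=1);

// --- main.php (hardened) ---------------------------------------------------
// The quoted check relied on register_globals: $s_authed could be injected from
// the query string (?s_authed=1). Here the flag is read only from $_SESSION,
// which request parameters cannot populate.

function isAuthed(array $session): bool
{
    // Strict comparison: a tampered or stale non-boolean value is rejected.
    return isset($session['s_authed']) && $session['s_authed'] === true;
}

// Defensive check for old PHP builds where the directive still exists: refuse
// to run if register_globals is enabled (ini_get returns "" / false when unset).
if (ini_get('register_globals')) {
    trigger_error('register_globals must be disabled', E_USER_ERROR);
}

session_name('mysessionname');
session_start();

if (!isAuthed($_SESSION)) {
    // Not authorised: redirect to the login page and stop processing.
    header('Location: /login.php', true, 302);
    exit;
}

echo 'Welcome, authenticated user.';

// --- login.php (assumed, shown for completeness) -----------------------------
// credentials_ok() is an assumed helper that verifies the submitted username
// and password against the user store. Only a successful check sets the flag,
// and the session id is regenerated first so a pre-set id cannot be reused.
function login(string $user, string $pass): bool
{
    if (!credentials_ok($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['s_authed'] = true;
    return true;
}
```

With this layout a request to `main.php?s_authed=1` still lands on the login page, because `$_GET` never reaches `isAuthed()`.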
