>>At some point, the user is going to have to be responsible for his/her own
>>actions. After all, I can log into my bank's Web site and then let someone
>>else use my computer, and there's no way my bank can prevent it.
Sure the bank can prevent it, or otherwise my bank would never use the
website in the first place.  My bank doesn't use PHP, it uses Java and,
surprisingly, it works very well.

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > Is there a really good way to use PHP Session to tell whether the
> > user is an authorized user or not?
>
> Yes, there are many good ways, and I'm sure I'm not even aware of many of
> them.
>
> > I see one problem here. Let's say the user tries to access certain
> > webpages that are unauthorized; then I get to kick the user out. But
> > when the user logs in, we assign a session token to it, and then
> > the user becomes an authorized user. That's where I have a problem
> > here.
>
> I don't understand your concern...
>
> > Suppose the user closes the browser window without logging off,
> > or uses the existing session id when firing up the browser or in
> > another browser (sort of like copying and pasting the URL address from
> > one browser to another). There, the user will still be an authorized
> > user without logging in. This is something that doesn't need to happen.
>
> So, you're worried that a user who doesn't log out will still be logged
> in?
>
> At some point, the user is going to have to be responsible for his/her own
> actions. After all, I can log into my bank's Web site and then let someone
> else use my computer, and there's no way my bank can prevent it.
>
> Session cookies (those with no expiration date set) are expired whenever
> the browser is closed, so that eliminates the concern about a cookie being
> used to continue a session. Using a session identifier in the URL will
> work, but you can easily tell if it's a different browser as you describe,
> so you can do whatever you want when that happens (ask them to enter their
> password again, require them to completely log in again, etc.).
>
> My advice would be to read more about sessions in the PHP manual. There is
> no substitute for a good understanding about what PHP is doing for you.
> Also, there is a free article on session security that you can find here:
>
> http://www.phpmag.net/ssl/phppdf/
>
> Hope that helps.
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security Handbook
>      Coming mid-2004
> HTTP Developer's Handbook
>      http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
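The session handling Chris describes (a cookie-only session that is discarded when the browser closes, and forced re-authentication when the session appears to have moved to another browser) as an added PHP example; this is not code from the thread. `require_auth()`, `login_user()`, `logout_user()` and `/login.php` are assumed names, the array form of `session_set_cookie_params()` needs PHP 7.3 or later, and the User-Agent fingerprint is only a weak heuristic.

```php
<?php
// Added example (not from the thread): a minimal PHP session gate that
// implements the advice above. Assumed names: require_auth(), login_user(),
// logout_user(), and /login.php as the login page.

// Session cookie only (lifetime 0 => no Expires => dropped when the browser
// closes), never accept an id from the URL, and reject ids we did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

const IDLE_LIMIT = 900; // seconds of inactivity before a fresh login is required

// Client fingerprint: a cheap check that the session is being used from the
// same browser it was created in. It can be spoofed, so treat it as a
// tripwire that triggers re-authentication, not as a guarantee.
function client_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call this only after your own code has verified the password.
function login_user(int $userId): void {
    session_regenerate_id(true);          // discard the pre-login id
    $_SESSION['auth'] = true;
    $_SESSION['user_id'] = $userId;
    $_SESSION['fp'] = client_fingerprint();
    $_SESSION['last_seen'] = time();
}

function logout_user(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Put at the top of every protected page. Returns the user id on success;
// otherwise destroys the session and sends the visitor back to the login form.
function require_auth(): int {
    $ok = ($_SESSION['auth'] ?? false) === true
        && ($_SESSION['fp'] ?? '') === client_fingerprint()
        && (time() - ($_SESSION['last_seen'] ?? 0)) <= IDLE_LIMIT;
    if (!$ok) {
        logout_user();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```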
