--- Andy B <[EMAIL PROTECTED]> wrote:
> I run into the deal where most login scripts check to see if
> $_SESSION[username] or a $_SESSION var has been set or is valid.
> I noticed this could be a very bad thing because there is nothing
> stopping an outside link from doing something like:
> <a
> href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password">go
> to secure page</a>
> and being valid (that is if they manage to hack the user/pwd)...

Not to be rude, but it looks like you're just making stuff up. Did you try this?

The $_SESSION array is "safe" in the sense that a user cannot directly manipulate it.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
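
The behaviour discussed in this exchange can be checked from the command line. The script below is an added example, not code from either poster: it feeds the query string from the quoted link through the same parsing PHP applies to request data and compares the result with a freshly started session. It assumes PHP 7 or later run from the CLI; the function name is_logged_in() and the user name "andy" are hypothetical.

```php
<?php
// Added example (not from the original thread). Run with: php session_check.php

// Query string taken from the link in the quoted message.
$query = '_SESSION[username]=admin&_SESSION[pwd]=password';

// PHP builds $_GET from the query string with the same bracket rules
// that parse_str() uses, so this models the incoming request.
parse_str($query, $params);
$_GET = $params;

// Start a real session. No session cookie is presented, so PHP creates
// a new, empty server-side session. The temp dir is used so the CLI
// run does not depend on the configured session.save_path.
session_save_path(sys_get_temp_dir());
session_start();

// Hypothetical login check of the kind the quoted message describes.
function is_logged_in(): bool
{
    return isset($_SESSION['username']) && $_SESSION['username'] !== '';
}

echo "Request data (\$_GET):\n";
var_dump($_GET);              // the "_SESSION" key is ordinary request data

echo "Session data (\$_SESSION):\n";
var_dump($_SESSION);          // the server-side store, untouched by the request

echo "Login check with only the crafted query string:\n";
var_dump(is_logged_in());

// Only server-side code writes to the session, for example after the
// application has verified credentials itself.
$_SESSION['username'] = 'andy';   // constructed value
echo "Login check after the server sets the session value:\n";
var_dump(is_logged_in());

// Clean up the session file created for this run.
session_destroy();
```

The parameter named _SESSION ends up as a nested array inside $_GET and never reaches $_SESSION, so a check written against $_SESSION is not satisfied by the link.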