I am using PHP with register_globals ON... since I don't have access to the host environment.

The way I use sessions is:

<?php
session_start();

// ........ do some database connection and checking here .....

if (condition is met) {
    $_SESSION['valid_user'] = $_POST['login'];
}

Is this approach safe? Please let me know. Also I use if (isset($_SESSION['valid_user'])) to check if the user is logged in on secure pages.
Please comment.



Thanks in advance,
Pushpinder Singh
Web Dev
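As an added illustration (not the poster's code, and not from the PHP project), the same session login pattern written so that it does not rely on register_globals: the logged-in marker is only ever written server-side after the credential check, the session id is regenerated at login, and secure pages test $_SESSION rather than a bare global. verify_credentials() is a hypothetical stub standing in for the poster's database check.

```php
<?php
declare(strict_types=1);

session_start();

// Hypothetical stand-in for the database lookup: returns the user id on
// success, null on failure. Replace with the real check.
function verify_credentials(string $login, string $password): ?int
{
    return null;
}

function login_user(string $login, string $password): bool
{
    $userId = verify_credentials($login, $password);
    if ($userId === null) {
        return false;
    }
    // Discard any session id the browser arrived with before marking the
    // session authenticated (guards against session fixation).
    session_regenerate_id(true);
    // Written only here, from a verified value; never copied from $_GET/$_POST.
    $_SESSION['valid_user'] = $userId;
    $_SESSION['login_time'] = time();
    return true;
}

function require_login(): void
{
    // With register_globals ON, a check such as "if ($valid_user)" could be
    // satisfied by ?valid_user=1. Checking $_SESSION avoids that: a query string
    // like ?_SESSION[valid_user]=admin lands in $_GET['_SESSION'], not here.
    if (!isset($_SESSION['valid_user'])) {
        header('Location: login.php');
        exit;
    }
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed form handling: field names 'login' and 'password' are assumed.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['login'], $_POST['password'])) {
    $ok = login_user((string) $_POST['login'], (string) $_POST['password']);
}
```

Secure pages then call require_login() at the top instead of repeating the isset() test inline.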

On Tuesday, March 23, 2004, at 08:56 AM, Red Wingate wrote:

hi,

securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password

would not register 'username' and 'pwd' in the $_SESSION array but
in the $_GET and $_REQUEST arrays, like:

$_GET['_SESSION']['username'] => 'admin'

There is no way to inject any kind of data into the superglobal arrays at all.

Hope this helps,
   red

On Tuesday, 23 March 2004 14:45, Andy B wrote:
hi

In an attempt to create a login system for site administrators on a website,
I ran into the following problem that bothers me because I can't find any
way to fix it.


Problem:
Most login scripts/systems I look at for examples on how to make a login
section from sessions (allow the administrator to go between login-required
pages and also be able to go to public pages) without having to log in again
(the only way an administrator has to "log in again" is if they close the
browser on that site)...


I run into the deal where most login scripts check to see if
$_SESSION[username] or a $_SESSION var has been set or is valid. I noticed
this could be a very bad thing because there is nothing stopping an outside
link from doing something like: <a
href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password">go to
secure page</a> and being valid (that is, if they manage to hack the
user/pwd)...


Any ideas how to create such a system?

Any ways around that? I need a system that will not do that.

-- PHP General Mailing List (http://www.php.net/)
