Alain Roger wrote:
> I already started to use SSL, but I do not understand how to keep it
> running.
> I mean after the user has been authenticated and authorized to go further,
> all the next web pages are opened using the PHP location(https://...); command.
> However, it does not certify that it cannot be faked by just typing
> https://another_webpage.php into the browser address bar.
> For example:
> 1. My login page is called "index.php" and it is accessible only by
> https. If the user types http://../index.php, index.php redirects itself
> to https://.../index.php.
> 2. The user types logon and password.
> 3. The application checks it against information stored in the DB and authorizes
> the user to go further, so a session is created and the user is redirected to
> https://.../welcome.php
> What stops a hacker from directly typing https://.../welcome.php?
> How can I be sure that it works correctly as in my example?
There is absolutely nothing stopping a "hacker" or a regular user from
doing that (not everyone that does that is trying to break your site).
It's up to you, as the developer, to check in welcome.php, and any other
page that requires a user to be logged in, that a user is logged in.
So, to sum up, every page that needs the user to have logged in needs to
check that a user has logged in, and redirect to the login page if not.
Hope that makes it clear.
-Stut
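
The per-page check described in the reply above, as an added example that is not part of the original thread. The file name auth.php, the functions start_secure_session(), require_login() and mark_logged_in(), and the session key 'user_id' are assumptions chosen for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// auth.php: shared include for index.php, welcome.php and every other
// protected page. All names here are hypothetical, not from the thread.

// Start the session with a cookie the browser only sends over HTTPS.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'secure'   => true,  // never send the session cookie over plain HTTP
            'httponly' => true,  // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call at the top of every page that requires a logged-in user,
// before any output is sent.
function require_login(): void
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        // No authenticated session: send the visitor back to the login page.
        header('Location: /index.php');
        exit; // without this the rest of the protected page would still run
    }
}

// Call from index.php only after the logon and password have been
// verified against the database.
function mark_logged_in(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true); // fresh session id at login, drops the old one
    $_SESSION['user_id'] = $userId;
}

// welcome.php would then begin with:
//   require __DIR__ . '/auth.php';
//   require_login();
//   echo 'Welcome, user #' . (int) $_SESSION['user_id'];
```

Typing https://.../welcome.php directly still reaches the script, but require_login() finds no 'user_id' in the session and redirects before any protected content is produced.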