On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:
> On May 29, 2013, at 7:11 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>
> > Hello list,
> >
> > I've created an authentication page (index.php) that logs into an LDAP
> > server, then points you to a second page that some folks are intended to
> > use to request apache redirects from the sysadmin group (redirect.php).
> >
> > Everything works great so far, except if you pop the full URL of
> > redirect.php into your browser you can hit the page regardless of the login
> > process on index.php.
> >
> > How can I limit redirect.php so that it can only be reached once you login
> > via the index page?
> >
> > Thank you!
> > Tim
> >
> > --
> > GPG me!!
>
> Try this:
>
> http://sperling.com/php/authorization/log-on.php
I realize this is example code. My question is, in a real application where that $_SESSION['auth'] token would be used subsequently to gain entry to other pages, what would you use instead of the simple TRUE/FALSE value? It seems that someone (with far more knowledge of hacking than I have) could rather easily hack the session value to change its value. But then again, I pretty much suck when it comes to working out how you'd "hack" (crack) things.

Paul

--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
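The following is an added example, not code from this thread and not Tedd's log-on.php. It shows the pattern Tim asked about (index.php binds to LDAP, redirect.php refuses to serve until that login has happened) and addresses Paul's question about the session value. The contents of $_SESSION live on the server; the browser only holds the session ID cookie, so a visitor cannot edit $_SESSION['auth'] directly. What a visitor can do is present someone else's session ID (hijacking) or plant one in advance (fixation), so the example regenerates the ID at login, sets Secure/HttpOnly cookie flags, records who logged in and when rather than a bare TRUE, and expires the login. The LDAP host, base DN and page names are assumptions for illustration; the empty-password check matters because many directories treat a bind with an empty password as a successful anonymous bind.

```php
<?php
// auth.php - added example (assumed file name); not the thread's own code.
declare(strict_types=1);

const LOGIN_PAGE  = '/index.php';      // assumed
const LDAP_URI    = 'ldaps://ldap.example.com';   // assumed host
const LDAP_BASE   = 'ou=people,dc=example,dc=com'; // assumed base DN
const SESSION_TTL = 3600;              // seconds a login stays valid

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Simple bind as the user: the directory checks the password for us.
function ldap_authenticate(string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false; // an empty password would become an anonymous bind
    }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the username so it cannot inject extra DN components.
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_close($ds);
    return $ok === true;
}

// Called by index.php after the form is submitted.
function login_user(string $username, string $password): bool
{
    start_secure_session();
    if (!ldap_authenticate($username, $password)) {
        return false;
    }
    // Fresh session ID on privilege change: defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['auth'] = [
        'user'     => $username,
        'login_at' => time(),
    ];
    return true;
}

// Called at the top of redirect.php (and any other protected page).
function require_login(): array
{
    start_secure_session();
    $auth = $_SESSION['auth'] ?? null;
    if (!is_array($auth) || !isset($auth['user'], $auth['login_at'])
        || time() - (int) $auth['login_at'] > SESSION_TTL) {
        // Not logged in, or login too old: drop the session and bounce to the form.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_PAGE, true, 303);
        exit;
    }
    return $auth;
}

function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}

// redirect.php would then start with:
//   require __DIR__ . '/auth.php';
//   $auth = require_login();
//   echo 'Logged in as ' . htmlspecialchars($auth['user'], ENT_QUOTES, 'UTF-8');
```

Because require_login() runs before any output and exits on failure, typing the full URL of redirect.php without a valid session only produces a redirect back to index.php. The value stored under $_SESSION['auth'] is never trusted as a bare flag: the page checks that it is an array with the expected keys and that the login is recent, and it re-reads the user name from the session rather than from anything the client sent.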