On 30 May 2013, at 05:05, Paul M Foster <pa...@quillandmouse.com> wrote:

> On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:
> 
>> On May 29, 2013, at 7:11 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>> 
>>> Hello list,
>>> 
>>> I've created an authentication page (index.php) that logs into an LDAP
>>> server, then points you to a second page that some folks are intended to
>>> use to request apache redirects from the sysadmin group (redirect.php).
>>> 
>>> Everything works great so far, except if you pop the full URL of
>>> redirect.php into your browser you can hit the page regardless of the login
>>> process on index.php.
>>> 
>>> How can I limit redirect.php so that it can only be reached once you login
>>> via the index page?
>>> 
>>> Thank you!
>>> Tim
>>> 
>>> -- 
>>> GPG me!!
>> 
>> Try this:
>> 
>> http://sperling.com/php/authorization/log-on.php
> 
> I realize this is example code.
> 
> My question is, in a real application where that $_SESSION['auth'] token
> would be used subsequently to gain entry to other pages, what would you
> use instead of the simple TRUE/FALSE value? It seems that someone (with
> far more knowledge of hacking than I have) could rather easily hack the
> session value to change its value. But then again, I pretty much suck
> when it comes to working out how you'd "hack" (crack) things.
> 
> Paul
> 
> -- 
> Paul M. Foster
> http://noferblatz.com
> http://quillandmouse.com
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

$_SESSION values are quite secure, as they are set on the server; only you can 
control what's inside them. What can be hacked is the authentication process 
or some script that sets session values. There is also a way of hijacking a 
session, but again: its values aren't changed by some PHP script; the session 
is being hijacked. Don't pass URLs with the session ID within them and you'll 
be safe. 

Greetings. 

Sent from my iPhone 6 Beta [Confidential use only]
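One way to build the gate Tim asked for, and to apply the "keep the session ID out of URLs" advice above, as an added example: this is not code from the thread, nor from the log-on.php page Tedd linked. The file name auth_guard.php, the DN template, the 30-minute idle timeout and PHP 7 or later are all my assumptions. It also stores the user name rather than a bare TRUE, which answers Paul's question in passing: the value never leaves the server, so what matters is who can make the login code set it.

```php
<?php
// auth_guard.php  (hypothetical file name; added example, not the thread's code)
//
// require_once this file at the very top of every protected page, before any
// output is sent, then call require_login(). Assumes PHP 7.0 or later.

// Session hardening. These are php.ini settings; ini_set() only takes effect
// when called before session_start().
ini_set('session.use_only_cookies', '1'); // ignore a session ID in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (fixation)
ini_set('session.cookie_httponly', '1');  // keep the cookie away from JavaScript
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1'); // send the cookie only over TLS
}
session_start();

const AUTH_IDLE_TIMEOUT = 1800; // assumed 30-minute idle timeout

/** Record a successful login. Call ONLY after the LDAP bind succeeded. */
function login_user(string $username): void
{
    // Issue a fresh session ID so an ID handed out (or planted by an attacker)
    // before login is worthless afterwards; true also deletes the old session.
    session_regenerate_id(true);
    $_SESSION['auth_user'] = $username; // who is logged in, not just TRUE
    $_SESSION['auth_time'] = time();
}

/** Redirect to the login page unless this session carries a live login. */
function require_login(string $loginPage = '/index.php'): void
{
    $ok = isset($_SESSION['auth_user'], $_SESSION['auth_time'])
        && is_string($_SESSION['auth_user']) && $_SESSION['auth_user'] !== ''
        && (time() - (int) $_SESSION['auth_time']) <= AUTH_IDLE_TIMEOUT;
    if (!$ok) {
        logout_user();
        header('Location: ' . $loginPage, true, 302);
        exit; // header() alone does not stop the rest of the page from rendering
    }
    $_SESSION['auth_time'] = time(); // sliding expiry
}

/** Destroy the session and its cookie. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * Authenticate by binding to LDAP as the user. $dnTemplate is an assumption,
 * e.g. 'uid=%s,ou=people,dc=example,dc=com'. Returns true only on a real bind.
 */
function ldap_login(string $uri, string $dnTemplate, string $username, string $password): bool
{
    // An empty password turns a simple bind into an anonymous bind, which most
    // directories accept: that would "log in" anybody. Refuse it up front.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $dn = sprintf($dnTemplate, ldap_escape($username, '', LDAP_ESCAPE_DN));
    $bound = @ldap_bind($conn, $dn, $password); // @ silences the warning on bad credentials
    ldap_unbind($conn);
    return $bound === true;
}

// Usage (assumed file layout):
//
// index.php, after reading the form:
//   require_once __DIR__ . '/auth_guard.php';
//   $user = $_POST['user'] ?? ''; $pass = $_POST['pass'] ?? '';
//   if (ldap_login('ldaps://ldap.example.com', 'uid=%s,ou=people,dc=example,dc=com', $user, $pass)) {
//       login_user($user);
//       header('Location: /redirect.php', true, 302);
//       exit;
//   }
//
// redirect.php, first two lines:
//   require_once __DIR__ . '/auth_guard.php';
//   require_login();
```

With this in place, pasting the full URL of redirect.php into a browser without having logged in just bounces you to index.php, because the guard runs before the page emits anything. The session ID itself only travels in the cookie, so the hijacking route the reply warns about (an ID leaking through a link, a referrer or a proxy log) is closed, and use_strict_mode stops an attacker from pre-seeding a session ID of their choosing.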
