so set an md5() of each user name as "yes".
islogged=Ehyfoa74a23gfd
or whatever is good i think. but sessions are the most secure way, so think
about both (sessions and cookies) and decide what you really need.

you have linux?
you could make an .htaccess, and make real users with no bash, and let them
login with real usernames and passwords.

windows?
on win2k you could do this too. but be sure to not grant access to local
hd's. major security risk...

"Stefan Rusterholz" <[EMAIL PROTECTED]> wrote in message
news:009f01c16d13$bfd6b4d0$3c01a8c0@quasimodo...
> I don't think this is a secure method.
> If I do only a little effort and find out that it's this variable $islogged
> which has to be set to "yes" (or whatever) I can gain access by simply typing
> into the browser's address bar
> "www.yourdomain.com/theFileIWantToGo.php?islogged=yes" and I will gain
> access.
>
> I'm sorry, but I can't tell you a better way to do it.
>
> Stefan Rusterholz, [EMAIL PROTECTED]
> ----------------------------------
> interaktion gmbh
> Stefan Rusterholz
> Zürichbergstrasse 17
> 8032 Zürich
> ----------------------------------
> T. +41 1 253 19 55
> F. +41 1 253 19 56
> W3 www.interaktion.ch
> ----------------------------------
>
> ----- Original Message -----
> From: "Daniel Masur" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 14, 2001 2:33 PM
> Subject: [PHP] Re: Login/Security Problem
>
>
> > set a cookie, and delete it with a logout button or when the user leaves
> > your domain
> >
> >
> > "Joe Van Meer" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi there. I'm new to php and would like some insight on securing a
> > > website.
> > > Upon successful login to my site (checks against database for username and
> > > password) I assign a session variable called '$islogged' to 'yes'. On all
> > > other pages throughout my site I use the following code to determine if
> > > this variable is set, and if not redirect them to the login page.
> > >
> > > if($islogged == "no"){
> > >
> > > header("Location:index.php");
> > > }
> > > elseif(EMPTY($islogged))
> > > {
> > > header("Location:index.php");
> > > }
> > >
> > >
> > > This seems to work, however, if I close out my browser and say type in
> > > main.php (this page has the above code) in the address bar I can still
> > > access the page. How can I fix this? Is there something else I could be
> > > doing to improve the functionality?
> > > Any insights would greatly be appreciated.
> > >
> > > Cheers Joe:)
> > >
> > >
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
> >
> >
>
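
A session-based guard for the pages discussed in this thread, added here as an example and not written by any of the posters: it reads login state only from `$_SESSION`, so `?islogged=yes` in the URL has no effect, and it stops the script after the redirect. Assumptions: PHP 7.3+, the site is served over HTTPS, and the names `user_id`, `require_login()`, `log_in()` and `log_out()` are hypothetical.

```php
<?php
// auth_guard.php - added example; function names and 'user_id' are hypothetical.

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumes HTTPS; cookie is never sent over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function is_logged_in(array $session): bool
{
    // Trust only server-side session data, never $_GET/$_POST/$_COOKIE
    // or a bare global such as $islogged.
    return isset($session['user_id']) && is_int($session['user_id']);
}

function require_login(): void
{
    // Call at the top of every protected page, before any output.
    start_secure_session();
    if (!is_logged_in($_SESSION)) {
        header('Location: index.php');
        exit; // header() alone does not stop the script; the page would still run
    }
}

function log_in(int $userId): void
{
    // Call only after the username/password check against the database succeeds.
    start_secure_session();
    session_regenerate_id(true); // fresh session id, so a pre-login id is useless
    $_SESSION['user_id'] = $userId;
}

function log_out(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy(); // remove the server-side session data as well
}
```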


