You could assign a randomly generated confirmation code to the link

for example
http://yoursitel.com/membershipconfirm.php?user=jsheets&confirmid=1238D7adfda

Then when the user hits that link, have membershipconfirm.php check the
database to confirm the user and the confirmid; if it matches, remove that
entry from the database and finish setting up the user account.  Now if
another user hits that page the confirmid will be invalid and they will not
get access.

I would make the confirmation page a form that asks the user to enter their
username and confirmation id, then auto-populate the fields with the values
from the URL; that way, if the user's email client mangles the URL, they can
still type it in manually.

Jason
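The flow Jason describes (random confirmid in the link, check against the database, delete the entry on a match, form pre-filled from the URL) as an added PHP example; this is not code from the thread. It assumes PHP 7+ (for random_bytes and hash_equals), PDO, and a hypothetical two-table schema given in the comments; the SQLite DSN is a placeholder.

```php
<?php
// Added example, not from the original thread. Assumed (hypothetical) schema:
//   CREATE TABLE pending_confirmations (username TEXT PRIMARY KEY, token_hash TEXT, created_at TEXT);
//   CREATE TABLE users (username TEXT PRIMARY KEY, active INTEGER DEFAULT 0);

// Step 1: at registration time mint a random confirmid, store only its hash,
// and put the raw value in the e-mailed link.
function createConfirmationLink(PDO $db, string $username, string $baseUrl): string {
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, 32 hex chars
    $stmt = $db->prepare(
        'INSERT INTO pending_confirmations (username, token_hash, created_at) VALUES (?, ?, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([$username, hash('sha256', $token)]);
    return $baseUrl . '/membershipconfirm.php?user=' . rawurlencode($username) . '&confirmid=' . $token;
}

// Step 2: membershipconfirm.php. Only the POST from the form consumes the
// confirmid; the GET from the e-mail link merely pre-fills the form. Once the
// pending row is deleted, the same link replayed from browser history fails.
function confirmAccount(PDO $db, string $username, string $token): bool {
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('SELECT token_hash FROM pending_confirmations WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // hash_equals compares in constant time; both sides are 64-char sha256 hex strings
        if ($row === false || !hash_equals($row['token_hash'], hash('sha256', $token))) {
            $db->rollBack();
            return false;
        }
        // The confirmid is single-use: remove it, then activate the account.
        $db->prepare('DELETE FROM pending_confirmations WHERE username = ?')->execute([$username]);
        $db->prepare('UPDATE users SET active = 1 WHERE username = ?')->execute([$username]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// --- request handling for membershipconfirm.php ---
$db = new PDO('sqlite:' . __DIR__ . '/members.db');   // placeholder DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = confirmAccount($db, $_POST['user'] ?? '', $_POST['confirmid'] ?? '');
    // Confirmation does not log the user in; they authenticate normally afterwards.
    echo $ok ? 'Account confirmed. Please log in.' : 'Invalid or already-used confirmation code.';
    exit;
}

// GET: show the form pre-filled from the URL so a mangled link can be corrected by hand.
$user = htmlspecialchars($_GET['user'] ?? '', ENT_QUOTES, 'UTF-8');
$code = htmlspecialchars($_GET['confirmid'] ?? '', ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="membershipconfirm.php">
  <label>Username <input name="user" value="<?= $user ?>"></label>
  <label>Confirmation code <input name="confirmid" value="<?= $code ?>"></label>
  <button type="submit">Confirm</button>
</form>
```

Two design points worth noting: the database holds only a hash of the confirmid, so a leaked table does not yield usable links, and confirming the account never starts a session, so the history entry Andy worries about is a dead link rather than a login.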

-----Original Message-----
From: andy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: [PHP] closing a security hole on user accounts possible? -
confirming accounts - history function


Hi there,

is it possible to block hackers from stealing a session with the history
function of the browser?

Example:

A user registers and receives a confirm e-mail. He confirms and closes
all browser windows. He leaves.
Another user comes to this computer, opens the browser and the history, and
clicks on the confirm link.

Boom!! He has the session and is able to do all the stuff the other one can.

How could I close this security hole? Is there a work around?

Thanx,

Andy



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
