Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Style|warrioR

I'm not quite sure if this is the perfect way 'cause I'm pretty new to this
session stuff, too.
But my version looks like this:

[login.php]
a form with username and password field.
submit --> auth.php


[auth.php]
check if username and password are ok (from a text file or your mysql
database) [yes|no]
[no] - echo "bad login or password."; exit;
[yes] - start a session, save username and password in session vars,
redirect to userpage


let's say your userpages look like aUsername_blah.php


[aUsername_blah.php]
include a script on every userpage that checks if login and password are
correct [yes|no]
[no] - redirect to login.php
[yes] - display page


comments appreciated :)
.andi






Arash Dejkam [EMAIL PROTECTED] wrote in message:
9guhbf$msi$[EMAIL PROTECTED]
 Hi,

 I want to use PHP session manager but I have some problems,

 I want the session start in a login page so I do this for example:

 after authenticating...
 session_start();
 session_register("username");

 then I want the user to be able to see his own pages, what do I have to do
 in those pages?

 simply check $username and bring up the user's page ? but this makes it
 possible for any hacker to send a cookie with username and see that page. I
 know that PHP stores a unique random number for each session but how can I
 check that it matches with the number in the cookie.

 help me please I'm really confused !

 Thanks

 Arash Dejkam





 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 To contact the list administrators, e-mail: [EMAIL PROTECTED]








Re: [PHP] PHP authenticating and session management

2001-06-22 Thread Style|warrioR

Interesting question! I'm also interested in it, 'cause I read somewhere
that it's possible to kidnap sessions...




Bass??? [EMAIL PROTECTED] wrote in message:
9gvt89$pi5$[EMAIL PROTECTED]
 I have a Q.
 Will the session ID be stolen by a hacker when the ID transfers between client
 and server ?
 Then can the hacker send the ID to the server and view the user's page ?


 Jason Stechschulte [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
   simply check $username and bring up the user's page ? but this makes it
   possible for any hacker to send a cookie with username and see that page. I
   know that PHP stores a unique random number for each session but how can I
   check that it matches with the number in the cookie.
 
 
  Why not just check for username this way:
 
  <?php
  // True only if "username" was registered in this visitor's server-side session
  if (session_is_registered("username")) {
      // Do stuff
  }
  ?>
 
  Then username has to be registered as a session variable so any hacker
  (sic) can't just send a username to see that page.
 
  --
  Jason Stechschulte
  [EMAIL PROTECTED]
  --
  echo Your stdio isn't very std.
   -- Larry Wall in Configure from the perl distribution
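
An added example, not code from any poster in this thread: the login.php / auth.php / user-page flow described above, written so that the cookie carries only the random session ID (which PHP itself matches against its server-side store) and the session holds the verified username but not the password. It assumes PHP 7.4 or later and a site served over HTTPS; the function names and the one-entry user store are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample store; a real site would look the hash up in its database.
function user_store(): array {
    static $users = null;
    return $users ??= ['arash' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
}

// Call at the top of auth.php and of every user page, before any output.
function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');   // ignore session IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'httponly' => true,    // cookie is not readable from page scripts
        'secure'   => true,    // cookie is sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// auth.php: verify the credentials once, then keep only the identity.
function login(string $user, string $pass): bool {
    $hash = user_store()[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);     // fresh ID at login; the pre-login ID stops working
    $_SESSION['username'] = $user;   // stored server-side; the password is not kept
    return true;
}

// Included by every user page: returns the logged-in name or redirects.
function require_login(): string {
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit;
    }
    // Choose what to display from this value, not from a request parameter or cookie.
    return $_SESSION['username'];
}
```

A user page would call `start_secure_session()` and then `require_login()` before producing any output.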
 