Try using $HTTP_SESSION_VARS[], by the way. If hacks can find out the user-pass combination, they can just use the normal way of logging in ;-)
"Andy B" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] hi in an attempt to create a login system for site administrators on a website i come into the following problem that bothers me because i cant find any way to fix it. problem: most login scripts/systems i look at for examples on how to make a login section from sessions (allow the administrator to go between login required pages and also be able to go to public pages) without having to login again (the only way an administrator has to "login again" is if they close the browser on that site)... i run into the deal where most login scripts check to see if $_SESSION[username] or a $_SESSION var has been set or is valid. i noticed this could be a very bad thing because there is nothing stopping an outside link from doing something like: <a href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password">go to secure page</a> and being valid (that is if they manage to hack the user/pwd)... any ideas how to create such a system? any ways around that?? i need a system that will not do that -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php