Re: [PHP] closing a security hole on user accounts possible? - confirming accounts - history function

2002-04-03 Thread Andrew Brampton

This comes up on the list again and again.
Force the person to logout, so that the session is closed... check the posts
in the past week for other suggestions.

Andrew
- Original Message -
From: andy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 03, 2002 6:16 PM
Subject: [PHP] closing a security hole on user accounts possible? -
confirming accounts - history function


> Hi there,
>
> is it possible to block hackers from stealing a session with the history
> function of the browser?
>
> Example:
>
> A user registers and receives a confirm e-mail. He confirms and closes
> all browser windows. He leaves.
> Another user comes to this computer, opens the browser and the history, and
> clicks on the confirm link.
>
> Boom!! He has the session and is able to do all the stuff the other one can.
>
> How could I close this security hole? Is there a work around?
>
> Thanx,
>
> Andy
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php








RE: [PHP] closing a security hole on user accounts possible? - confirming accounts - history function

2002-04-03 Thread SHEETS,JASON (Non-HP-Boise,ex1)

You could assign a randomly generated confirmation code to the link

for example
http://yoursite.com/membershipconfirm.php?user=jsheets&confirmid=1238D7adfda

Then when the user hits that link have membershipconfirm.php check the
database, confirm the user and the confirmid, if it matches remove that
entry from the database and finish setting up the user account.  Now if
another user hits that page the confirmid will be invalid and they will not
get access.

I would make the confirmation page a form that asks the user to enter their
username and confirmation id, then auto-populate the fields with the values
from the URL, that way if the user's email client mangles the url they can
still type it in manually.

Jason

-Original Message-
From: andy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: [PHP] closing a security hole on user accounts possible? -
confirming accounts - history function


Hi there,

is it possible to block hackers from stealing a session with the history
function of the browser?

Example:

A user registers and receives a confirm e-mail. He confirms and closes
all browser windows. He leaves.
Another user comes to this computer, opens the browser and the history, and
clicks on the confirm link.

Boom!! He has the session and is able to do all the stuff the other one can.

How could I close this security hole? Is there a work around?

Thanx,

Andy




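The one-time confirmation code Jason describes, worked through as an added example (this is not code from the thread or from any poster): a random code is issued at registration, only its hash is stored, and the confirm page consumes the code the first time it is used, so a second visit from the browser history finds nothing to match. It is written for modern PHP (random_bytes, hash_equals, PDO) rather than the PHP of 2002, uses an in-memory SQLite table so it runs on its own, and the table, column and function names are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread): single-use account confirmation codes.
// Assumes PHP >= 7.0 with PDO + SQLite; table/column/function names are invented here.
declare(strict_types=1);

const CONFIRM_TTL = 24 * 3600; // how long a confirmation link stays valid (assumed policy)

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username        TEXT PRIMARY KEY,
        confirmed       INTEGER NOT NULL DEFAULT 0,
        confirm_hash    TEXT,
        confirm_expires INTEGER)');
    return $db;
}

// Called at registration. Returns the raw code that goes into the e-mail link;
// only a SHA-256 of it is stored, so a leaked database does not yield working links.
function issueConfirmCode(PDO $db, string $username): string {
    $code = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, not a guessable counter
    $stmt = $db->prepare('INSERT INTO users (username, confirm_hash, confirm_expires) VALUES (?, ?, ?)');
    $stmt->execute([$username, hash('sha256', $code), time() + CONFIRM_TTL]);
    return $code;
}

// Builds the link for the e-mail; http_build_query URL-encodes both parameters.
function confirmLink(string $username, string $code): string {
    return 'https://example.com/membershipconfirm.php?'
        . http_build_query(['user' => $username, 'confirmid' => $code]);
}

// The logic behind membershipconfirm.php. Returns true exactly once per code.
function confirmAccount(PDO $db, string $username, string $code): bool {
    $stmt = $db->prepare('SELECT confirm_hash, confirm_expires FROM users
                          WHERE username = ? AND confirmed = 0');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['confirm_hash'] === null) {
        return false; // unknown user, already confirmed, or code already consumed
    }
    if ((int)$row['confirm_expires'] < time()) {
        return false; // stale link: the user should request a fresh one
    }
    if (!hash_equals($row['confirm_hash'], hash('sha256', $code))) {
        return false; // wrong code; compared in constant time
    }
    // Confirm and delete the code in one statement so a concurrent or repeated
    // request cannot pass the checks above and succeed a second time.
    $upd = $db->prepare('UPDATE users SET confirmed = 1, confirm_hash = NULL, confirm_expires = NULL
                         WHERE username = ? AND confirmed = 0 AND confirm_hash IS NOT NULL');
    $upd->execute([$username]);
    if ($upd->rowCount() !== 1) {
        return false;
    }
    // Do not start a logged-in session from the link itself; send the user to the
    // login form. If a session must be started here, call session_regenerate_id(true).
    return true;
}

// Walk through the scenario from the thread.
$db   = openDb();
$code = issueConfirmCode($db, 'jsheets');
echo confirmLink('jsheets', $code), "\n";
var_dump(confirmAccount($db, 'jsheets', $code));   // the first click on the link
var_dump(confirmAccount($db, 'jsheets', $code));   // the same link again, as from the browser history
var_dump(confirmAccount($db, 'jsheets', 'wrong')); // a guessed code
```

In the real membershipconfirm.php the username and code would come from the request (the pre-filled form Jason suggests works the same way whether the values arrive in the URL or are typed in), and the page would redirect to the login form on success rather than handing out a session. The two things that close the history-replay hole are that the code is deleted when it is used and that the link never logs anyone in by itself.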




Re: [PHP] closing a security hole on user accounts possible? - confirming accounts - history function

2002-04-03 Thread Jason Wong

On Thursday 04 April 2002 01:21, Andrew Brampton wrote:
> This comes up on the list again and again.
> Force the person to logout, so that the session is closed... check the
> posts in the past week for other suggestions.

It was the very same Andy who asked a similar question last week :)


-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk

/*
Woman on Street:Sir, you are drunk; very, very drunk.
Winston Churchill:  Madame, you are ugly; very, very ugly.
I shall be sober in the morning.
*/
