Camilo Sperberg <unrea...@gmail.com> wrote:
> On 30 May 2013, at 05:05, Paul M Foster <pa...@quillandmouse.com> wrote:
>
> > On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:
> >
> >> On May 29, 2013, at 7:11 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
> >>
> >>> Hello list,
> >>>
> >>> I've created an authentication page (index.php) that logs into an LDAP
> >>> server, then points you to a second page that some folks are intended to
> >>> use to request apache redirects from the sysadmin group (redirect.php).
> >>>
> >>> Everything works great so far, except if you pop the full URL of
> >>> redirect.php into your browser you can hit the page regardless of the
> >>> login process on index.php.
> >>>
> >>> How can I limit redirect.php so that it can only be reached once you login
> >>> via the index page?
> >>>
> >>> Thank you!
> >>> Tim
> >>>
> >>> --
> >>> GPG me!!
> >>
> >> Try this:
> >>
> >> http://sperling.com/php/authorization/log-on.php
> >
> > I realize this is example code.
> >
> > My question is, in a real application where that $_SESSION['auth'] token
> > would be used subsequently to gain entry to other pages, what would you
> > use instead of the simple TRUE/FALSE value? It seems that someone (with
> > far more knowledge of hacking than I have) could rather easily hack the
> > session value to change its value. But then again, I pretty much suck
> > when it comes to working out how you'd "hack" (crack) things.
> >
> > Paul
>
> $_SESSION values are quite secure, as they are set on the server; only you can
> control what's inside them. What can be hacked is the authentication
> process or some script that sets session values. There is also a way of
> hijacking a session, but again: its values aren't changed by some PHP script,
> the session is being hijacked. Don't pass URLs with the session id within
> them and you'll be safe.
Looking back through the posts, I see I sent one without the link I intended.

Session variables can be secure enough (there will never be perfect security, just like there will never be completely safe sex), but you *do* have to take precautions.

This is the link I meant to send before:

http://www.php.net/manual/en/session.security.php

Very important reading.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
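A minimal version of the gate Tim asked for, following Camilo's advice (the session id travels only in a cookie, never in a URL) and regenerating the id at login so a hijacked pre-login session stays anonymous. This is an added example, not code from the thread or from the sperling.com or php.net pages; index.php and redirect.php are Tim's file names, while auth_check.php, the function names and the $_SESSION['user'] key are assumptions.

```php
<?php
// auth_check.php (assumed name): included first by every protected page.
// Added example, not code from the thread or the pages it links.

// Keep the session id out of URLs so links, logs and Referer headers never
// carry it (Camilo's point). These must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
// Reject ids the server never issued (setting exists from PHP 5.5.2).
ini_set('session.use_strict_mode', '1');
session_start();

// index.php calls this once the LDAP bind has succeeded.
function mark_logged_in($username)
{
    // New id on login: an id observed before authentication stays anonymous.
    session_regenerate_id(true);
    $_SESSION['auth'] = true;
    $_SESSION['user'] = $username;   // assumed key, useful for audit logging
    $_SESSION['since'] = time();
}

// redirect.php (and any other protected page) calls this before any output.
function require_login($login_page = 'index.php')
{
    if (!isset($_SESSION['auth']) || $_SESSION['auth'] !== true) {
        // Anonymous visitor: send to the login page and stop executing.
        header('Location: ' . $login_page, true, 302);
        exit;
    }
}

// A logout that invalidates the whole session, not just the flag.
function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// In redirect.php:
//   require __DIR__ . '/auth_check.php';
//   require_login();
//   ... the redirect-request form follows ...
```

Call require_login() before any HTML is sent, since header() cannot redirect once output has started.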