Sean,

That is a very interesting suggestion.  How would you call that using PHP?

Thanks,

David Price

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Sean C. McCarthy
Sent: Tuesday, August 14, 2001 6:12 AM
To: Christian Dechery
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] session security issue


Hi,

For security use SSL and get the SSL session ID instead. This cannot be
fooled since it is based on a PK handshake with symmetric encryption.

        Sean C. McCarthy
        SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:
>
> I have pages that use sessions for security and look something like
> this:
>
> <?php
>         session_start();
>
>         // with register_globals on, $uid may come from the session
>         // or from the request (?uid=10), so this check alone
>         // does not prove the user is logged on
>         if( !isset($uid) )
>         {
>                 include("include/auth.inc.php");
>                 auth_user();
>         }
>
>         more code...
> ?>
>
> so $uid tells me if the user is logged on or not...
>
> but what if somebody calls the script directly from the address bar like
> this: http://server/script.php?uid=10
>
> wouldn't this be a security problem?
> ____________________________
> . Christian Dechery (lemming)
> . http://www.tanamesa.com.br
> . Gaita-L Owner / Web Developer
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]

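In answer to David's question, here is an added example (not code from the thread or from Sean) of how the two ideas above fit together in a page like Christian's. It is written for current PHP; on the PHP 4 of the time the equivalents were $HTTP_SESSION_VARS and setting register_globals = Off in php.ini. The SSL session ID is read from $_SERVER['SSL_SESSION_ID'], which Apache's mod_ssl exports only when "SSLOptions +StdEnvVars" is enabled; the login.php redirect target and the function names are assumptions for the example.

```php
<?php
// Added example, not from the original thread.
// Assumes Apache + mod_ssl with "SSLOptions +StdEnvVars" so that
// $_SERVER['SSL_SESSION_ID'] is populated on HTTPS requests.

session_start();

// Vulnerable pattern from Christian's message: with register_globals on,
// http://server/script.php?uid=10 sets $uid exactly as a session variable
// would, so isset($uid) passes for anyone.
//
//     if( !isset($uid) ) { include("include/auth.inc.php"); auth_user(); }

// Hardened check: read the user id only from the server-side session.
// A uid in the query string lands in $_GET and never in $_SESSION.
function current_user_id(): ?int
{
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

// Sean's suggestion: the TLS session id from the SSL handshake. It is
// absent on plain HTTP, which doubles as an "SSL required" check.
function ssl_session_id(): ?string
{
    return $_SERVER['SSL_SESSION_ID'] ?? null;
}

// Called once credentials have been verified (assumed to happen elsewhere).
function login_user(int $uid): void
{
    session_regenerate_id(true);          // new PHP session id: defeats fixation
    $_SESSION['uid']     = $uid;
    $_SESSION['ssl_sid'] = ssl_session_id();
}

// Guard for protected pages: returns the uid or redirects to the login page.
function require_login(): int
{
    $uid = current_user_id();
    if ($uid === null || ssl_session_id() === null) {
        header('Location: /login.php');   // assumed login page
        exit;
    }

    // Bind the PHP session to the TLS session it was created in.
    // Caveat: SSL session ids change on renegotiation or when the client
    // starts a fresh handshake, so a mismatch means "log in again",
    // not necessarily an attack.
    if (!empty($_SESSION['ssl_sid']) && $_SESSION['ssl_sid'] !== ssl_session_id()) {
        session_unset();
        session_destroy();
        header('Location: /login.php');
        exit;
    }

    return $uid;
}

$uid = require_login();
echo "Logged in as user " . htmlspecialchars((string) $uid);
```

The important part for Christian's problem is that the user id is taken from $_SESSION rather than from a bare $uid; the SSL session binding is an extra layer, and because the TLS session id is not guaranteed to stay the same for the life of a login, a mismatch should force re-authentication rather than be treated as proof of tampering.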

