On the other hand, I use only one query, searching for the username. I had experimented with other methods but did not find anything that I felt gave me great security. A session variable that says the person is logged in can be placed into a query string, thereby bypassing the authentication process.

Robbert van Andel

-----Original Message-----
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:59 PM
To: Van Andel, Robert; [EMAIL PROTECTED]
Subject: Re: [PHP] ignoring client supplied session data

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was thinking about doing that, but I was hoping to avoid superfluous database queries. It is my fallback method, but I _really_ want to use sessions, but limit them to server-side modification.

On Wednesday 27 November 2002 12:51 pm, Van Andel, Robert wrote:
> What I do on my pages is perhaps a convoluted way of doing it, but it works.
> I set username and password session variables. Every time the page loads,
> the script verifies the username and password are correct. If not, they
> don't get to see the rest. This, in my mind, prevents someone from
> supplying a key variable like $_SESSION['logged_in']. This way they have
> to know the username and password.
>
> Robbert van Andel
>
> -----Original Message-----
> From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 27, 2002 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] ignoring client supplied session data
>
> I'm setting up a site using sessions right now, and I was just wondering if
> there is a way to ignore anything from the client side. I want them to POST
> a username and password; from there all data should be handled on the
> server.
>
> I'm already using the query string to avoid cookies, but I want to make
> sure that if the user _does_ have cookies on, any change in the data will
> be ignored by the server. Any suggestions?
>
> Basically, I think it would be a lot more efficient for me to set a
> $_SESSION['logged_in'] variable once than query the database for every page,
> but I don't know if it would be secure or not. I don't want someone setting
> the logged_in variable in their cookie, then getting full access to the
> site...
>
> Thanks,
> Evan

- --
If anyone can show me, and prove to me, that I am wrong in thought or deed, I will gladly change. I seek the truth, which never yet hurt anybody. It is only persistence in delusion and ignorance which does harm.
- -Marcus Aurelius

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE95TIp/rncFku1MdIRAgGdAKCQCNMUL+OuTomXQH07zr6tjn7cUwCcDMrU
Ucup8rpk4c3jS2w+5Ej6yNo=
=el8E
-----END PGP SIGNATURE-----

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
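Editor's note with an added example (this is not code from either participant in the thread). The mechanism the thread is worrying about works differently from what both messages assume: PHP keeps the contents of $_SESSION on the server (session files, a database, etc.); the cookie, or the query string when trans-sid is used, carries only the session identifier. A client therefore cannot set $_SESSION['logged_in'] by editing a cookie. What the client does control is which identifier it presents, so the two things that actually matter are (a) never accepting session IDs from the URL, which the first message's "using the query string to avoid cookies" does, and (b) regenerating the ID at the moment of login so an attacker-chosen ID never becomes an authenticated one. In the register_globals era of this thread, the other real hazard was checking a plain global such as $logged_in, which a request parameter could populate; $_SESSION is not affected by that. The snippet below puts this together: a POST login against a constructed in-memory user list (the password hash is computed at startup; password_hash()/password_verify() need PHP 5.5 or later, and the database lookup the thread discusses is assumed to replace the array), a require_login() guard that reads only server-side state, and a logout that clears the cookie. The ini settings and PHP versions named in the comments are my assumptions, not something the thread states.

```php
<?php
// Added example, not from the mailing-list thread.
// Server-side session login for the pattern discussed above.

declare(strict_types=1);

// Constructed test data standing in for the "users" table the thread
// queries. The hash is generated at runtime (PHP >= 5.5 for password_hash).
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function start_secure_session(): void
{
    // $_SESSION lives on the server; the client only ever holds the ID.
    // Refuse IDs carried in the URL so a link cannot plant (fixate) one.
    ini_set('session.use_only_cookies', '1');   // PHP >= 4.3
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');    // PHP >= 5.5.2: ignore IDs the server never issued
    ini_set('session.cookie_httponly', '1');    // PHP >= 5.2: keep script out of the ID cookie
    ini_set('session.cookie_secure', '1');      // assumes the site is served over HTTPS
    session_start();
}

// Returns true on success; callers never touch $_SESSION['logged_in'] directly.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Swap the ID at the privilege change: whatever ID the browser presented
    // before authentication (possibly attacker-chosen) is discarded.
    session_regenerate_id(true);
    $_SESSION['logged_in']  = true;
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Guard for member pages. Reads only server-side state, so no per-page
// credential re-check is needed; returns the authenticated username.
function require_login(): string
{
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['username'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return $_SESSION['username'];
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// login.php: only POSTed credentials are consulted, never $_GET or cookies.
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (login($USERS, $user, $pass)) {
        header('Location: /members.php', true, 302);
        exit;
    }
    http_response_code(401);
    echo 'Bad credentials';
}
```

On a member page the whole check is `start_secure_session(); $who = require_login();`. The one-query-per-page approach from the thread remains useful for a different reason: it lets the server revoke access (password change, account lock) before the session expires, which the pure session flag cannot do on its own.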