On Thursday 16 January 2003 05:38, Scott Fletcher wrote:
> Or worse, not substituting the characters in the Session ID. Just use the
> same Session ID. What if there is a leftover session file in the /tmp
> directory of the Unix machine and we're dealing with hundreds of users each
> day. Some of those session files aren't deleted because the user just
> closed the browser without logging out. It is unfortunate that there is no
> better solution to this.

I've been sort of following this thread and as I understand it you're trying
to use HTTP_REFERER to ascertain whether a user has 'logged in'? I.e. if
HTTP_REFERER isn't the login page then they haven't 'logged in'?

If that is the case then you should know that this provides no security at
all. Use a proper authentication system based on sessions.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
If Robert Di Niro assassinates Walter Slezak, will Jodie Foster marry Bonzo??
*/
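
The contrast drawn in the reply above, as an added example that is not part of the original message or thread: a Referer-based check next to a session-based one. The function names, `LOGIN_URL` and the `user_id` session key are assumptions made for this illustration.

```php
<?php
// Added example. Function names, LOGIN_URL and the 'user_id' session key are
// assumptions for illustration, not code from the thread.

const LOGIN_URL = 'https://app.example/login.php'; // constructed placeholder

// Weak check: HTTP_REFERER is a request header chosen by the client, so it
// records what the client claims, not that a login took place.
function logged_in_by_referer(array $server): bool
{
    return ($server['HTTP_REFERER'] ?? '') === LOGIN_URL;
}

// Session-based check: the marker lives in server-side session data and is
// only ever written by the login handler below.
function logged_in_by_session(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Login handler: verify the password first, then bind the identity to the
// session. Pass $_SESSION as $session in a real request.
function handle_login(array &$session, string $password, string $storedHash, int $userId): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new ID after login; old session data is deleted
    }
    $session['user_id'] = $userId;
    return true;
}

// Constructed sample data: one stored password hash and one request that
// carries the expected Referer value without any prior login.
$hash    = password_hash('correct horse', PASSWORD_DEFAULT);
$request = ['HTTP_REFERER' => LOGIN_URL];
$session = [];

var_dump(logged_in_by_referer($request)); // depends only on the header
var_dump(logged_in_by_session($session)); // depends only on server-side state

var_dump(handle_login($session, 'wrong guess', $hash, 42));
var_dump(handle_login($session, 'correct horse', $hash, 42));
var_dump(logged_in_by_session($session));
```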