On Friday, June 7, 2002, at 12:32 PM, Jeff Field wrote:
> I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> cookie on my own server, not in the cookie that is sent to the user to
> maintain sessions. The cookie sent
> To: PHP List
> Subject: Re: [PHP] Access control question - follow-up question
>
>
> On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
> >
> > In regards to "Passing/testing the password on each page is
> unnecessary and
> > poses security risks."
On Fri, Jun 07, 2002 at 11:32:48AM -0500, Jeff Field wrote:
>
> In regards to "Passing/testing the password on each page is unnecessary and
> poses security risks.", I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> co
, I'm a little
unclear as to the security risk. Have I got this right?
Thanks!
Jeff
> -Original Message-
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 10:42 AM
> To: PHP List
> Subject: Re: [PHP] Access control questio
You are also assuming that the session hasn't been hijacked.
Other things you can do are store the user's UserAgent in a session var
and check it on every page (session spoofer MIGHT be using a different
browser), and do likewise for IP address. Although remember that AOL
users will have pro
Hi Jeff:
On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote:
>
> Is it simply enough to just check that $_SESSION['user'] is present, and
> therefore, by that alone assume the user has logged in and should be granted
> access? Or, should I be verifying the $_SESSION['user'] and
> $_SESS
Quick question...
I have a site where users log in, they put their user name and password in
a form and if they are verified against the database, session variables are
created,
$_SESSION['user'];
$_SESSION['pass'];
and they get sent to the next page by way of,
header("Location: https://www.m