On Wed, Aug 15, 2001 at 10:52:33PM -0300, Christian Dechery wrote:
> >$HTTP_SERVER_VARS{"SSL_SESSION_ID"}
> >
> >Another thing I found with phpinfo() is
> >$HTTP_SERVER_VARS{"UNIQUE_ID"}. I don't know (yet) what it is, but it
> >sounds usable, doesn't it?
>
> sure it does... but first we need to k
You need to check against a value that was registered as a session
variable. There is no use in checking if some SSL variable is set. Here's
a simplified version of my check_session function that I run at the top of
every page that requires a session to be established.
I also write to the session
On Tue, Aug 14, 2001 at 02:32:03PM -0700, David Price wrote:
> Sean,
>
> That is a very interesting suggestion. How would you call that using PHP?
>
> Thanks,
>
> David Price
$HTTP_SERVER_VARS{"SSL_SESSION_ID"}
Another thing I found with phpinfo() is
$HTTP_SERVER_VARS{"UNIQUE_ID"}. I don't
Subject: Re: [PHP] session security issue
Hi,
For security use SSL and get the SSLSession ID instead. This cannot be
fooled since it is based on PK handshake and with symmetric encryption.
Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)
Christian Dechery wrote:
>
> I have pages that use sessions for security that look s
If you test $HTTP_SESSION_VARS["uid"] instead, you'll know that it came
from a session and not from a GET variable.
- Tim
On 14 Aug 2001 08:42:22 -0300, Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
>session_start();
>
>
On Tue, Aug 14, 2001 at 08:42:22AM -0300, Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
>session_start();
>
> if( !isset($uid) )
> {
> include("include/auth.inc.php");
> auth_user();
>