  1. #1
    allspiritseve

    Using sessions in php pages...

    I have a security question about sessions: If I write a script that has someone log in and save their username in a session variable, such as "$username=AllSpiritsEve", then how can I make sure people can't simply go into a page and type "home.html?username=AllSpiritsEve" and be able to use the site functions I am able to use? Is there some way to separate session variables from page variables? Help would be appreciated.
    Thanks,
    -Spirit

  2. #2
    PHP John
    There is a series of variables, beginning with PHP v4.
    They are the $_GET[], $_POST[], and $_SESSION[] arrays.

    Session values are stored in a file on the server, and if you are properly testing all the information that comes into your script, you should not have any problems with authentication.
    John

  3. #3
    PHP John
    One way to test for an authorized user would be to set a session variable like this:
    PHP Code:
    <?php
    session_start();
    // ... code to test for a valid user ...
    // if the user is valid, set a session variable:
    $_SESSION['authorized'] = 'true';
    // ... the rest of the code ...
    ?>
    This would then be at the top of all your scripts you want only authorized users to use:
    PHP Code:
    <?php
    session_start();
    // isset() first, so a visitor with no session at all is also turned away
    if (!isset($_SESSION['authorized']) || $_SESSION['authorized'] != 'true') {
        header("Location: [youAreNotAuthorizedPage]");
        exit; // stop here so the code below never runs for an unauthorized visitor
    }
    // ... code for authorized users ...
    ?>
    HTH
    John

  4. #4
    To take that idea a step further, I set up fields in my login table for different permissions. So I have p_admin, p_view, and p_submit.

    Then I set these to true or false from an admin page and set them into the session when they log in.

    Then on various pages I can check if they have admin permissions, submit permissions, or just viewing permissions with a single have_p function. Just pass the permission to check.
    mitechie.com
    "Techies just think a little differently
    ...at least that is what they keep telling me."
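
Putting posts #3 and #4 together, as an added example in current PHP that is not code from the thread: the authorized flag set at login, the p_admin/p_view/p_submit flags copied into the session, and one have_p() check used by every protected page. It assumes a hypothetical users table with a password_hash column and the three p_ columns, reached through a PDO handle; /not_authorized.php is a placeholder.

```php
<?php
// Added example, not from the thread: the authorized-flag gate from post #3
// plus the p_admin/p_view/p_submit flags and have_p() check from post #4.
// Hypothetical: a users table (username, password_hash, p_admin, p_view,
// p_submit) reached through a PDO handle; /not_authorized.php is a placeholder.
session_start();

// Only $_SESSION is trusted for authorization. A query string such as
// ?username=AllSpiritsEve or ?p_admin=1 goes into $_GET and never reaches
// $_SESSION, so it grants nothing (register_globals must stay off).
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password_hash, p_admin, p_view, p_submit FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once privilege changes
    $_SESSION['authorized'] = true;
    $_SESSION['username']   = $username;
    // Copy the permission flags into the session as real booleans.
    foreach (['p_admin', 'p_view', 'p_submit'] as $perm) {
        $_SESSION[$perm] = (bool) $row[$perm];
    }
    return true;
}
// The single check every protected page uses: have_p('p_submit'), etc.
function have_p(string $perm): bool
{
    return !empty($_SESSION['authorized'])
        && isset($_SESSION[$perm])
        && $_SESSION[$perm] === true;
}
// Gate at the top of a protected script. exit matters: without it the code
// below the redirect still runs for a client that ignores the Location header.
function require_p(string $perm, string $denyUrl): void
{
    if (!have_p($perm)) {
        header('Location: ' . $denyUrl);
        exit;
    }
}
require_p('p_submit', '/not_authorized.php');
// ... code for users with submit permission ...
```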

