Re: module and access rights

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Alain Roger wrote:
I already started to use SSL, but i do not understand how to keep it running.

I mean after user has been authenticated and authorized to go further, all next web pages are opened using PHP location(https://...); command. however, it does not certify that it can not be faked by just typing into browser address bar https://another_webpage.php

for example :
1.my login page is called " index.php" and it is accessible only by https. if user type http://../index.php, the index.php redirect itself to https://.../index.php.
2. user type logon and password.
3. application control it with information stored into DB and authorize user to go further, so a session is created and user is redirected to https://.../welcome.php

what avoid hacker to directly type https://.../welcome.php ?
how to be sure that it works correctly as in my example ?

There is absolutely nothing stopping a "hacker" or a regular user from doing that (not everyone that does that is trying to break your site). It's up to you, as the developer, to check in welcome.php, and any other page that requires a user to be logged in, that a user is logged in.

So, to sum up, every page that needs the user to have logged in needs to check that a user has logged in, and redirect to the login page if not.

Hope that makes it clear.

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux