if (isset($_COOKIE["auth"]) && !isset($_GET["page"])) {
    include($GLOBALS['admin_index']);
    die();
}

Your script is awfully insecure. $_COOKIE is user supplied, so if I hand craft a request, I could just send an auth cookie which is set to 1. Relying on people not knowing is not good, especially as you've just posted your authentication method to the world.
At the very least switch to storing the fact that the user is authed to the session.
Eg:

if (!empty($_SESSION["auth"]) && empty($_GET["page"])) {
    include($GLOBALS['admin_index']);
    die();
}

--
Richard Heyes

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
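
Added example (not part of the original message or of the poster's script): a sketch of where the session flag checked above could be set, so that the gate depends on state the server wrote after verifying a password rather than on a cookie value the client chooses. ADMIN_HASH, the 'password' form field, the admin_index.php path and the HTTPS-only cookie setting are assumptions made for illustration.

```php
<?php
// Added illustration. ADMIN_HASH, the 'password' field and admin_index.php are assumed names.
declare(strict_types=1);

// Constructed credential: a real deployment loads a stored hash from config or a database.
define('ADMIN_HASH', password_hash('constructed-example-password', PASSWORD_DEFAULT));

// Assumes the site is served over HTTPS; the session cookie carries only an opaque id.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict', 'secure' => true]);
session_start();

/** Mark the session as authenticated only after the server has verified the password. */
function login(string $password): bool
{
    if (!password_verify($password, ADMIN_HASH)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id on privilege change (blocks fixation)
    $_SESSION['auth'] = true;    // kept server-side; a forged "auth=1" cookie has no effect
    return true;
}

/** The gate from the thread: the decision rests on $_SESSION, never on $_COOKIE. */
function is_authed(): bool
{
    return !empty($_SESSION['auth']);
}

$submitted = $_POST['password'] ?? null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && is_string($submitted)) {
    if (!login($submitted)) {
        http_response_code(403);
        die('Login failed');
    }
}

if (is_authed() && empty($_GET['page'])) {
    include __DIR__ . '/admin_index.php';
    die();
}
```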