Camilo Sperberg <unreal4u@xxxxxxxxx> wrote: > On 30 mei 2013, at 05:05, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote: > > > On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote: > > > >> On May 29, 2013, at 7:11 PM, Tim Dunphy <bluethundr@xxxxxxxxx> wrote: > >> > >>> Hello list, > >>> > >>> I've created an authentication page (index.php) that logs into an LDAP > >>> server, then points you to a second page that some folks are intended to > >>> use to request apache redirects from the sysadmin group (redirect.php). > >>> > >>> Everything works great so far, except if you pop the full URL of > >>> redirect.php into your browser you can hit the page regardless of the login > >>> process on index.php. > >>> > >>> How can I limit redirect.php so that it can only be reached once you login > >>> via the index page? > >>> > >>> Thank you! > >>> Tim > >>> > >>> -- > >>> GPG me!! > >> > >> Try this: > >> > >> http://sperling.com/php/authorization/log-on.php > > > > I realize this is example code. > > > > My question is, in a real application where that $_SESSION['auth'] token > > would be used subsequently to gain entry to other pages, what would you > > use instead of the simple TRUE/FALSE value? It seems that someone (with > > far more knowledge of hacking than I have) could rather easily hack the > > session value to change its value. But then again, I pretty much suck > > when it comes to working out how you'd "hack" (crack) things. > > > > Paul > > $_SESSION value are quite secure, as they are set on the server, only you can control what's inside them. What can be hacked is the authentification process or some script that sets session values. There is also a way of hijacking a session, but again: its values aren't changed by some PHP script, the session is being hijacked. Don't pass urls with the session id within them and you'll be save. Looking back through the posts, I see I sent one without the link I intended. Session variables can be secure enough (there will never be perfect security, just like there will never be completely safe sex), but you *do* have to take precautions. This is the link I meant to send before: http://www.php.net/manual/en/session.security.php Very important reading. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
