lilwing Posted June 19, 2008

Maybe this is easily solved. First, I have a login page, with a session variable called 'logged'. The PHP script is this:

```php
<?php
session_start();
$_SESSION['logged'] = false;
$_SESSION['uid'] = 0;
$_SESSION['username'] = '';
?>
```

Then I have a verification script, which redirects the user to the administration page if the correct username and password are entered. On the administration page, I have the following script at the beginning:

```php
<?php
ob_start();
session_start();
if ($_SESSION['logged']==false) {
    header('location:http://www.url.org/auth/login.php');
}
?>
```

If the user tries to access the administration files with a session started, and he has not logged in, he will be redirected to the login page. However, if the session ends, and he tries to access the administration page via URL, since the session is not started and this variable is not there to protect it, the administration page becomes accessible. How do I correct this problem?

hitman6003 Posted June 19, 2008

Check to see if the logged element exists...if not, redirect:

```php
// Redirect when 'logged' is missing or false
if (!$_SESSION['logged'] || $_SESSION['logged'] == false) {
    header('location:http://www.url.org/auth/login.php');
    exit; // stop here so the rest of the page is not sent
}
```

lilwing (Author) Posted June 19, 2008

Thanks... I had no idea I could do that! Hopefully there are no other security issues while I am beta testing. It's a simple script, but it seems to work effectively.

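Added example, not part of the original thread: a guard that can be included at the top of each administration page. It treats a missing `logged` key the same as `false` and ends the script after sending the redirect. The file name, the function names and the assumption that the verification script stores `true` in `logged` and a positive id in `uid` are hypothetical; the login URL is the one used in the thread.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every admin page.
declare(strict_types=1);

const LOGIN_URL = 'http://www.url.org/auth/login.php'; // URL from the thread

/**
 * True only when the session explicitly records a completed login.
 * A missing key (new or expired session) counts as not logged in.
 * Assumption: the verification script sets 'logged' to true and 'uid' to a positive id.
 */
function is_logged_in(array $session): bool
{
    return isset($session['logged'], $session['uid'])
        && $session['logged'] === true
        && (int) $session['uid'] > 0;
}

/** Redirect anonymous visitors and stop the script so no admin output is sent. */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . LOGIN_URL, true, 302);
        exit; // header() only queues the redirect; it does not end the request
    }
}

// Constructed session states, evaluated only when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'expired or new session' => [],
        'login page defaults'    => ['logged' => false, 'uid' => 0, 'username' => ''],
        'flag set, no user id'   => ['logged' => true, 'uid' => 0],
        'verified login'         => ['logged' => true, 'uid' => 7, 'username' => 'admin'],
    ];
    foreach ($cases as $label => $session) {
        printf("%-24s => %s\n", $label, is_logged_in($session) ? 'allow' : 'redirect');
    }
}
```

On an administration page the guard is used as `require 'auth_guard.php'; require_login();` before any output.
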