
Verifying internal link


gausie


Hi everyone!

Great to be back - haven't visited for quite some time - and I return with a question!

To log out of my script, you send "lo=t" to a page. However, the website I am making allows user-customisable scripts, and so anyone feeling particularly vandalous might make a "fake" link that logs the visiting user out. How can I verify that the link was from the correct area?

I have the feeling I could make use of the SID but I don't know how!

Thanks

Sam
https://forums.phpfreaks.com/topic/13786-verifying-internal-link/

Ok

Well, to log out, you click on a link that brings you to "index.php?lo=t"

The website has areas where users can have their own customised HTML

Someone could easily put a link like this "<a href="index.php?lo=t">Click here to go to my webpage</a>", but this link would instead log the viewer out.

How can I verify that the "Log Out" button is being pressed only from where I want it to be pressed?
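// session_id() returns the current session id; $PHPSESSID is only defined when register_globals is on
echo "<a href='index.php?lo=t&sess_id=" . session_id() . "'>Logout</a>";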

Then check to see if sess_id exists and, if so, check to see if it matches up with the session id.

This of course assumes that your allowing of custom HTML does not include allowing them to insert their own PHP as well...
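The check suggested in the reply above, written out as an added example that is not code from the thread. It goes one step beyond the reply by using a separate random token stored in the session instead of the session id itself, so the session id never appears in a URL; the `logout_token` session key and `token` parameter are hypothetical names.

```php
<?php
// Added example: index.php with the logout link and its check.
// 'logout_token' and 'token' are hypothetical names, not from the thread.
session_start();

// One random token per session, kept server-side. Custom HTML written by
// other users cannot know it, so it cannot build a working logout link.
if (empty($_SESSION['logout_token'])) {
    $_SESSION['logout_token'] = bin2hex(random_bytes(32));
}

/** True only when the request carries this session's own logout token. */
function is_genuine_logout(array $query, array $session): bool
{
    if (($query['lo'] ?? '') !== 't') {
        return false;
    }
    $sent = $query['token'] ?? '';
    $expected = $session['logout_token'] ?? '';
    // Reject missing or array-valued parameters, then compare in constant time.
    return is_string($sent) && $sent !== ''
        && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent);
}

if (isset($_GET['lo'])) {
    if (is_genuine_logout($_GET, $_SESSION)) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit;
    }
    // A bare index.php?lo=t (the planted link) ends up here: stay logged in.
    http_response_code(403);
    exit('Invalid logout link.');
}

// The only place a working logout link is produced.
$href = 'index.php?lo=t&token=' . urlencode($_SESSION['logout_token']);
echo '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">Logout</a>';
```

The check only holds while the user-supplied HTML is sanitised so that it cannot run script able to read the logout link out of the page.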
