
gausie

Verifying internal link


Hi everyone!

Great to be back - haven't visited for quite some time - and I return with a question!

To log out of my script, you send "lo=t" to a page. However, the website I am making allows user-customisable scripts, and so anyone feeling particularly vandalous might make a "fake" link that logs the visiting user out. How can I verify that the link was from the correct area?

I have the feeling I could make use of the SID but I don't know how!

Thanks

Sam

Can you explain this a bit better? I am having a hard time understanding.

Orio.

OK

Well, to log out, you click on a link that brings you to "[b]index.php?lo=t[/b]"

The website has areas where users can have their own customised HTML

Someone could easily put a link like this "[b]<a href="index.php?lo=t">Click here to go to my webpage</a>[/b]", but this link would instead log the viewer out.

How can I verify that the "Log Out" button is being pressed only from where I want it to be pressed?

[code]
echo "<a href='index.php?lo=t&sess_id=" . $PHPSESSID."'>Logout</a>";
[/code]

Then check to see if sess_id exists and, if so, check to see if it matches up with the session id.

This of course assumes that your allowing of custom HTML does not include allowing them to insert their own PHP as well...

$PHPSESSID is an empty variable... I end up with the link [b]index.php?lo=t&v=[/b] with nothing afterwards!

Thanks

Sam

OK, I did it using session_id() instead of $PHPSESSID.

Thanks everyone!

Sam

Sorry, I meant this:

[code]
echo "<a href='index.php?lo=t&sess_id=" . session_id() ."'>Logout</a>";
[/code]

I usually do it like this: $PHPSESSID = session_id();
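The thread's suggestion (tie the logout action to something only the real page knows) is the right shape, but putting session_id() in a query string exposes the session ID in browser history, server logs and the Referer header of every link clicked from that page. The added example below is not code from the thread; it is a hardened version of the same idea: a separate random per-session token stored in $_SESSION, a logout that only accepts a POST carrying that token, and a constant-time comparison. The index.php?lo=t routing, the hidden field name tok and the function names are assumptions made for this example.

```php
<?php
// Added example, not the original poster's code. Assumes logout is handled by
// index.php when lo=t is present, as in the thread; the token field name "tok"
// and the helper names are choices made here.
session_start();

// One random token per session, generated lazily and kept server-side.
// This is NOT the session ID, so leaking it via Referer does not hijack the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing token, or a session with no token yet, is rejected.
function csrf_token_is_valid(?string $candidate): bool
{
    if ($candidate === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $candidate);
}

// Logout handling: a plain <a href="index.php?lo=t"> from user-supplied HTML is a GET
// with no token, so it fails both checks and does nothing to the viewer's session.
if (($_GET['lo'] ?? '') === 't') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_token_is_valid($_POST['tok'] ?? null)) {
        http_response_code(403);
        exit('Logout request not accepted.');
    }
    // Genuine logout: clear session data, invalidate the cookie, destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// The trusted logout control rendered by the site itself (never by user HTML):
// a POST form carrying the token. User-authored markup cannot know the token value.
$tok = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="index.php?lo=t">'
   . '<input type="hidden" name="tok" value="' . $tok . '">'
   . '<button type="submit">Logout</button>'
   . '</form>';
```

Two caveats a practitioner would check: user-supplied HTML must be sanitised so it cannot contain <script> or <form> that reads or submits the site's own token (otherwise this degrades to XSS, which no CSRF token survives), and the session cookie should be set with the Secure, HttpOnly and SameSite attributes so that cross-site form posts from other origins are also refused by the browser.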
