harmor19
01-13-2006, 02:31 PM
When I make a login script for myself I check if the username and password match then I set the session.
I use this to check the session
if(empty($_SESSION['username']))
{
echo "You are not logged in";
die();
}
But it just hit me that I can create a fake session on a different script.
I could use
$_SESSION['username'] = "haha";
I tested this with PHPTriad with PHP 4.4.1 (I downloaded the PHP package and replaced the default package).
I'm not sure if it's possible to pass sessions from completely different urls.
eg.
From "my_site.com/fake_session.php" To "some_other_site.com/check_login.php"
Can you help me make it more secure?
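
A hardened form of the login check above, as an added example that is not part of the original post. `$_SESSION` data is stored on the server and found through the session ID cookie, so a script on another host cannot write into it, while a script that shares the same PHP session store can; the sketch keeps the store private to the application and issues a new session ID at login. It assumes PHP 7.3+ and HTTPS, and the names `MYSITESESSID`, the `sessions` directory and the sample user table are hypothetical.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.3+ and HTTPS.
// Hypothetical names: MYSITESESSID, the ../sessions directory, the user table.

function start_app_session(): void
{
    // Keep session files in a directory only this application can access
    // (assumed to exist outside the web root), so scripts belonging to
    // other sites on the same server do not share the session store.
    session_save_path(__DIR__ . '/../sessions');
    session_name('MYSITESESSID');
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,    // cookie sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function lookup_password_hash(string $username): ?string
{
    // Constructed sample user; a real application reads this from its database.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('sample-password', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

function log_in(string $username, string $password): bool
{
    $hash = lookup_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh ID, old session file deleted
    $_SESSION['username'] = $username;   // set only after the password check
    return true;
}

function require_login(): void
{
    if (empty($_SESSION['username'])) {
        http_response_code(403);
        echo "You are not logged in";
        exit;
    }
}
```

A protected page calls `start_app_session()` and then `require_login()` before producing any output.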