Re: [LUG] PHP Session problems


Anton Channing wrote:

> But what if you've revoked the user's admin
> privileges in the meantime?  They will still
> have an active cookie.  Your method is
> insecure.
> 
> Unless you check permissions every page load,
> you don't know if they are up to date.
> 
> What if a banned ex-admin has kept a session
> open?  Unlikely scenario, but it pays to think
> about these things in advance.

Or what if a user decides to give themselves admin
privileges by hacking the cookie to change their
user type?  OK, so they'd have to guess the exact
string, but it's not exactly difficult, is it?

James
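The two failure modes raised in this thread (a cookie value edited by the client, and a revoked or banned account whose session is still live) side by side, as an added PHP example that is not from the original posts. The session holds only a user id and the role is re-read from the server-side store on every request; the `users` table, its `banned` column and the sample rows are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread. Assumes a users table with
// columns (id, role, banned); the SQLite schema and rows below are constructed.

// INSECURE: the browser controls cookie contents, so "user_type=admin" can be
// edited by the client, and a revoked admin keeps whatever value they were given.
function isAdminFromCookie(array $cookie): bool
{
    return ($cookie['user_type'] ?? '') === 'admin';
}

// HARDENED: the session carries only the user id (stored server-side, keyed by
// the session id cookie); the role is re-read from the database on every request,
// so a revoked or banned account loses access on its next page load.
function currentRole(PDO $pdo, array $session): ?string
{
    if (empty($session['user_id'])) {
        return null;                                   // not logged in
    }
    $stmt = $pdo->prepare('SELECT role, banned FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['banned'] === 1) {
        return null;                                   // deleted or banned: treat as logged out
    }
    return $row['role'];
}

// Self-contained demonstration with constructed data (no web server needed;
// requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT, banned INTEGER)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 0), (2, 'user', 0)");

$editedCookie = ['user_type' => 'admin'];              // value chosen by the client
var_dump(isAdminFromCookie($editedCookie));            // the cookie-only check accepts it

$session = ['user_id' => 1];                           // what the server stored at login
var_dump(currentRole($pdo, $session));                 // role as currently held in the store

// Admin privileges revoked after the session was created: the next request sees it.
$pdo->exec("UPDATE users SET role = 'user' WHERE id = 1");
var_dump(currentRole($pdo, $session));

// A banned ex-admin who kept a session open is locked out on the next request too.
$pdo->exec("UPDATE users SET banned = 1 WHERE id = 1");
var_dump(currentRole($pdo, $session));
```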

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html