Anton Channing wrote:

> But what if you've revoked the user's admin
> privileges in the meantime? They will still
> have an active cookie. Your method is
> insecure.
>
> Unless you check permissions every page load,
> you don't know if they are up to date.
>
> What if a banned ex-admin has kept a session
> open? Unlikely scenario, but it pays to think
> about these things in advance.

Or what if a user decides to give themselves admin privileges by hacking the cookie to change their user type? OK, so they'd have to guess the exact string, but it's not exactly difficult, is it?

James

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
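The three cases raised in the thread (a forged cookie, an admin whose rights are revoked mid-session, and a banned ex-admin still holding a session) can be walked through in code. The block below is an added example, not code from the list or from any application discussed there; the user store, session table, user names and the `scenario()` walkthrough are all constructed for illustration. It puts the criticised design (role stored in the cookie) beside the design Anton describes: the cookie carries only an opaque session id, and the current role is looked up server-side on every request.

```python
import secrets

# Constructed server-side state for the example: a user store and a session
# table. In a real application both would live in a database.
USERS = {}
SESSIONS = {}  # opaque session id -> username


def _reset():
    """Repopulate the constructed state so scenario() can be rerun."""
    USERS.clear()
    USERS.update({
        "alice": {"role": "admin", "banned": False},
        "bob": {"role": "user", "banned": False},
    })
    SESSIONS.clear()


def login(username):
    """Create a server-side session; the returned id is all the cookie holds."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


# --- The design the thread criticises: the role itself is in the cookie. ---
def insecure_is_admin(cookie):
    # Trusts client-supplied data: a tampered cookie, or a genuine one kept
    # after revocation, both pass.
    return cookie.get("user_type") == "admin"


# --- Hardened design: opaque id in the cookie, role re-checked per request. ---
def current_user(cookie):
    """Resolve the cookie to a live (username, record) pair, or None."""
    session_id = cookie.get("session")
    username = SESSIONS.get(session_id) if session_id else None
    if username is None:
        return None
    user = USERS.get(username)
    if user is None or user["banned"]:
        # A deleted or banned account's session is terminated on sight.
        SESSIONS.pop(session_id, None)
        return None
    return username, user


def secure_is_admin(cookie):
    resolved = current_user(cookie)
    return resolved is not None and resolved[1]["role"] == "admin"


def revoke_admin(username):
    USERS[username]["role"] = "user"


def ban(username):
    USERS[username]["banned"] = True
    # Drop the user's existing sessions as well, so nothing lingers.
    for sid in [s for s, u in SESSIONS.items() if u == username]:
        del SESSIONS[sid]


def scenario():
    """Walk through the thread's three cases; returns the outcome of each check."""
    _reset()
    outcomes = {}
    # 1. A client edits its own cookie to claim the admin user type.
    forged = {"user_type": "admin", "session": "not-a-real-session-id"}
    outcomes["forged_insecure"] = insecure_is_admin(forged)  # True: escalation
    outcomes["forged_secure"] = secure_is_admin(forged)      # False
    # 2. A genuine admin logs in, then has admin revoked while logged in.
    alice_cookie = {"user_type": "admin", "session": login("alice")}
    outcomes["before_revoke_secure"] = secure_is_admin(alice_cookie)      # True
    revoke_admin("alice")
    outcomes["after_revoke_insecure"] = insecure_is_admin(alice_cookie)   # True: stale
    outcomes["after_revoke_secure"] = secure_is_admin(alice_cookie)       # False
    # 3. The ex-admin is banned while still holding the same cookie.
    ban("alice")
    outcomes["after_ban_session_alive"] = current_user(alice_cookie) is not None  # False
    return outcomes


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The per-request lookup is the whole point: because nothing about the user's rights is stored client-side, there is no string to guess and no stale copy to outlive a revocation. The cost is one store lookup per request, which is what "check permissions every page load" amounts to.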