can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?

  • NotGiven

    can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?



  • somaBoy MX

    #2
    Re: can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?


    "NotGiven" <noname@nonegiven.net> wrote...
    : [nothing]

    1. don't post your entire question in the subject line
    2. don't multipost
    3. You can encrypt session vars with an md5() hash, for example. This will
    make spoofing a lot more difficult.


    ..soma



    • Jochen Daum

      #3
      Re: can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?

      Hi!

      On Thu, 20 Nov 2003 00:02:25 +0100, "somaBoy MX" <none@nonesuch.net>
      wrote:

      >3. You can encrypt session vars with an md5() hash, for example. This will
      >make spoofing a lot more difficult.

      I think it's not necessary, as only the already md5'ed session id gets
      transported.

      HTH, Jochen
      --
      Jochen Daum - CANS Ltd.
      PHP DB Edit Toolkit -- PHP scripts for building
      database editing interfaces.


      • kafooey

        #4
        Re: can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?

        On Wed, 19 Nov 2003 13:10:21 -0500, "NotGiven" <noname@nonegiven.net>
        wrote:

        Use $_SERVER["HTTP_REFERER"]

        The above server variable will tell you the page they arrived from.
        You commonly use it in a script page to return to the form that
        submitted towards it.



        kafooey
        - kafooey@nospam.yahoo.co.uk
        - http://www.pluggedout.com/blog


        • Jonathan

          #5
          Re: can you use sessions to ensure the user visited a previous page? can a sessions be easily spoofed?

          Hi,
          > 1. don't post your entire question in the subject line
          > 2. don't multipost
          > 3. You can encrypt session vars with an md5() hash, for example. This will
          > make spoofing a lot more difficult.

          I agree, but to answer the question: yes you could use sessions to check if
          a page was previously viewed. You could on one page initialize the session,
          on the next page (the one that should be viewed before going on) set a var
          in the session:

          $_SESSION['pageviewed'] = true;

          And on the third page you could check if this var is set:

          if ($_SESSION['pageviewed'] != true) { die("Cheater!"); }

          Remember you have to do a session_start on every page where you use a session, and
          it should be done before any output is sent to the browser.

          Bye,
          Jonathan
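
The flag-per-page check from this reply, generalized to an ordered list of steps and combined with hardened session cookie settings, as an added example that is not part of the original thread. The page names and the `flow_done` session key are hypothetical, and the cookie options assume PHP 7.3 or later on a site served over HTTPS.

```php
<?php
// Added example: enforce page order with server-side session state.
// Session data stays on the server; the browser only holds the session id,
// so the cookie settings below protect that id rather than the flag itself.

const FLOW = ['terms', 'payment', 'confirm'];  // hypothetical pages, in required order

function start_hardened_session(): void
{
    if (PHP_SAPI === 'cli') {       // offline demo run: no cookies, plain array
        $_SESSION = [];
        return;
    }
    session_start([                 // must run before any output is sent
        'use_strict_mode'  => 1,    // refuse session ids the server did not issue
        'use_only_cookies' => 1,    // never accept the id from the URL
        'cookie_httponly'  => 1,    // keep the id out of reach of page scripts
        'cookie_secure'    => 1,    // assumption: HTTPS only
        'cookie_samesite'  => 'Lax',
    ]);
}

/** Record a visit to $page; false means an earlier step was skipped. */
function visit(string $page): bool
{
    $index = array_search($page, FLOW, true);
    if ($index === false) {
        return false;                        // not part of the flow
    }
    $done = $_SESSION['flow_done'] ?? -1;    // highest step reached so far
    if ($index > $done + 1) {
        return false;                        // tried to jump ahead
    }
    $_SESSION['flow_done'] = max($done, $index);
    return true;
}

// On a real page: if (!visit('confirm')) { http_response_code(403); exit; }
if (PHP_SAPI === 'cli') {
    start_hardened_session();
    foreach (['confirm', 'terms', 'confirm', 'payment', 'confirm'] as $page) {
        printf("%-8s %s\n", $page, visit($page) ? 'allowed' : 'refused');
    }
}
```

Run from the command line, the requests for `confirm` are refused until `terms` and `payment` have been visited in order.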

