Posted: Fri Dec 12, 2003 6:49 am
by JayBird
I don't think that just calling $username would work unless register_globals is on. You would need to call it using $_SESSION['username'].
Mark
Posted: Fri Dec 12, 2003 6:50 am
by malcolmboston
this thread > saved for later reading
thank you bech, always helping us n00bs
cheers mate
Posted: Fri Dec 12, 2003 6:50 am
by JayBird
if you have ICQ and wanna chat through there later (evening) then feel free
My number is 8172414
Mark
Posted: Fri Dec 12, 2003 6:53 am
by malcolmboston
thank you v-much, I'll take you up on that
I'm just waiting for a couple of my threads to be replied to and then I'm off home to try this out, honestly if this works I will have faith again in PHP
This stupid problem has been troubling me for months now, and I think this is a pretty secure way of doing it (unless session is hijacked or sniffed packets, coz I don't have SSL, and don't need it)
if it works, you've saved my life
cheers
Posted: Fri Dec 12, 2003 9:41 am
by aquila125
You have to change $username to $_SESSION['username']... then it should work..
For being safe from SESSION hijacking, don't just keep the username in the session, but also the IP the user has used to log in (so in login.php just put $_SESSION['remote_addr']=$_SERVER['REMOTE_ADDR'];)

Every time you check if the user has logged in, also check that his IP is still the same as in your session... no hijacking possible...
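
The check described in the post above, written out as an added example (not code from the thread). The function names are hypothetical, PHP 7+ is assumed, and the addresses in the demo are constructed documentation-range values.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical; assumes PHP 7+.

// login.php: call once the password check has succeeded.
function bind_session_on_login(array &$session, array $server, string $username): void
{
    $session['username']    = $username;
    $session['remote_addr'] = $server['REMOTE_ADDR'];   // address used to log in
}

// Every protected page: logged in AND still coming from the login address?
function session_is_valid(array $session, array $server): bool
{
    if (!isset($session['username'], $session['remote_addr'])) {
        return false;                                   // never logged in
    }
    return $session['remote_addr'] === ($server['REMOTE_ADDR'] ?? null);
}

// Wiring for a real page; not called in the demo below.
function require_login(): void
{
    session_start();
    if (!session_is_valid($_SESSION, $_SERVER)) {
        $_SESSION = [];            // drop the stored username and address
        session_destroy();
        header('Location: login.php');
        exit;
    }
}

// Demo with constructed values (documentation-range addresses).
$session = [];
bind_session_on_login($session, ['REMOTE_ADDR' => '192.0.2.10'], 'exampleuser');
var_dump(session_is_valid($session, ['REMOTE_ADDR' => '192.0.2.10']));    // same client
var_dump(session_is_valid($session, ['REMOTE_ADDR' => '198.51.100.7'])); // session ID presented from another address
var_dump(session_is_valid([], ['REMOTE_ADDR' => '192.0.2.10']));          // no login at all
```

The comparison only rejects a session ID presented from a different address; clients behind the same NAT or proxy share one, and a legitimate user's address can change mid-session.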
Posted: Sun Dec 14, 2003 12:30 pm
by malcolmboston
hey man
damn good idea!
i was worried about something like that, pretty simple answer actually
btw it all worked
but view my other post
