Posted: Fri Dec 12, 2003 6:49 am
by JayBird
I don't think that just calling $username would work unless register global is on. You would need to call it using $_SESSION['username']

Mark

Posted: Fri Dec 12, 2003 6:50 am
by malcolmboston
this thread > saved for later reading

thank you bech, always helping us n00bs :oops:

cheers mate

Posted: Fri Dec 12, 2003 6:50 am
by JayBird
If you have ICQ and wanna chat through there later (evening) then feel free

My number is 8172414

Mark

Posted: Fri Dec 12, 2003 6:53 am
by malcolmboston
thank you v-much, I'll take you up on that

I'm just waiting for a couple of my threads to be replied to and then I'm off home to try this out, honestly if this works I will have faith again in PHP :D

This stupid problem has been troubling me for months now, and I think this is a pretty secure way of doing it (unless session is hijacked or sniffed packets, coz I don't have SSL, and don't need it)

if it works, you've saved my life
cheers

Posted: Fri Dec 12, 2003 9:41 am
by aquila125
You have to change $username to $_SESSION['username']... then it should work..

for being safe from SESSION hijacking, don't just keep the username in the Session, but also the IP the user has used to login (so in login.php just put $_SESSION['remote_addr']=$_SERVER['REMOTE_ADDR'];)
Every time you check if the user has logged in, also check that his IP is still the same as in your session... no hijacking possible...
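
The check described in the post above, written out as an added example that is not part of the original thread: the address is recorded at login and compared on every request. The function names and the sample addresses are assumptions made for illustration; in a real page the arrays passed in would be `$_SESSION` (after `session_start()`) and `$_SERVER`.

```php
<?php
// Added example; function names are hypothetical, addresses are constructed.

// Call once after the password check succeeds (e.g. in login.php),
// passing $_SESSION and $_SERVER.
function bind_session_to_client(array &$session, array $server, string $username): void
{
    $session['username']    = $username;
    $session['remote_addr'] = $server['REMOTE_ADDR'];
}

// Call on every protected page. True only when the session is logged in and
// the request comes from the address recorded at login.
function session_matches_client(array $session, array $server): bool
{
    if (!isset($session['username'], $session['remote_addr'], $server['REMOTE_ADDR'])) {
        return false;
    }
    return $session['remote_addr'] === $server['REMOTE_ADDR'];
}

// Constructed walk-through using plain arrays in place of the superglobals.
$session = [];
bind_session_to_client($session, ['REMOTE_ADDR' => '192.0.2.10'], 'malcolm');

$cases = [
    'same address as login'      => [$session, ['REMOTE_ADDR' => '192.0.2.10']],
    'session replayed elsewhere' => [$session, ['REMOTE_ADDR' => '198.51.100.7']],
    'never logged in'            => [[],       ['REMOTE_ADDR' => '192.0.2.10']],
];
foreach ($cases as $label => [$sess, $srv]) {
    printf("%-28s %s\n", $label, session_matches_client($sess, $srv) ? 'allow' : 'deny');
}

// On a deny in a real page: clear the session and send the user back to login.
// Limits of the check: clients behind one NAT or proxy share REMOTE_ADDR, so
// they pass it, and a user whose address changes mid-session is denied.
```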

Posted: Sun Dec 14, 2003 12:30 pm
by malcolmboston
hey man

damn good idea!

I was worried about something like that, pretty simple answer actually :P
btw it all worked

but view my other post :oops: